CyberHappenings logo
☰
🏠 Home πŸ“‚ Browse ℹ️ About

Track cybersecurity events as they unfold. Sourced timelines, daily updates. Fast, privacy‑respecting. No ads, no tracking.

GodRAT Trojan targets trading firms using steganography and Gh0st RAT code

First reported
Last updated
πŸ“° 1 unique sources, 2 articles

Summary

Hide β–²

A new remote access trojan, GodRAT, is targeting trading and brokerage firms through a campaign that uses steganography and Gh0st RAT code. The malware is distributed via Skype messenger, disguised as financial documents, and has been active since at least September 2024. GodRAT employs a plugin-based approach to harvest sensitive information and deliver secondary payloads, including AsyncRAT. The campaign has targeted financial institutions in several countries, including Hong Kong, the United Arab Emirates, Lebanon, Malaysia, and Jordan. The malware uses steganography to conceal shellcode within image files, which is then used to download the malware from a command-and-control (C2) server. GodRAT is an evolution of another Gh0st RAT-based backdoor known as AwesomePuppet, which was first documented in 2023. The malware is believed to be the work of the Chinese threat actor, Winnti (aka APT41). The attackers have also been found to leverage ConnectWise ScreenConnect to deliver AsyncRAT, using a layered VBScript and PowerShell loader to execute obfuscated components from external URLs. The malware maintains persistence via a fake 'Skype Updater' scheduled task and can log keystrokes, steal browser credentials, fingerprint the system, and scan for installed cryptocurrency wallet desktop apps and browser extensions.

Timeline

  1. 11.09.2025 09:02 πŸ“° 1 articles Β· ⏱ 6d ago

    AsyncRAT leverages ConnectWise ScreenConnect to deliver payloads

    The attackers used ConnectWise ScreenConnect to gain remote access and execute a layered VBScript and PowerShell loader. The infection chain involved trojanized ScreenConnect installers masquerading as financial and other business documents sent via phishing emails. The PowerShell script retrieved and executed obfuscated components from external URLs. The malware maintained persistence via a fake 'Skype Updater' scheduled task. The AsyncRAT payload can log keystrokes, steal browser credentials, fingerprint the system, and scan for installed cryptocurrency wallet desktop apps and browser extensions. The malware exfiltrated collected information to a command-and-control (C2) server over a TCP socket. The C2 connection settings were either hard-coded or pulled from a remote Pastebin URL.

    Show sources
    Open in new tab
  2. 19.08.2025 17:33 πŸ“° 2 articles Β· ⏱ 29d ago

    GodRAT Trojan targets trading firms using steganography and Gh0st RAT code

    The campaign has also been found to leverage ConnectWise ScreenConnect to deliver AsyncRAT. The attackers use a layered VBScript and PowerShell loader to execute obfuscated components from external URLs. The malware maintains persistence via a fake 'Skype Updater' scheduled task and can log keystrokes, steal browser credentials, fingerprint the system, and scan for installed cryptocurrency wallet desktop apps and browser extensions. The infection chain involves trojanized ScreenConnect installers masquerading as financial and other business documents sent via phishing emails. The C2 connection settings are either hard-coded or pulled from a remote Pastebin URL.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

FileFix Attack Using Steganography to Deploy StealC Infostealer

A new FileFix social engineering campaign impersonates Meta account suspension warnings to trick users into installing the StealC infostealer malware. The attack uses steganography to hide malicious scripts and executables within a JPG image. The campaign targets various credentials, cryptocurrency wallets, and cloud services. The FileFix technique abuses the File Explorer address bar to execute PowerShell commands, bypassing traditional detection methods. The attack was discovered by Acronis and observed over a two-week period, with multiple variants using different payloads and domains. The StealC malware aims to steal sensitive information from infected devices, including browser credentials, messaging app data, and cryptocurrency wallets. The FileFix technique was created by red team researcher mr.d0x and has been previously used by the Interlock ransomware gang. The attack uses a multilingual phishing site to trick users into copying and pasting a malicious command into the File Explorer address bar. The campaign abuses Bitbucket repositories to host malicious components, leveraging trust in the platform to bypass detection. The FileFix campaign is the most widespread, customized, and sophisticated to date, targeting users in over 16 countries. The phishing site has been translated into at least 16 different languages. The attack chain involves a phishing email impersonating Facebook security, warning users of account suspension. The attack uses AI-generated images in the steganography process. The FileFix technique is more elegant and less suspicious than ClickFix, using File Explorer instead of the Run dialog. The FileFix attack offers a broader range of high-value targets due to its use of File Explorer. Security researcher Eliad Kimhy predicts an increase in FileFix attacks in the near future. The FileFix attack involves a fake Cloudflare Turnstile verification page that redirects users to a Windows File Explorer search query. The attack uses a Windows shortcut LNK file disguised as a PDF to initiate the infection chain. The LNK file downloads a legitimate AnyDesk installer and a malicious MSI package that installs MetaStealer. The MSI package contains a DLL and a CAB archive with malicious files, including a MetaStealer dropper. The MetaStealer dropper is protected with Private EXE Protector and is designed to steal cryptocurrency wallets. The attack leverages the Windows search protocol to redirect users to an attacker-controlled SMB share. The FileFix attack has evolved to include a more sophisticated infection chain that bypasses traditional detection methods. The attack uses a multi-stage process involving Windows File Explorer, a fake PDF lure, and an MSI package to deploy MetaStealer. The FileFix attack has been observed to use a combination of social engineering and advanced technical techniques to evade detection.

Open in new tab

Supply Chain Attack Targeting npm Registry Compromises 40 Packages

A supply chain attack targeting the npm registry has compromised over 700 packages maintained by multiple developers. The attack uses a malicious script (bundle.js) to steal credentials from developer machines. The compromised packages include various npm modules used in different projects. The attack is capable of targeting both Windows and Linux systems. The malicious script scans for secrets using TruffleHog's credential scanner and transmits them to an external server controlled by the attackers. Developers are advised to audit their environments and rotate credentials if the affected packages are present.

Open in new tab

New HybridPetya Ransomware Exploits UEFI Secure Boot Bypass Vulnerability

A new ransomware variant, HybridPetya, has been discovered. It resembles the Petya/NotPetya malware but includes the ability to bypass UEFI Secure Boot using the CVE-2024-7344 vulnerability. HybridPetya encrypts the Master File Table (MFT) on NTFS-formatted partitions and can compromise modern UEFI-based systems. The ransomware operates through a bootkit and an installer, with the bootkit managing encryption and decryption processes. The ransomware has been observed in samples uploaded to VirusTotal in February 2025, with no evidence of active use in the wild. The vulnerability exploited by HybridPetya was patched in January 2025. The ransomware encrypts the MFT and displays a fake CHKDSK message to deceive victims. It demands a $1,000 ransom in Bitcoin, with a total of $183.32 received between February and May 2025. The ransom note provides an option for victims to enter a decryption key after payment, which triggers the decryption process. The bootkit also recovers legitimate bootloaders from backups created during installation. The ransomware triggers a system crash during bootloader changes, ensuring the bootkit binary is executed upon reboot. HybridPetya may be a research project, proof-of-concept, or early version of a cybercrime tool under limited testing. HybridPetya combines the destructive capabilities of NotPetya, the recoverable encryption functionality of Petya ransomware, and the ability to bypass Secure Boot protections. It can deploy malicious UEFI payloads directly to the EFI System Partition and encrypt the Master File Table (MFT). HybridPetya's ability to install harmful code directly into a computer's UEFI firmware makes it hard for security teams to detect. The emergence of HybridPetya highlights the growing threat from UEFI bootkits that reside at a computer's startup sequence level.

Open in new tab

Chinese APT Group Deploys EggStreme Fileless Malware Against Philippine Military

A Chinese advanced persistent threat (APT) group has compromised a Philippine military company using a previously undocumented fileless malware framework called EggStreme. The malware, which injects malicious code directly into memory, enables extensive system reconnaissance, lateral movement, and data theft. The campaign began in early 2024 and remains active. The EggStreme framework includes multiple components: EggStremeFuel, EggStremeLoader, EggStremeReflectiveLoader, and EggStremeAgent. The framework uses DLL sideloading and a keylogger to harvest sensitive data and communicates with command-and-control (C2) servers using the Google Remote Procedure Call (gRPC) protocol. The malware's fileless nature and sophisticated evasion techniques make it difficult to detect and mitigate.

Open in new tab

Resurfaced ChillyHell macOS Backdoor Discovered

A new version of the ChillyHell modular backdoor malware targeting macOS has been discovered. The malware, first seen in 2022, was used in attacks against Ukrainian officials and has now resurfaced with updated capabilities. ChillyHell provides remote access, payload delivery, and password brute-forcing. The malware was notarized by Apple in 2021 and has been publicly hosted on Dropbox since then. The malware disguises itself as an executable applet and deploys as a persistent backdoor, capable of retrieving sensitive data and evading detection. It employs multiple persistence mechanisms and can communicate over different protocols. It also features timestamping to cover its tracks. Apple has revoked the notarization of the developer certificates associated with the malware after being notified. ChillyHell is written in C++ and targets Intel architectures. It is attributed to an uncategorized threat cluster dubbed UNC4487, which has been active since at least October 2022. UNC4487 is suspected to be an espionage actor targeting Ukrainian government entities.

Open in new tab