Attack Chain
The malware is distributed via the Stargazers Ghost Network, a Malware Distribution-as-a-Service (DaaS) platform, using seemingly legitimate GitHub repositories. Key details of the campaign include:
- 200+ malicious GitHub repositories managed by over 225 Stargazer Ghost accounts.
- Four distinct attack waves between September 12 and October 3, 2024, targeting developers and gamers.
- GitHub repositories forked and starred to appear on the trending section, increasing their perceived legitimacy.
Stargazer Goblin, the threat actor behind Stargazers Ghost Network, has operated this DaaS since at least August 2022, earning more than $100,000 by distributing malware like RedLine, Lumma Stealer, and Atlantida Stealer.
[Figure: Attack chain (Check Point)]
Exploiting Godot Engine
While GodLoader primarily targets Windows systems, Check Point developed a proof-of-concept exploit to demonstrate its adaptability for Linux and macOS. However, Rémi Verschelde, a Godot Engine maintainer, clarified that the vulnerability is not inherent to Godot:
“The Godot Engine is a programming system with a scripting language, similar to Python or Ruby. Users must explicitly execute malicious files with the Godot runtime for an attack to occur.”
Godot does not automatically open .pck files, so attackers must ship their malicious payload together with the Godot runtime. As a result, a victim must manually unpack and run the files, which makes widespread exploitation harder than with one-click malware.
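The bundling requirement described above (a payload .pck that only runs when a Godot runtime sits next to it) is also a triage signal for defenders. The following is an added example, not Check Point's tooling or Godot project code: it walks a directory tree, identifies real Godot pack files by their 4-byte `GDPC` header rather than by extension, and flags any pack that has a same-named runtime executable beside it. The set of runtime file extensions it checks and the sample directory it builds are assumptions constructed for the demo.

```python
"""Triage helper: locate Godot pack files and flag ones bundled with a runtime.

Added example (not Check Point's or Godot's code). Assumes a bundled runtime
shares the pack's base name (e.g. launcher.exe next to launcher.pck).
"""
import os
import tempfile
from pathlib import Path

# Godot pack files begin with this 4-byte magic ("GDPC").
PCK_MAGIC = b"GDPC"
# Assumed: extensions an exported Godot runtime commonly carries
# ("" covers extensionless Linux/macOS binaries).
RUNTIME_SUFFIXES = {".exe", ".x86_64", ".bin", ""}


def is_pck(path: Path) -> bool:
    """True if the file starts with the Godot pack magic (extension ignored)."""
    try:
        with path.open("rb") as fh:
            return fh.read(4) == PCK_MAGIC
    except OSError:
        return False


def find_pck_bundles(root: Path) -> list[dict]:
    """Scan `root` recursively; report every pack and whether a runtime sits beside it."""
    findings = []
    for pck in root.rglob("*"):
        if not pck.is_file() or not is_pck(pck):
            continue
        runtimes = sorted(
            p.name for p in pck.parent.iterdir()
            if p.is_file() and p != pck
            and p.stem == pck.stem and p.suffix.lower() in RUNTIME_SUFFIXES
        )
        findings.append({
            "pck": pck.relative_to(root).as_posix(),
            "runtime": runtimes,
            "bundled": bool(runtimes),  # pack + runtime pair: the pattern the campaign relies on
        })
    return sorted(findings, key=lambda f: f["pck"])


def demo() -> list[dict]:
    """Build a constructed sample tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        bundle = root / "bundle"
        assets = root / "assets"
        bundle.mkdir()
        assets.mkdir()
        # Constructed: a runtime-shaped stub next to a real-looking pack header.
        (bundle / "launcher.exe").write_bytes(b"MZ" + b"\x00" * 62)
        (bundle / "launcher.pck").write_bytes(PCK_MAGIC + b"\x00" * 28)
        # Constructed: a pack with no runtime beside it (less interesting).
        (assets / "textures.pck").write_bytes(PCK_MAGIC + b"\x00" * 28)
        # Constructed: .pck extension but not a pack; must not be reported.
        (assets / "readme.pck").write_bytes(b"not a pack file\n")
        return find_pck_bundles(root)


if __name__ == "__main__":
    for finding in demo():
        flag = "BUNDLED" if finding["bundled"] else "pack only"
        print(f"{flag:9} {finding['pck']} runtime={finding['runtime']}")
```

Only standalone packs are detected; a .pck embedded inside the runtime binary itself is a single file and needs a different check, so treat a clean result as "no loose pack found" rather than "no Godot payload present".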