Godot Engine used as malware loader
The Stargazers Ghost Network, an extensive network of GitHub accounts and repositories that provides malware distribution “as-a-Service”, has created ‘GodLoader’, which hides in Godot engine .pck files as a Godot script and downloads malware when activated.
Using a network of ghost accounts, they distribute all kinds of malware by relying on users who browse GitHub and download Godot tools and engine cheats. To obfuscate things, they used more than 200 repos with more than 225 ghost accounts, each with a slightly different purpose in the overall distributed scheme. Researchers note that the script method works across Windows, macOS, and Linux, since the Godot engine runs on all of those platforms.

Victims were often infected with cryptocurrency miners or the RedLine infostealer. The method is effective: it remains undetected by many antivirus tools.
One more reason to put GitHub projects you download into VMs before giving them access to your dev environment.
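Because the loader is an ordinary Godot script inside a .pck, one triage step before running a downloaded Godot tool is to list the scripts each pack contains. The sketch below is an added example, not code from this post or from the researchers; the function names are hypothetical, and the header layout for pack format versions 1 and 2 (`GDPC` magic, version words, reserved block, directory entries) is an assumption based on Godot's pack loader, so other format versions are skipped.

```python
import re, struct, sys
MAGIC = b"GDPC"                       # first four bytes of a Godot pack
SCRIPT_EXT = (".gd", ".gdc", ".gde")  # GDScript source and compiled forms

def parse_pck(data, start=0):
    """Read one pack directory at `start`; None if it does not parse."""
    try:
        magic, fmt, major, minor, patch = struct.unpack_from("<4s4I", data, start)
        if magic != MAGIC or fmt not in (1, 2):
            return None               # other format versions are not handled here
        pos, flags = start + 20, 0
        if fmt == 2:                  # assumed v2 layout: pack flags + file base
            flags, _base = struct.unpack_from("<IQ", data, pos)
            pos += 12
        pos += 16 * 4                 # reserved words
        info = {"offset": start, "engine": f"{major}.{minor}.{patch}",
                "dir_encrypted": bool(flags & 1), "paths": []}
        if info["dir_encrypted"]:     # directory cannot be listed without the key
            return info
        (count,) = struct.unpack_from("<I", data, pos)
        pos += 4
        for _ in range(count):
            (plen,) = struct.unpack_from("<I", data, pos)
            pos += 4
            if plen > 4096 or pos + plen > len(data):
                return None           # implausible entry: treat as a false hit
            info["paths"].append(data[pos:pos + plen].rstrip(b"\0").decode("utf-8", "replace"))
            pos += plen + 8 + 8 + 16 + (4 if fmt == 2 else 0)  # offset, size, md5, flags
        return info
    except struct.error:
        return None

def scan(data):  # every parsable pack in `data`, standalone or embedded in a binary
    offsets = [m.start() for m in re.finditer(re.escape(MAGIC), data)]
    return [p for p in (parse_pck(data, o) for o in offsets) if p]

def scripts(info):
    return [p for p in info["paths"] if p.lower().endswith(SCRIPT_EXT)]

def sample():  # constructed bytes: fake launcher stub, then a v2 pack with two entries
    pad = lambda p: p.encode() + b"\0" * (-len(p) % 4)
    ents = b"".join(struct.pack("<I", len(pad(p))) + pad(p) + bytes(36)
                    for p in ("res://icon.svg", "res://loader.gd"))
    head = MAGIC + struct.pack("<4IIQ", 2, 4, 3, 0, 0, 0) + bytes(64)
    return b"MZ" + bytes(30) + head + struct.pack("<I", 2) + ents

if __name__ == "__main__":
    for name in sys.argv[1:]:
        print(name, [(p["offset"], p["engine"], scripts(p)) for p in scan(open(name, "rb").read())])
```

Every Godot game ships scripts in its pack, so a hit marks what to read before the project runs, not a verdict. An encrypted directory means the contents cannot be reviewed statically.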
Links: