- Criminals found using Skype to deliver images hiding malware
- The victims were mostly SMBs in the Middle East
- The malware is new, but it seems to have distant relatives
Cybercriminals have been found using Skype Messenger to deliver remote access Trojan (RAT) malware, compromising victims' computers and opening the door to devastating second-stage attacks.
Kaspersky cybersecurity researchers recently discovered a previously unseen malware variant called GodRAT that is distributed through malicious screensaver files disguised as financial documents.
Unusually, the criminals delivered the malware to their victims through Skype Messenger until March 2025, when they switched to other channels.
How the GodRAT malware spreads
First, the attackers would share false financial data in an image file. Using steganography, shellcode was hidden in the files; when activated, it downloads the GodRAT malware from a third-party server.
The RAT collects operating system details, the local hostname, the malware process name and process ID, the user account associated with the malware process, the installed antivirus software and the presence of a capture driver.
After that, GodRAT can receive additional plugins, depending on the initial information shared with the attackers. These plugins can be file explorers or password stealers.
In some cases, the criminals used GodRAT to deploy AsyncRAT, a secondary implant that gave them prolonged, if not permanent, access.
“GodRAT seems to be an evolution of AwesomePuppet, which Kaspersky reported in 2023 and is probably linked to the Winnti APT. Its distribution methods, rare command line parameters, code similarities with Gh0st RAT and shared artifacts, such as a distinctive fingerprint header, suggest a common origin,” said Saurabh Sharma, Kaspersky security researcher.
“GodRAT’s discovery demonstrates how such old tools can remain relevant in the current cybersecurity landscape,”
Kaspersky did not discuss the number of victims or the campaign's potential success rate, but stressed that the victims were mostly small and medium-sized businesses (SMBs) in the UAE, Hong Kong, Jordan and Lebanon.