New GodRAT Remote Access Trojan Exploits Skype to Compromise Financial Institutions
August 22nd, 2025
High

Our Cyber Threat Intelligence Unit is monitoring an active campaign targeting financial trading and brokerage companies that involves a new Gh0st RAT–based trojan ("GodRAT"). Delivered as malicious .SCR and .PIF files disguised as financial documents and shared over Skype, the loader uses steganography to extract hidden shellcode from image files before deploying GodRAT. The trojan has a plugin-based architecture, with modules such as a FileManager, Chrome/Edge password stealers, and AsyncRAT used for persistence. The campaign has been active since late 2024, with the latest detections on August 12, 2025; targeted institutions are located in Hong Kong, UAE, Lebanon, Malaysia, and Jordan. Kaspersky considers GodRAT an evolution of AwesomePuppet and likely connected to Winnti/APT41, though attribution remains unconfirmed.
Technical Details
Severity: High
Threat Type: Remote Access Trojan (Gh0st RAT derivative)
Targeted Sectors: Financial trading and brokerage firms.
Components Affected: Windows endpoints targeted via malicious .SCR and .PIF files; additional artifacts observed in %ALLUSERSPROFILE%\google\ and %LOCALAPPDATA%\bugreport\.
Attack Chain/Method:
Initial Vector: GodRAT is spread via malicious .SCR and .PIF files shared over Skype. These files imitate legitimate financial documents, deceiving users into opening them.
Exploitation: The loader employs steganography to extract shellcode concealed in image files, facilitating the execution of the RAT.
Payload Delivery: Once deployed, GodRAT operates using a plugin-based architecture. Detected plugins include FileManager for system reconnaissance and file manipulation. Adversaries also deploy Chrome and Edge password stealers, along with AsyncRAT as a secondary remote access tool.
Post-Exploitation and Persistence: Adversaries maintain long-term persistence on compromised hosts, enabling data theft, lateral movement, and the deployment of additional malware.

Impact
Data Security: Theft of browser credentials, unauthorized access to trading accounts, and data exfiltration via AsyncRAT.
System Availability: Risk of downtime if systems are used for lateral movement or additional payload deployment.
Business Operations: Potential disruption to financial transactions and trading operations.
Compliance and Financial: Unauthorized access could result in regulatory scrutiny, financial loss, and costs associated with investigation and remediation.
Reputation: Breaches in the financial sector risk eroding customer trust and damaging institutional credibility.
Detection Method
Monitor outbound traffic to 103.237.92[.]191 and other GodRAT C2 nodes.
Inspect DNS queries for wuwu6[.]cfd (AsyncRAT C2).
Flag execution of .SCR and .PIF files from user directories or messaging app download folders.
Monitor suspicious file creations at:
%ALLUSERSPROFILE%\google\chrome.exe
%ALLUSERSPROFILE%\google\msedge.exe
%ALLUSERSPROFILE%\bugreport\LoggerCollector.dll
%LOCALAPPDATA%\bugreport\LoggerCollector.dll
%LOCALAPPDATA%\bugreport\bugreport_.exe
Watch for DLL sideloading activities involving LoggerCollector.dll.
Detect anomalies such as image files spawning executables or unusual process chains involving Skype/Telegram.
Review EDR/XDR logs for detections of listed MD5 hashes.
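The detection steps above can be turned into a single hunting pass over endpoint telemetry. The following script is an added example and is not part of the original advisory: it encodes the advisory's indicators (C2 IP, AsyncRAT domain, the five listed MD5 hashes, and the staging paths with %ALLUSERSPROFILE% and %LOCALAPPDATA% expanded to their Windows defaults, C:\ProgramData and C:\Users\<user>\AppData\Local) as matching rules and runs them over a handful of constructed, Sysmon-style events. The event field names and the sample events are assumptions made for illustration, not a real log format.

```python
"""Hunt Sysmon-style endpoint events for the GodRAT indicators in the advisory.

Added example, not part of the original advisory. The event schema
(event/image/parent_image/md5/target/image_loaded/query/dest_ip) and the
SAMPLE_EVENTS below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Network indicators from the advisory (defanged forms refanged for matching).
C2_IPS = {"103.237.92.191"}
C2_DOMAINS = {"wuwu6.cfd"}

# MD5 hashes listed in the advisory's Indicators of Compromise table.
KNOWN_MD5 = {
    "d09fd377d8566b9d7a5880649a0192b4",
    "512778f0de31fcce281d87f00affa4a8",
    "8008375eec7550d6d8e0eaf24389cf81",
    "31385291c01bb25d635d098f91708905",
    "605f25606bb925d61ccc47f0150db674",
}

# Staging paths from the advisory, matched case-insensitively against fully
# expanded paths (%ALLUSERSPROFILE% -> C:\ProgramData, %LOCALAPPDATA% ->
# C:\Users\<user>\AppData\Local).
PATH_PATTERNS = [
    re.compile(r"\\programdata\\google\\(chrome|msedge)\.exe$"),
    re.compile(r"\\(programdata|users\\[^\\]+\\appdata\\local)\\bugreport\\loggercollector\.dll$"),
    re.compile(r"\\users\\[^\\]+\\appdata\\local\\bugreport\\bugreport_\.exe$"),
]
LURE_EXT = re.compile(r"\.(scr|pif)$")          # lure file types used in the campaign
USER_DIR = re.compile(r"^[a-z]:\\users\\")        # executed from a user directory
MESSAGING = re.compile(r"\\(skype|telegram)[^\\]*\.exe$")  # Skype/Telegram as parent


@dataclass(frozen=True)
class Finding:
    rule: str    # which advisory detection rule fired
    index: int   # position of the event in the input stream
    detail: str  # the matched value, for the analyst


def _norm(value):
    """Lower-case a path/domain/hash so all matching is case-insensitive."""
    return (value or "").lower()


def check_event(index, ev):
    """Apply every advisory rule to one event; return the findings it produced."""
    findings = []
    kind = ev.get("event")
    image = _norm(ev.get("image"))

    if kind == "network_connect" and ev.get("dest_ip") in C2_IPS:
        findings.append(Finding("c2_ip", index, ev["dest_ip"]))
    if kind == "dns_query" and _norm(ev.get("query")) in C2_DOMAINS:
        findings.append(Finding("c2_domain", index, ev["query"]))
    if kind == "process_create":
        if _norm(ev.get("md5")) in KNOWN_MD5:
            findings.append(Finding("known_md5", index, ev["md5"]))
        if LURE_EXT.search(image) and USER_DIR.match(image):
            findings.append(Finding("lure_exec_user_dir", index, ev["image"]))
        if MESSAGING.search(_norm(ev.get("parent_image"))) and LURE_EXT.search(image):
            findings.append(Finding("messaging_spawn", index, ev["image"]))
    if kind == "file_create":
        target = _norm(ev.get("target"))
        if any(p.search(target) for p in PATH_PATTERNS):
            findings.append(Finding("staging_path", index, ev["target"]))
    if kind == "image_load" and _norm(ev.get("image_loaded")).endswith("\\loggercollector.dll"):
        # DLL sideloading indicator: LoggerCollector.dll loaded from a staging directory.
        findings.append(Finding("sideload_dll", index, ev["image_loaded"]))
    return findings


def hunt(events):
    """Run check_event over a whole event stream and collect all findings."""
    return [f for i, ev in enumerate(events) for f in check_event(i, ev)]


# Constructed sample telemetry: six events that should fire, two that should not.
SAMPLE_EVENTS = [
    {"event": "process_create", "image": r"C:\Users\trader\Downloads\Q3_Statement.scr",
     "parent_image": r"C:\Program Files\WindowsApps\Microsoft.SkypeApp_x\Skype.exe",
     "md5": "d09fd377d8566b9d7a5880649a0192b4"},
    {"event": "file_create", "target": r"C:\ProgramData\google\chrome.exe"},
    {"event": "file_create", "target": r"C:\Users\trader\AppData\Local\bugreport\LoggerCollector.dll"},
    {"event": "image_load", "image": r"C:\Users\trader\AppData\Local\bugreport\bugreport_.exe",
     "image_loaded": r"C:\Users\trader\AppData\Local\bugreport\LoggerCollector.dll"},
    {"event": "dns_query", "image": r"C:\ProgramData\google\chrome.exe", "query": "wuwu6.cfd"},
    {"event": "network_connect", "image": r"C:\ProgramData\google\chrome.exe", "dest_ip": "103.237.92.191"},
    {"event": "process_create", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Windows\explorer.exe", "md5": "00000000000000000000000000000000"},
    {"event": "network_connect", "image": r"C:\Windows\System32\svchost.exe", "dest_ip": "8.8.8.8"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] event #{f.index}: {f.detail}")
```

The first sample event fires three rules at once (known hash, lure executed from a user directory, lure spawned by Skype), which is the kind of overlap a correlation rule can use to raise the alert's confidence rather than emitting three separate low-severity hits. Hash matching alone is the weakest rule here, since new builds change the hash; the path, parent-process, and DLL-sideloading rules survive recompilation.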
Indicators of Compromise
| Type | Indicator |
| --- | --- |
| MD5 Hash | d09fd377d8566b9d7a5880649a0192b4 |
| MD5 Hash | 512778f0de31fcce281d87f00affa4a8 |
| MD5 Hash | 8008375eec7550d6d8e0eaf24389cf81 |
| MD5 Hash | 31385291c01bb25d635d098f91708905 |
| MD5 Hash | 605f25606bb925d61ccc47f0150db674 |
| IP Address | 103.237.92[.]191 |
| Domain Name | wuwu6[.]cfd |
| File Path | %ALLUSERSPROFILE%\google\chrome.exe |
| File Hash | cf7100bbb5ceb587f04a1f42939e24ab |
| File Hash | e723258b75fee6fbd8095f0a2ae7e53c |
| File Hash | a6352b2c4a3e00de9e84295c8d505dad |
| File Hash | 6c12ec3795b082ec8d5e294e6a5d6d01 |
| File Hash | bb23d0e061a8535f4cb8c6d724839883 |
| File Hash | 160a80a754fd14679e5a7b5fc4aed672 |
| File Hash | 2750d4d40902d123a80d24f0d0acc454 |
| File Hash | 441b35ee7c366d4644dca741f51eb729 |
| File Hash | 318f5bf9894ac424fd4faf4ba857155e |
| File Hash | 6cad01ca86e8cd5339ff1e8fff4c8558 |
| File Hash | 58f54b88f2009864db7e7a5d1610d27d |
| File Hash | 64dfcdd8f511f4c71d19f5a58139f2c0 |
| File Hash | 04bf56c6491c5a455efea7dbf94145f1 |
| File Hash | 5f7087039cb42090003cc9dbb493215e |
| File Hash | cdd5c08b43238c47087a5d914d61c943 |

Recommendations
Isolate affected systems and block communication with listed IoCs.
Reset exposed credentials and enforce MFA across critical accounts.
Apply the latest OS and application updates.
Enforce restrictions on .SCR and .PIF execution via Group Policy or AppLocker.
Enhance EDR rules for detection of steganographic loaders and DLL sideloading.
Deploy network segmentation to limit lateral movement in financial trading environments.
Educate staff on risks of executing unexpected file types (e.g., .scr, .pif).
Encourage vigilance around Skype/Telegram file-sharing risks.
Conduct regular red-team exercises simulating RAT deployment.
Review incident response playbooks for RAT + credential stealer scenarios.
Conclusion
The GodRAT campaign demonstrates how adversaries combine social engineering and steganography to infiltrate financial institutions. With an evolving plugin-based RAT and secondary payloads such as AsyncRAT and browser credential stealers, the attackers aim for long-term access and data exfiltration. Given that active exploitation was observed as recently as August 2025, financial organizations should immediately prioritize containment, credential protection, and hunting for the related IoCs to reduce exposure.