New GodRAT Trojan Targets Trading Firms Using Steganography and Gh0st RAT Techniques

August 19, 2025
Malware / Cyber Attack

Financial institutions, particularly trading and brokerage firms, are currently facing a new threat from a remote access trojan known as GodRAT. According to Kaspersky researcher Saurabh Sharma, this malware is spread through malicious .SCR (screen saver) files disguised as financial documents sent via Skype Messenger. Active as recently as August 12, 2025, the attacks utilize steganography to hide shellcode within image files, enabling the download of the malware from a command-and-control (C2) server. Since September 9, 2024, these screen saver artifacts have targeted regions including Hong Kong, the United Arab Emirates, Lebanon, Malaysia, and Jordan. Based on Gh0st RAT, GodRAT employs a plugin-based architecture to enhance its capabilities for gathering sensitive information and delivering additional payloads like AsyncRAT.

Emerging GodRAT Trojan Targets Trading Firms with Steganographic Techniques

On August 19, 2025, cybersecurity firm Kaspersky disclosed a significant new threat affecting trading and brokerage firms: a remote access Trojan (RAT) dubbed GodRAT. This new malware leverages a technique known as steganography to conceal its malicious code within image files, facilitating its delivery and execution while evading detection.

The GodRAT campaign has recently employed a clever distribution method through Skype messenger, with hackers sending seemingly innocuous .SCR (screen saver) files masquerading as legitimate financial documents. According to Kaspersky researcher Saurabh Sharma, the attacks have been active as recently as August 12, 2025. The Trojan is believed to be inspired by the well-known Gh0st RAT, which has laid the foundation for GodRAT’s functionalities.

The operational footprint of this malicious activity extends to several regions, including Hong Kong, the United Arab Emirates, Lebanon, Malaysia, and Jordan. The earliest signs of this malware variant were detected in September 2024, highlighting a prolonged engagement with its targets.

GodRAT employs a modular design optimized for flexibility, utilizing plugins to enhance its capabilities. This design enables attackers to steal sensitive information and deploy additional malicious payloads, such as AsyncRAT, thereby multiplying the impact of the initial breach. The Trojan’s operation is indicative of current adversarial tactics that rely on obfuscation techniques and social engineering, which are consistent with the MITRE ATT&CK framework.

In terms of tactical maneuvering, GodRAT demonstrates initial access through phishing tactics, often executed via curated screen saver files that appeal to unsuspecting recipients. The use of steganography not only aids in bypassing standard security measures but also aligns with persistence tactics that attackers use to maintain long-term access to their victims’ networks.

Privilege escalation tactics may also be in play, as the Trojan’s dynamic plugins can be designed to exploit vulnerabilities within the targeted systems, thereby granting attackers elevated user roles. This capability significantly increases the potential damage, facilitating deeper intrusions into victim environments.

As technology practices evolve, so too do the methods employed by cybercriminals. Business owners in the financial sector are advised to remain vigilant and proactive in employing multi-layered security protocols, including regular updates to anti-malware solutions and employee training to identify phishing attempts. The GodRAT campaign underscores the importance of staying informed about emerging threats and adapting strategies to combat them effectively.

In light of these developments, organizations are encouraged to review their cybersecurity measures in alignment with the ever-evolving threat landscape, leveraging resources such as the MITRE ATT&CK framework for enhanced awareness and preparedness against similar attacks.

Source link

Related Posts

Exploitation of Apache ActiveMQ Vulnerability Leads to DripDropper Malware Deployment on Cloud Linux Systems

August 19, 2025
Linux / Malware

Threat actors are leveraging a nearly two-year-old security vulnerability in Apache ActiveMQ to gain persistent access to cloud-based Linux systems and install the DripDropper malware. In an unexpected turn, these unidentified attackers have been seen patching the exploited vulnerability after gaining access, likely to prevent further exploitation by others and to evade detection, according to a report from Red Canary shared with The Hacker News. “Follow-on command-and-control (C2) tools varied by endpoint and included Sliver and Cloudflare Tunnels, allowing for covert long-term control,” researchers Christina Johns, Chris Brook, and Tyler Edmonds noted.

The attacks exploit a critical security flaw in Apache ActiveMQ (CVE-2023-46604, CVSS score: 10.0), a remote code execution vulnerability that enables the execution of arbitrary shell commands. This issue was addressed in late October 2023 but has since faced significant exploitation.

FBI Alerts on FSB-Linked Hackers Targeting Unpatched Cisco Devices for Cyber Espionage

Date: Aug 20, 2025 | Cyber Espionage / Vulnerability

A state-sponsored Russian hacking group, identified as Static Tundra, is exploiting a seven-year-old vulnerability in Cisco IOS and Cisco IOS XE software to gain persistent access to targeted networks. Cisco Talos revealed that these attacks are primarily aimed at telecommunications, higher education, and manufacturing sectors across North America, Asia, Africa, and Europe. Potential victims are selected based on their “strategic interest” to Russia, with recent targets focusing on Ukraine and its allies amid the ongoing Russo-Ukrainian conflict. The exploited vulnerability, CVE-2018-0171 (CVSS score: 9.8), is a critical flaw in the Smart Install feature of Cisco software, which may allow unauthorized remote attackers to initiate denial-of-service (DoS) attacks or execute arbitrary code.

🔍 Webinar: Uncover and Manage Hidden AI Agents in Your Enterprise Before Hackers Do

📅 Aug 20, 2025
Category: Artificial Intelligence / Enterprise Security

Do you know how many AI agents are currently operating within your organization? If you’re uncertain, you’re not alone—and that’s a significant concern. Every day, AI agents are being deployed across various industries, often initiated by business units eager for quick results, rather than just by IT. This creates a scenario where agents operate unnoticed—without proper identification, ownership, or activity logs. Essentially, they remain invisible.

👉 Register now for “Shadow Agents and Silent Threats: Securing AI’s New Identity Frontier” to learn how to proactively address this escalating issue.

The Hidden Dangers of Shadow AI Agents

Shadow agents aren’t merely benign assistants. If compromised, they can navigate through systems effortlessly, accessing sensitive data or elevating privileges at machine speed. Unlike humans, they are relentless, working around the clock without hesitation.

The reality is that most security programs weren’t designed to handle this challenge. They focus on managing people, not autonomous software agents. As the use of AI continues to rise, these circumstances pose a significant threat.

DOM-Based Clickjacking Vulnerability Threatens Popular Password Managers, Exposing Users to Credential and Data Theft

AUGUST 20, 2025
Vulnerability / Browser Security

Recent findings reveal that widely used password manager browser extensions are vulnerable to DOM-based clickjacking attacks, which can compromise users’ account credentials, two-factor authentication (2FA) codes, and credit card information under specific conditions. Independent security researcher Marek Tóth highlighted this risk during his presentation at DEF CON 33 earlier this month. “With just a single click on an attacker-controlled site, users’ sensitive data—including credit card details, personal information, and login credentials (including TOTP)—can be stolen,” Tóth explained. This new technique is versatile and could potentially target other extension types as well. Clickjacking, also known as UI redressing, involves manipulating users into executing seemingly benign actions on a website, while the real intent is to hijack their information.