Skype Delivered SCR and PIF Files Deploy GodRAT Malware in Financial Campaigns

Threat Group: Winnti (APT41) – suspected attribution based on code lineage and targeting
Threat Type: Remote Access Trojan (RAT)
Exploited Vulnerabilities: None required for initial access. Social engineering via Skype delivers malicious .SCR and .PIF files that carry shellcode hidden steganographically in JPEG images and stage it through DLL sideloading
Malware Used: GodRAT – evolution of Gh0st RAT and AwesomePuppet, featuring plugin-based architecture
Threat Score: 🔴 High (8.0/10) – Advanced evasion (steganography, DLL sideloading), credential theft, plugin expansion, source code availability, and financial-sector targeting
Last Threat Observation: 19 August 2025 – Active campaigns against trading and brokerage firms in Hong Kong, UAE, Lebanon, Malaysia, and Jordan


Overview

GodRAT is a recently identified Remote Access Trojan (RAT) that has quickly become a significant threat to financial institutions. It is actively targeting trading and brokerage firms across Hong Kong, the UAE, Lebanon, Malaysia, and Jordan. Its High (8.0/10) threat score reflects its evasion techniques, plugin-driven modularity, and focus on high-value targets.

GodRAT is an evolution of the Gh0st RAT lineage and incorporates features from the AwesomePuppet implant. Delivery relies on Skype-distributed .SCR and .PIF files, often disguised as financial documents, which drop a legitimate executable alongside a malicious DLL; the DLL is sideloaded, recovers shellcode hidden steganographically in a bundled JPEG image, and injects it into trusted Windows processes for persistence and stealth. Once active, GodRAT can deploy plugins for file system operations and browser credential theft, and can stage secondary implants such as AsyncRAT.

Attribution points toward Winnti (APT41), based on code lineage and target selection, although this remains an assessment rather than a confirmed link. The group’s operations blend state espionage with financial crime, and the targeting of trading platforms aligns with its historical focus. Compounding the threat, the source code for both the client and the builder was uploaded to VirusTotal in July 2024, enabling proliferation by other threat actors. This increases the risk of widespread adoption and customisation of GodRAT far beyond its original campaigns.


Key Details

Delivery Method:

  • Malicious .SCR and .PIF files shared via Skype, disguised as financial documents
  • Embedded JPEG images carrying hidden shellcode using steganography

Targets:

  • Financial institutions, especially trading and brokerage firms in Asia and the Middle East

Functions:

  • System reconnaissance (OS details, antivirus software, capture drivers, user context)
  • FileManager plugin (FILE.dll) for file browsing, searching, and manipulation
  • Credential theft from Chrome and Edge by decrypting stored passwords
  • Secondary payload deployment (e.g. AsyncRAT)
  • Remote execution and plugin injection over TCP

Obfuscation:

  • Steganography to conceal shellcode inside JPEGs
  • DLL sideloading through a legitimate executable, followed by injection of the decoded shellcode into trusted processes (svchost.exe, cmd.exe, cscript.exe, QQMusic.exe, curl.exe, wscript.exe, QQScLauncher.exe)

Attack Vectors

  1. Initial Access – Malicious .SCR and .PIF files delivered over Skype as financial documents.
  2. Steganographic Shellcode – The loader reads the hidden payload out of a JPEG, so the image file itself carries no recognisable code and passes signature-based file scanning.
  3. DLL Sideloading and Injection – A legitimate executable loads the attacker’s DLL from its own directory; the DLL then injects the decoded shellcode into legitimate processes for stealth.
  4. Plugin Expansion – Post-compromise deployment of FileManager, credential stealers, and AsyncRAT.
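One way to start hunting for the steganographic stage described in step 2, as an added example that is not code from the original page, from the vendor report, or from the malware. The page says only that the shellcode is hidden in a JPEG and does not document the embedding scheme, so this scanner checks the simplest loader trick, a blob appended after the FFD9 End-Of-Image marker, and reports the entropy of whatever it finds. The segment walker, the trailing-size threshold and the entropy floor are assumptions; treat the result as a triage signal, not as a parser for GodRAT’s real format.

```python
"""Hunt for JPEG files carrying a payload after the End-Of-Image marker.

Added example, not from the GodRAT report or the malware. The page states only
that the shellcode is hidden inside a JPEG and does not document the embedding
scheme; this scanner checks the simplest loader trick, a blob appended after
the FFD9 EOI marker, and reports its entropy. Treat it as an ASSUMED starting
point for a hunt, not as a parser for GodRAT's actual format.
"""
from __future__ import annotations

import math
from dataclasses import dataclass

SOI = b"\xff\xd8"
EOI = b"\xff\xd9"


@dataclass
class JpegFinding:
    trailing_bytes: int
    trailing_entropy: float
    suspicious: bool    # enough appended data to hold a stager or shellcode
    looks_packed: bool  # high entropy, typical of compressed or encrypted data


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means every byte value is equally frequent."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def find_eoi(data: bytes) -> int | None:
    """Walk the segment structure and return the offset just past EOI.

    Walking segments, rather than searching for the first or last FFD9, avoids
    being fooled by an EXIF thumbnail (its own SOI/EOI pair inside APP1) or by
    an appended payload that happens to contain FFD9.
    """
    if not data.startswith(SOI):
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xD9:                      # EOI
            return pos + 2
        if marker == 0xFF:                      # fill byte before a marker
            pos += 1
            continue
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:   # standalone markers
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
        pos += 2 + seg_len
        if marker == 0xDA:                      # SOS: skip entropy-coded data
            # inside scan data 0xFF is stuffed as FF00 and FFD0-FFD7 are restart
            # markers, so any other FFxx is the next real marker
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return None


def scan_jpeg(data: bytes, min_trailing: int = 32, entropy_floor: float = 7.0) -> JpegFinding | None:
    """Return a finding for a JPEG, or None if the bytes are not a parseable JPEG."""
    end = find_eoi(data)
    if end is None:
        return None
    trailing = data[end:]
    ent = shannon_entropy(trailing)
    return JpegFinding(len(trailing), round(ent, 2),
                       len(trailing) >= min_trailing, ent >= entropy_floor)


def build_minimal_jpeg() -> bytes:
    """Constructed minimal JPEG (not a real image): SOI, APP0, SOS with a few
    scan bytes that include a stuffed FF00 and a restart marker, then EOI."""
    app0 = b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00" + b"\x00" * 9
    sos = b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"
    return SOI + app0 + sos + scan + EOI


def build_fake_payload() -> bytes:
    """Constructed stand-in for an appended payload: a 256-byte permutation,
    so every byte value appears once and entropy is exactly 8.0 bits/byte."""
    return bytes((i * 73 + 11) % 256 for i in range(256))


if __name__ == "__main__":
    for label, blob in (("clean", build_minimal_jpeg()),
                        ("appended", build_minimal_jpeg() + build_fake_payload())):
        print(label, scan_jpeg(blob))
```

Run it over a directory of images pulled from the same dropper bundle; a JPEG with hundreds of bytes past EOI and an entropy near 8 bits per byte is worth pulling into a sandbox, while a few bytes of padding is usually camera or editor residue.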

Indicators of Compromise (IoCs)

File Types:

  • .SCR and .PIF executables with embedded DLLs
  • JPEG images containing steganographic shellcode

IPv4

  • 154[.]91[.]183[.]174
  • 118[.]107[.]46[.]174
  • 118[.]99[.]3[.]33
  • 156[.]241[.]134[.]49

Domain

  • wuwu6[.]cfd

CVE

  • CVE-2025-29824

FileHash MD5

  • 04bf56c6491c5a455efea7dbf94145f1
  • 084caf4df499141d404b7199aa2c2131
  • 160a80a754fd14679e5a7b5fc4aed672
  • 17e71cd415272a6469386f95366d3b64
  • 2750d4d40902d123a80d24f0d0acc454
  • 31385291c01bb25d635d098f91708905
  • 318f5bf9894ac424fd4faf4ba857155e
  • 441b35ee7c366d4644dca741f51eb729
  • 4ecd2cf02bdf19cdbc5507e85a32c657
  • 512778f0de31fcce281d87f00affa4a8
  • 58f54b88f2009864db7e7a5d1610d27d
  • 5f7087039cb42090003cc9dbb493215e
  • 605f25606bb925d61ccc47f0150db674
  • 64dfcdd8f511f4c71d19f5a58139f2c0
  • 6c12ec3795b082ec8d5e294e6a5d6d01
  • 6cad01ca86e8cd5339ff1e8fff4c8558
  • 8008375eec7550d6d8e0eaf24389cf81
  • 961188d6903866496c954f03ecff2a72
  • a6352b2c4a3e00de9e84295c8d505dad
  • bb23d0e061a8535f4cb8c6d724839883
  • cdd5c08b43238c47087a5d914d61c943
  • cf7100bbb5ceb587f04a1f42939e24ab
  • d09fd377d8566b9d7a5880649a0192b4
  • e055aa2b77890647bdf5878b534fba2c
  • e723258b75fee6fbd8095f0a2ae7e53c
  • eb8d53f9276d67afafb393a5b16e7c61

Processes Abused:

  • svchost.exe, cmd.exe, cscript.exe, curl.exe, wscript.exe, QQMusic.exe, QQScLauncher.exe

Observed Payloads:

  • FileManager plugin (FILE.dll)
  • Chrome/Edge password stealer
  • AsyncRAT as secondary implant

C2 Communication Patterns:

  • TCP-based C2 communications
  • The shellcode locates the string “godinfo” in its own body and XOR-decodes the bytes that follow with 0x63 to recover its config (C2 IP, port, module arguments)
  • The initial beacon sends the string “GETGOD” to register with the C2
  • Each message carries a 15-byte header that includes the magic bytes \x74\x78\x20 (ASCII “tx ”)
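The config decode and the beacon check above, as an added example that is not code from the original page, from Kaspersky, or from the malware. The page supplies four facts: the “godinfo” marker, the XOR key 0x63, the “GETGOD” beacon and a 15-byte header containing the magic 74 78 20. The layout of the encoded config (NUL-separated IP, port and module arguments, double-NUL terminated) and the position of the magic inside the header are assumptions made so the code can run on a constructed blob; the helper `build_sample_blob` exists only to produce that test input.

```python
"""Decode a GodRAT-style embedded config and classify C2 payloads.

Added example; not code from the original page, from Kaspersky, or from the
malware. The page supplies the "godinfo" marker, the XOR key 0x63, the
"GETGOD" beacon and a 15-byte header containing the magic 74 78 20. The
config layout (NUL-separated ip, port, module args, double-NUL terminated,
all XOR 0x63) and the magic's position inside the header are ASSUMPTIONS
made so the example can run on constructed data.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

MARKER = b"godinfo"
XOR_KEY = 0x63
BEACON = b"GETGOD"
HEADER_LEN = 15
HEADER_MAGIC = b"\x74\x78\x20"   # ASCII "tx "
IPV4 = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")


@dataclass
class C2Config:
    ip: str
    port: int
    module_args: str


def xor_decode(data: bytes, key: int = XOR_KEY) -> bytes:
    return bytes(b ^ key for b in data)


def extract_config(blob: bytes) -> C2Config | None:
    """Find "godinfo" in a shellcode/memory blob and decode what follows it.

    The plaintext NUL separators encode to 0x63, so the double-NUL terminator
    shows up as 0x63 0x63 and marks the end of the encoded region (assumed
    layout, see module docstring).
    """
    idx = blob.find(MARKER)
    if idx < 0:
        return None
    start = idx + len(MARKER)
    end = blob.find(bytes([XOR_KEY, XOR_KEY]), start)
    if end < 0:
        return None
    fields = xor_decode(blob[start:end]).split(b"\x00")
    if len(fields) < 2:
        return None
    ip = fields[0].decode("ascii", "replace")
    port = fields[1].decode("ascii", "replace")
    if not IPV4.fullmatch(ip) or not port.isdigit() or not 0 < int(port) < 65536:
        return None
    args = b"\x00".join(fields[2:]).decode("ascii", "replace")
    return C2Config(ip, int(port), args)


def classify_c2_payload(payload: bytes) -> str:
    """'beacon' for the GETGOD registration message, 'framed' when the 15-byte
    header carries the 74 78 20 magic, otherwise 'unknown'."""
    if payload.startswith(BEACON):
        return "beacon"
    if len(payload) >= HEADER_LEN and HEADER_MAGIC in payload[:HEADER_LEN]:
        return "framed"
    return "unknown"


def build_sample_blob(ip: str, port: int, args: str) -> bytes:
    """Constructed test input (not a real sample): padding, the marker, the
    encoded config under the assumed layout, more padding."""
    plain = f"{ip}\x00{port}\x00{args}".encode("ascii")
    return b"\x90" * 8 + MARKER + xor_decode(plain) + bytes([XOR_KEY, XOR_KEY]) + b"\xcc" * 4


if __name__ == "__main__":
    sample = build_sample_blob("154.91.183.174", 443, "-m FILE.dll")
    print(extract_config(sample))
    print(classify_c2_payload(b"GETGOD"))
```

`extract_config` is the kind of routine you would run over a process memory dump or the decoded stage from the JPEG; `classify_c2_payload` belongs in a packet-capture or NDR pipeline and deliberately matches on the first 15 bytes only, so a payload that merely contains “tx ” somewhere later does not fire.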

Mitigation and Prevention

User Awareness:

  • Train staff to avoid opening .SCR and .PIF attachments from messaging platforms.

Filtering:

  • Block executable file types (.SCR, .PIF, .EXE, .BAT, .COM) in email and chat systems.

Endpoint Security:

  • Block execution of .SCR and .PIF files; both are PE executables that run exactly like an .EXE despite the extension.
  • Implement application allow-listing (WDAC or AppLocker, including DLL rules) so a legitimate binary cannot load an unsigned DLL dropped beside it.
  • Where the platform supports it, enforce loading of signed DLLs and executables only.

Identity Security:

  • Enforce two-factor authentication (2FA) for financial accounts and admin access.
  • Deploy Privileged Access Management (PAM) to restrict and monitor privileged accounts.

Monitoring & Detection:

  • Use Sysmon (Event ID 7 ImageLoad, Event ID 8 CreateRemoteThread) or EDR to detect DLL loads from user-writable paths and remote thread creation into processes such as svchost.exe, cmd.exe and wscript.exe.
  • Monitor outbound TCP connections to the listed C2 addresses and inspect payloads for the “GETGOD” beacon and the \x74\x78\x20 header magic.
  • Alert on creation of %AppData%\config.ini containing suspicious strings.
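The endpoint side of the detection list above, as an added example that is not the page’s or any vendor’s detection content. The events are constructed dictionaries using Sysmon’s field names for Event ID 7 (ImageLoad), 8 (CreateRemoteThread) and 3 (NetworkConnect); in production they would come from the Sysmon operational log or an EDR feed. Treating anything outside C:\Windows and Program Files as user-writable, and the sample file names, are assumptions chosen to keep the example short.

```python
"""Triage Sysmon events for the GodRAT tradecraft named on this page.

Added example, not the page's or any vendor's detection content. Events are
constructed dicts with Sysmon field names (Event ID 7 ImageLoad, 8
CreateRemoteThread, 3 NetworkConnect). The "trusted roots" path test and the
sample file names are ASSUMPTIONS; a real deployment would use a proper
allow-list and signer checks from the Sysmon Signature fields.
"""
from __future__ import annotations

from pathlib import PureWindowsPath

# processes the page lists as injection / sideload hosts
ABUSED_PROCESSES = {
    "svchost.exe", "cmd.exe", "cscript.exe", "wscript.exe", "curl.exe",
    "qqmusic.exe", "qqsclauncher.exe",
}
# network IoCs from the page
C2_IPS = {"154.91.183.174", "118.107.46.174", "118.99.3.33", "156.241.134.49"}
C2_DOMAINS = {"wuwu6.cfd"}
# assumption: anything outside these roots is treated as user-writable
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def in_trusted_root(path: str) -> bool:
    return path.lower().startswith(TRUSTED_ROOTS)


def triage(events: list[dict]) -> list[tuple[str, str]]:
    """Return (rule, detail) pairs for events matching the page's behaviours."""
    hits: list[tuple[str, str]] = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 7:
            host, dll = ev["Image"], ev["ImageLoaded"]
            unsigned = str(ev.get("Signed", "false")).lower() != "true"
            if basename(host) in ABUSED_PROCESSES and (unsigned or not in_trusted_root(dll)):
                hits.append(("dll_sideload_host",
                             f"{basename(host)} loaded {dll} (signed={not unsigned})"))
        elif eid == 8:
            src, dst = ev["SourceImage"], ev["TargetImage"]
            if basename(dst) in ABUSED_PROCESSES and not in_trusted_root(src):
                hits.append(("remote_thread_injection", f"{src} -> {basename(dst)}"))
        elif eid == 3:
            ip = ev.get("DestinationIp", "")
            host = ev.get("DestinationHostname", "").lower().rstrip(".")
            if ip in C2_IPS or any(host == d or host.endswith("." + d) for d in C2_DOMAINS):
                hits.append(("known_c2",
                             f"{ev['Image']} -> {ip or host}:{ev.get('DestinationPort')}"))
    return hits


# constructed telemetry, not real events; paths and names are made up
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\rpcrt4.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Users\trader\AppData\Local\Temp\RAR.tmp\libcurl.dll", "Signed": "false"},
    {"EventID": 8, "SourceImage": r"C:\Users\trader\Downloads\Statement_Q2.scr",
     "TargetImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 3, "Image": r"C:\Windows\System32\cmd.exe",
     "DestinationIp": "154.91.183.174", "DestinationPort": 443, "DestinationHostname": ""},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443, "DestinationHostname": "example.com"},
]


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The first rule is noisy on hosts that legitimately load third-party DLLs into svchost.exe (some AV and VPN products do), so in practice it is scoped with a signer allow-list; the CreateRemoteThread rule is the higher-fidelity one, because a freshly downloaded .scr opening a thread in cmd.exe has almost no benign explanation.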

Proactive Measures:

  • Continuous threat hunting for anomalous DLL injections and steganographic loaders.
  • Network segmentation to restrict lateral movement.
  • Regular, offline backups for recovery from compromise.

Risk Assessment

GodRAT is rated High (8.0/10). Its evasion techniques (steganography, DLL sideloading), modular functionality, and targeting of financial institutions represent a serious risk. Source code availability increases its proliferation potential, lowering the barrier for cybercriminals to weaponise it. Consequences include credential theft, exfiltration of sensitive trading data, lateral movement across enterprise networks, operational disruption, regulatory consequences, and reputational damage.


Conclusion

GodRAT is a modernised evolution of the Gh0st RAT family that also shares code with the AwesomePuppet implant. It combines a proven framework with newer evasion methods and a plugin-based model for tailored attacks. Its suspected attribution to Winnti (APT41) suggests campaigns could serve both espionage and financial gain objectives.

The malware’s public source code release significantly increases the risk of widespread adoption, requiring defenders to adapt. Financial institutions in the targeted regions face the highest risk, but the potential for wider dissemination demands vigilance across all sectors. Proactive detection, robust endpoint monitoring, user awareness, and incident response readiness are essential.


Appendix A – GodRAT vs GobRAT

Feature      | GodRAT                                                           | GobRAT
Target OS    | Windows                                                          | Linux (routers)
Language     | C/C++, derived from Gh0st RAT & AwesomePuppet                    | Go (Golang)
Targets      | Financial institutions                                           | Japanese routers
Delivery     | Skype-delivered .SCR/.PIF with steganography in JPEGs            | Vulnerable web interfaces
Evasion      | Steganography, DLL sideloading                                   | Disguises as “apached” process
C2           | TCP with XOR 0x63 config, “GETGOD” string, magic bytes header    | TLS encrypted commands (22 types)
Attribution  | Suspected Winnti (APT41)                                         | No attribution, tracked by JPCERT
Source Code  | Client & builder on VirusTotal (July 2024)                       | Analysis tools on GitHub (JPCERTCC)
