📃Title: Gh0st RAT-based GodRAT attacks financial organizations
📅Date: 2025-08-19
🔗References:
Description
A newly identified Remote Access Trojan named GodRAT, based on the Gh0st RAT codebase, has been targeting financial firms since September 2024. The attackers distribute malicious .scr files via Skype, using steganography to embed shellcode in images. GodRAT supports plugins and is used alongside browser password stealers and AsyncRAT. The campaign, likely an evolution of the AwesomePuppet RAT connected to Winnti APT, remains active as of August 2025. Targets include organizations in Hong Kong, United Arab Emirates, Lebanon, Malaysia, and Jordan. The attackers employ various techniques to evade detection and maintain persistent access to compromised systems.
🔖Rectifyq Taxonomies:
- relevancy: 🔴 Highly Relevant
- category: ⚔Threat
- sub-category: malware-analysis
- sub-category: campaign-analysis
- target: broad-based
- MY-relevancy: relevant
🔖MISP Galaxies:
- producer Kaspersky
- target-information="Hong Kong"
- target-information="Jordan"
- target-information="Lebanon"
- target-information="Malaysia"
- target-information="United Arab Emirates"
- malpedia="AsyncRAT"
- mitre-attack-pattern=['T1113', 'T1204.002', 'T1115', 'T1071', 'T1005', 'T1140', 'T1036', 'T1055', 'T1003.001', 'T1059', 'T1083', 'T1074', 'T1547.001', 'T1027', 'T1573', 'T1056', 'T1132', 'T1105', 'T1021.001']
MISP event uuid: 2c0e6dda-fc2d-459a-a095-3e79ab62e4b4
Indicators of Compromise (IoCs)
Full IOCs available in Rectifyq's MISP