Godot Engine: An Undetected Playground for Malware Loaders

Botconf 2025
Friday
2025-05-23 | 10:00 – 10:30

Antonis Terefos 🗣 | Alexandr Shamshur

In this presentation, we will discuss our recent discovery of a novel malware-loading technique that leverages the Godot Engine—a popular open-source game development platform—to execute malicious commands and deliver payloads through crafted GDScript code. This method, deployed via a loader dubbed GodLoader, has remained largely undetected by antivirus solutions on VirusTotal and has infected over 17,000 machines since June 29, 2024.

The threat actor behind GodLoader has been distributing the malware through the Stargazers Ghost Network, a Distribution-as-a-Service (DaaS) network that exploits GitHub’s community features to legitimize malicious repositories. This network utilized 200 repositories and over 225 Stargazer accounts throughout September and October to mask malware as legitimate software, targeting developers, gamers, and general users.

Godot Engine is designed for 2D and 3D game development, allowing developers to export games across multiple platforms, including Windows, macOS, Linux, Android, iOS, and HTML5. This cross-platform functionality, combined with the engine’s Python-like GDScript, can enable attackers to effectively deploy malware across diverse operating systems.

