Check Point recently uncovered a malicious operation called GodLoader, written in the GDScript language and executed using the open-source game engine Godot. By writing the code in GDScript, cybercriminals were able to disguise their malicious programs as game mods and resources in the PCK format, which is commonly used by games built on the Godot engine. This method allowed them to target users across various operating systems, including Windows, macOS, Linux, Android, and iOS.
Since GDScript programs require the Godot engine to run, the attackers primarily aimed at users of games built on this engine. The earliest instances of this new malware emerged on June 29th. Over 17,000 systems were affected by GodLoader, typically after users downloaded unverified PCK archives from third-party sources and from fake GitHub repositories containing GodLoader. Once the GDScript carrying GodLoader was executed, it launched additional harmful components that mined cryptocurrency and stole saved passwords and access keys from the system.