Scripting abilities and vulnerabilities in open source game development platforms are now in the crosshairs of cybercriminals and Distribution-as-a-Service syndicates
Cybercriminals have begun exploiting the open-source Godot Engine, widely used for game development, to spread malware.
Attackers have abused the engine’s scripting capabilities to deploy a loader called GodLoader, which in turn distributes malicious payloads. This method enables cybercriminals to compromise devices across Windows, macOS, Linux, Android, and iOS.
The Stargazers Ghost Network, a GitHub-based operation that distributes malware as a service, delivers the malicious code and, in just three months, has infected over 17,000 machines. Potential attack scenarios could affect the more than 1.2m users of games developed with the engine, by abusing legitimate Godot executables to load harmful content through mods or other downloadable content.
Understanding GodLoader
The malware loader has gone undetected by most traditional antivirus tools. As a multi-platform threat, it has infected over 17,000 machines in the few months since 29 June 2024.
Mechanism of Attack
- Use of .pck Files: Tainted bundled game files (Godot’s packed resource archives) contain malicious GDScript that is executed through the engine’s built-in callback functions when the pack is loaded.
- Advanced Capabilities: Attackers implement anti-sandboxing and anti-virtual machine measures, ensuring malware evades detection while executing remote payloads.
- Cross-Platform Risks: Although initial attacks focused on Windows devices, Godot’s cross-platform nature leaves other operating systems equally exposed.
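A defensive check a practitioner might run on a downloaded pack, added here as an example (not code from Check Point Research or the Godot project): it parses the .pck header and file table, following the layout used by Godot 3 (pack format 1) and Godot 4 (pack format 2), and lists the embedded GDScript files so unexpected scripts can be reviewed before the pack is ever loaded. The `build_sample_pck` fixture and its file names are constructed for the example.

```python
import hashlib, struct

MAGIC = 0x43504447                      # the bytes b"GDPC" read as little-endian uint32
SCRIPT_EXTS = (".gd", ".gdc", ".gde")   # GDScript source, compiled and encrypted forms

def parse_pck(data: bytes) -> list:
    """Return (path, absolute_offset, size, md5_hex) for each file in a Godot .pck."""
    pos = 0
    def rd(fmt):                                # read one little-endian field and advance
        nonlocal pos
        (v,) = struct.unpack_from(fmt, data, pos); pos += struct.calcsize(fmt); return v
    if rd("<I") != MAGIC:
        raise ValueError("not a GDPC pack")
    version = rd("<I")
    if version not in (1, 2):
        raise ValueError(f"unsupported pack format {version}")
    pos += 12                                   # engine major/minor/patch the pack targets
    if version == 2:                            # v2 adds pack flags and a file base
        rd("<I"); file_base = rd("<Q")          # v2 file offsets are relative to file_base
    else:
        file_base = 0
    pos += 16 * 4                               # reserved words
    entries = []
    for _ in range(rd("<I")):                   # file count
        plen = rd("<I")                         # path length, NUL-padded to a multiple of 4
        path = data[pos:pos + plen].rstrip(b"\0").decode("utf-8"); pos += plen
        offset, size = rd("<Q"), rd("<Q")
        md5 = data[pos:pos + 16].hex(); pos += 16
        if version == 2:
            rd("<I")                            # per-file flags (bit 0: encrypted)
        entries.append((path, file_base + offset, size, md5))
    return entries

def find_scripts(data: bytes) -> list:
    """Paths of embedded GDScript files, i.e. the code that runs when the pack loads."""
    return [e[0] for e in parse_pck(data) if e[0].lower().endswith(SCRIPT_EXTS)]

def build_sample_pck(files: dict) -> bytes:
    """Constructed format-2 pack from {path: bytes}; test fixture only, file_base = 0."""
    hdr = struct.pack("<5I", MAGIC, 2, 4, 2, 0) + struct.pack("<IQ", 0, 0) + b"\0" * 64
    hdr += struct.pack("<I", len(files))
    table, blobs = b"", b""
    cursor = len(hdr) + sum(4 + (len(p.encode()) + 3) // 4 * 4 + 36 for p in files)
    for path, content in files.items():
        p = path.encode(); p += b"\0" * (-len(p) % 4)
        table += struct.pack("<I", len(p)) + p + struct.pack("<QQ", cursor, len(content))
        table += hashlib.md5(content).digest() + struct.pack("<I", 0)
        blobs += content; cursor += len(content)
    return hdr + table + blobs
```

Run `find_scripts(open("game.pck", "rb").read())` on a real pack; any script the game's author did not ship is worth reading before the game is launched.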
Infection Methods
- Distribution via GitHub: Cybercriminals use the Stargazers Ghost Network, a malware Distribution-as-a-Service framework, to disguise malware in GitHub repositories.
- Illusion of Legitimacy: Malicious repositories are artificially boosted by Stargazer accounts, making them appear credible.
- Target Audience: Developers and gamers were targeted across four waves between September and October 2024, leveraging the trust placed in open-source tools.
Implications for Developers and Gamers
- Risks to Developers: Open-source reliance increases the chances of inadvertently incorporating malicious code into projects.
- Threats to Gamers: Downloading games developed with compromised tools can lead to infection and credential theft.
- Sophisticated Campaigns: The Stargazers Ghost Network has demonstrated advanced methods of disguising and distributing malware, amplifying its impact.
According to the analysts at Check Point Research who announced their discovery of this abuse of the game engine, preventive measures include keeping operating systems and applications up to date with security patches, not opening unexpected links from unknown sources, and staying vigilant about cybersecurity risks and the latest cybersecurity news.