This is the Trojan that affects small and medium-sized businesses: it hides inside supposed financial files.

Kaspersky researchers have identified a new remote access Trojan (RAT) that has become a significant threat to small and medium-sized businesses (SMEs) in several countries. The malware, dubbed GodRAT, was detected in mid-2024 and was distributed primarily via malicious screensaver files presented as financial documents and sent via Skype until March 2025, when its operators began using other channels to expand the campaign.
According to the experts' analysis, SMEs in the United Arab Emirates, Hong Kong, Jordan, and Lebanon were among the main targets. The distribution method involved hiding the malware inside image files that appeared to display financial data. Once the victim opened them, the system connected to a remote server to download GodRAT and begin the information gathering process.

GodRAT is designed to obtain basic data from the compromised device, such as the operating system, computer name, user account, installed software, and the presence of active security programs. It also supports additional plugins, expanding its capabilities.
One of the most commonly used add-ons by attackers is FileManager, which allows them to explore files and directories on the infected system. Added to this is the use of specialized tools to extract passwords saved in browsers such as Google Chrome and Microsoft Edge, which increases the risk of sensitive data being leaked.
To ensure persistence on compromised systems, the campaign operators also rely on AsyncRAT, a secondary implant that acts as a backup in case GodRAT is removed or detected.
An heir to old threats
According to Lisandro Ubiedo, Senior Security Analyst for Kaspersky's Global Research and Analysis Team for Latin America, GodRAT could be an evolution of AwesomePuppet, another RAT reported in 2023 and linked to the advanced persistent threat (APT) group known as Winnti.

“Their distribution methods, distinctive command-line switches, code similarities with Gh0st RAT, and shared artifacts—such as a distinctive digital signature—suggest a common origin. Despite being nearly two decades old, the codebases of legacy implants like Gh0st RAT remain actively used by threat actors, who frequently customize and rebuild them to target a wide variety of victims,” Ubiedo explained.
This finding demonstrates how tools known for nearly two decades still pose a real risk to organizations of all sizes, especially as attackers update their functionality and improve their stealth techniques.
Safety recommendations
Faced with this situation, Kaspersky specialists shared a series of measures to reduce the risk of infection and protect both individual users and businesses:
- Regularly update your operating system, browser, antivirus, and other software. Many malicious campaigns exploit vulnerabilities in outdated software versions.
- Enable the "Show file extensions" option in Windows, which makes it easier to identify suspicious files. Trojans often hide behind extensions such as ".exe," ".vbs," and ".scr." In some cases, attackers combine multiple extensions to disguise a dangerous file (e.g., document.pdf.scr).

- Be cautious with attachments received via email or messaging apps, especially if they are presented as financial documents or images that need to be opened in external programs.
- For organizations, use advanced security solutions.
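The double-extension check from the recommendations above can be automated on a mail or chat gateway. The following is an added example, not code from Kaspersky or the article; the decoy-extension list and the function names are assumptions, and it goes slightly beyond the article's `document.pdf.scr` case by normalizing letter case and stray whitespace or trailing dots in the name.

```python
import re

# Extensions the article names as common Trojan carriers.
EXECUTABLE_EXTS = {".exe", ".vbs", ".scr"}
# Assumed list of extensions that make a file look like a document or image.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".jpeg", ".png", ".txt"}


def classify_attachment(name: str) -> str:
    """Return 'double-extension', 'executable' or 'ok' for a received file name."""
    # Keep only the file name, whichever path separator the sender's client used.
    base = re.split(r"[\\/]", name)[-1]
    # Windows drops trailing dots and spaces when it resolves a name, so the
    # effective extension is the one left after removing them.
    base = base.rstrip(". ")
    parts = [p.strip() for p in base.lower().split(".")]
    if len(parts) < 2:
        return "ok"  # no extension at all
    if "." + parts[-1] not in EXECUTABLE_EXTS:
        return "ok"  # final (real) extension is not executable
    # Any earlier component that looks like a document type is a disguise.
    earlier = {"." + p for p in parts[1:-1]}
    if earlier & DECOY_EXTS:
        return "double-extension"
    return "executable"


def triage(names):
    """Map each flagged file name to its verdict; clean names are omitted."""
    verdicts = {n: classify_attachment(n) for n in names}
    return {n: v for n, v in verdicts.items() if v != "ok"}


# Constructed sample names for illustration (not indicators from the campaign).
SAMPLE_NAMES = [
    "document.pdf.scr",
    "Q1_statement.XLSX   .SCR",
    "photo.jpg.scr. ",
    "setup.exe",
    "invoice.pdf",
    "notes.v1.txt",
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_NAMES).items():
        print(f"{verdict:17} {name!r}")
```

A gateway would typically quarantine `double-extension` results outright and hold plain `executable` attachments for review.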
SMEs are often among the organizations most affected by this type of attack because, in many cases, they lack robust cybersecurity teams or strict update policies. This situation makes them an attractive target for cybercriminals, who seek to access sensitive information or maintain remote control of their systems for subsequent criminal activities.
The discovery of GodRAT demonstrates that digital threats continue to evolve and that, even if they are based on old code, they can be updated to remain effective. In this context, risk awareness and investment in technological protection become essential to prevent campaigns like this from being successful.
eltiempo