Hackers have used the popular open-source Godot game engine to spread malware, infecting over 17,000 systems since June. The malware campaign, GodLoader, targets users across multiple platforms, including Windows, macOS, and Linux. The attacks use Godot’s GDScript to run harmful commands, which makes it hard for antivirus programs to detect.
How the Malware Spreads
The malware is spread through GitHub repositories disguised as legitimate tools. Check Point Research attributed these attacks to a threat actor known as Stargazer Goblin, using over 200 repositories and 225 fake accounts to spread the malware.
“The Godot Engine’s flexibility has made it a target for cybercriminals, enabling stealthy, cross-platform malware like GodLoader to spread rapidly by exploiting trust in open-source platforms.” Eli Smadja, security research group manager at Check Point Software Technologies, told The Hacker News.
The malware campaign began on June 29 and gained momentum throughout September and October. The attackers primarily targeted developers, gamers, and general users who use Godot-developed games or software. The attacks occurred in four separate waves between September 12 and October 3. Infected files were hosted on seemingly trending GitHub repositories to boost their legitimacy.
The malware takes advantage of Godot’s pack (.pck) files—which are commonly used to bundle game assets—to embed harmful GDScript code. When loaded, these scripts execute commands that download and install other malware. This includes malware like the RedLine information stealer and XMRig cryptocurrency miner. The attackers used private Pastebin files to store configuration data, which were visited over 200,000 times.
Open-Source Software Risks
Godot’s multi-platform capability allows the malware to adapt to multiple operating systems. Godot’s open-source nature also makes it appealing, as its code can be modified without license issues. With over 2,700 developers and 80,000 followers, Godot’s popularity has become an attractive vehicle. However, the Godot Security Team said the issue is not the engine but the misuse of its open features.
“We encourage people to only execute software from trusted sources—whether it’s written using Godot or any other programming system,” said Rémi Verschelde, Godot Engine maintainer. The engine’s security team warns its users to download the engine, or any other software, only from verified sources.
“If you downloaded a Godot game or the editor from a reliable source, you don’t have to do anything. You are not at risk,” Verschelde stated.
The GodLoader campaign shows how easy it is for threat actors to abuse trusted open-source platforms. It also highlights the need for proactive security measures to prevent such attacks in the future. As Eli Smadja noted, “This is a wake-up call for the industry to prioritize proactive, cross-platform cybersecurity measures to stay ahead of this alarming trend.”
Moving forward, the Godot community and other developers must be vigilant in scrutinizing where they obtain software and ensure they are implementing robust security practices. GodLoader is a reminder of the risks of open-source platforms and the need to prioritize cybersecurity.