Security researchers at Kaspersky discovered that hackers used Skype to distribute a Remote Access Trojan known as GodRAT. Initially spread via malicious screensaver files disguised as financial documents, the malware employed steganography to conceal shellcode inside image files, which then downloaded GodRAT from a remote server.
Once activated, GodRAT collected detailed system information, including OS specs, antivirus presence, user account data and more. The trojan could also download additional plugins such as file explorers and password stealers. In some cases, it deployed a second malware, AsyncRAT, granting attackers prolonged access.
GodRAT appears to be an evolution of previous tools, such as AwesomePuppet, and shares artifacts with Gh0st RAT, suggesting a link to the Winnti APT group. While Kaspersky did not disclose the number of victims, the campaign primarily targeted small and medium-sized businesses in the UAE, Hong Kong, Jordan, and Lebanon. Cybercrime using Skype as a vector reportedly ceased around March 2025 as criminals shifted to other distribution channels.
