Even 1.2 million gamers could be at risk due to cybercriminals exploiting scripts of open-source gaming engines – warn cybersecurity analysts from Check Point Research. More than 17 thousand devices have already been infected. The hacking activity may lead to serious data leaks and further ransomware attacks.
Latest research by Check Point Research has revealed a new, worrisome trend, with hackers exploiting game engines – particularly their scripts. The popular open source engine Godot Engine was attacked by cybercriminals who used “GodLoader” scripts to carry out data theft and launch ransomware. These operations have already infected more than 17,000 devices, questioning the safety of 1.2 million users of games based on Godot.
How do cybercriminals use Godot Engine?
The Godot Engine is an open-source game creation platform, valued for its flexibility and rich set of tools. It supports various export formats, allowing creators to reach platforms such as Windows, macOS, Linux, Android, iOS or HTML5. Thanks to its user-friendly interface and GDScript language, similar to Python, Godot attracts both beginner and advanced developers. Unfortunately, this popularity has become a target for cybercriminals.
The attack involves exploiting the functionality of Godot scripts. The malicious software, named GodLoader, remains undetectable by most traditional antivirus solutions. The built-in .pck file loading function allows the malicious code to be executed using a GDScript script. This gives attackers broad possibilities, from downloading additional malicious software to remotely executing commands.
Since June 2024, the GodLoader technique has managed to bypass detection mechanisms, infecting over 17,000 machines within three months. Additionally, due to its multi-platform capabilities, this threat also affects Android systems and other environments.
The malicious code is distributed via the Stargazers Ghost Network – an advanced ‘Distribution as a Service’ (DaaS) infrastructure. Criminals use seemingly legitimate repositories on GitHub, creating an illusion of credibility. From September to October 2024, as many as 200 repositories containing GodLoader appeared on this platform, resulting in a rapid increase in infections – reported the Check Point experts behind the discovery.
Consequences for developers and gamers
For game developers using open platforms like Godot, the risk of accidentally deploying malicious code is a real threat. On the other hand, players may unwittingly install games containing infected elements. The distribution strategy based on building trust in open-source software further increases the effectiveness of such attacks.
“The flexibility of the Godot engine makes it a target for cybercriminals, enabling rapid dissemination of malicious software, such as GodLoader, by exploiting trust in open platforms. For 1.2 million users of games created in Godot, the consequences could be serious, not only for their devices, but also for the integrity of the entire gaming ecosystem. This is a wakeup call for the industry to prioritize proactive, multi-platform cybersecurity measures to stay ahead of this troubling trend,” believes Eli Smadja, manager of research group for security at Check Point Software Technologies.
How to protect yourself?
The experts agree. Regular gamers and those installing software should avoid clicking on suspicious links, downloading files from unverified sources, and should stay updated on the latest security system updates for their devices.
GodLoader is an example of increasingly sophisticated threats in the world of cybercrime. Awareness of threats and appropriate security tools are key to counteract attacks of this type and to protect both developers and end users.
Source: https://managerplus.pl/ponad-milion-graczy-zagrozonych-popularny-silnik-gier-godot-wykorzystany-przez-cyberprzestepcow-32771
