- Criminals found using Skype to deliver images that hide malware
- Victims were mostly SMBs in the Middle East
- Malware is new but appears to have distant relatives
Cyber criminals have been found using Skype Messenger to deliver remote access Trojan’s (rat) malware, compromising the victim’s computers and open the doors to devastating stage-two attacks.
CyberSecurity scientists at Kaspersky recently revealed a previous unseen malware -variant called goodrat, which was distributed via malicious daunting saver files, disguised as financial documents.
Unusually, Miscreants supplied malware to their victims via Skype Messenger until March 2025, when they were about other channels.
Goodrat Malware spreads
First, the hackers divided fake financial data into an image file. By using steganography, they would hide the shellcode in the files that, when enabled, download goodrat malware from a third-party server.
RATHEMARY -The details of the operating system, local host name, malware -process name and process -ID, the user account associated with the malware process, installed antivirus software and the presence of a capture driver.
Then Godrat can receive additional plugins, depending on the original information shared with attackers. These plugins can be file explorers or password stealers.
In some cases, Crooks used Godrat to insert asyncrat, a secondary implant that gave them long -lasting, if not permanent, access.
“Goodrat seems to be a development of the Awsome Puppet, which was reported by Kaspersky in 2023 and is probably linked to Winnti Apt. Its distribution methods, rare command line parameters, code similarities to gh0st steering Kasperskey.
“The discovery of goodrat demonstrates how such long known tools can remain relevant in today’s cyber security landscape,”
Kaspersky did not discuss the number of victims or potential success rate for the campaign, but it emphasized that the victims were mostly small and medium -sized businesses (SMB) in UAE, Hong Kong, Jordan and Lebanon.
