
Trojan Horse Malware Targets Financial Institutions through Skype Attacks
New GodRAT Malware Targets Middle East Businesses Through Deceptive Financial Documents
Cybersecurity researchers have uncovered a sophisticated new remote access trojan called GodRAT that has been targeting small and medium-sized enterprises across the Middle East and Asia through disguised financial documents distributed via Skype. The malware, discovered by Kaspersky's Global Research and Analysis Team, represents an evolution of existing attack tools and highlights the persistent threat facing businesses in emerging markets with potentially weaker cybersecurity defenses.
How the Attack Campaign Unfolded
The GodRAT campaign demonstrates a methodical approach to corporate espionage. Attackers distributed the malware through Skype until March 2025, then shifted to alternative communication channels, a tactical pivot that suggests the operation was actively monitored and adjusted by its operators.
The malware disguises itself as screensaver files containing what appear to be legitimate financial documents, exploiting the trust businesses place in financial communications. This social engineering technique has proven particularly effective against smaller companies that may lack dedicated IT security teams to scrutinize suspicious attachments.
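The screensaver disguise described above can be caught at the mail or chat gateway with a simple triage check. The following is an added example, not code from Kaspersky or from the original article; the extension lists, reason labels and sample file names are constructed assumptions.

```python
# Assumed lists: file types Windows runs directly, and types a recipient
# expects for a financial document. Adjust to local policy.
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".csv"}


def triage_attachment(filename: str, head: bytes) -> list[str]:
    """Return the reasons an attachment looks like a program posing as a document.

    filename: name as received; head: first bytes of the file content.
    """
    # Keep only the base name and drop trailing dots/spaces before parsing.
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].rstrip(". ")
    suffixes = ["." + part.strip() for part in base.lower().split(".")[1:]]
    final = suffixes[-1] if suffixes else ""
    is_pe = head[:2] == b"MZ"  # DOS/PE header magic of Windows executables

    reasons = []
    if final == ".scr":
        # Screensavers are ordinary executables; business mail rarely needs them.
        reasons.append("screensaver-extension")
    if final in EXECUTABLE_EXTS and any(s in DOCUMENT_EXTS for s in suffixes[:-1]):
        # A document-style extension sits in front of the real, executable one.
        reasons.append("double-extension")
    if is_pe and final not in EXECUTABLE_EXTS:
        # Content is a Windows program even though the name says otherwise.
        reasons.append("pe-content-with-non-executable-name")
    return reasons


if __name__ == "__main__":
    # Constructed samples: (file name, first bytes of content).
    samples = [
        ("Q1_statement.xlsx.scr", b"MZ\x90\x00"),
        ("payment details.pdf .scr", b"MZ\x90\x00"),
        ("invoice.pdf", b"MZ\x90\x00"),
        ("budget.xlsx", b"PK\x03\x04"),
    ]
    for name, head in samples:
        verdict = triage_attachment(name, head) or ["clean"]
        print(f"{name!r}: {', '.join(verdict)}")
```

An empty result means none of these three heuristics fired; it is not a verdict that the file is safe.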
Geographic Targeting Reveals Strategic Focus
The campaign's geographic scope—spanning the UAE, Hong Kong, Jordan, and Lebanon—points to a deliberate focus on Middle Eastern financial hubs and regional business centers. This targeting pattern suggests the attackers may be seeking access to regional trade networks, financial information, or business intelligence rather than conducting random attacks.
Technical Evolution of an Old Threat
According to Kaspersky security researcher Sourabh Sharma, GodRAT appears to be an advanced iteration of AwesomePuppet malware, first identified in 2023 and potentially linked to the notorious Winnti APT group. The malware shares DNA with Gh0st RAT, a remote access tool that has been circulating in various forms for nearly two decades.
This lineage reveals a troubling trend in cybercrime: rather than developing entirely new malware, threat actors continue to refine and repurpose existing code bases. The persistence of Gh0st RAT variants demonstrates how effective malware frameworks can remain viable for years, constantly adapted to evade detection and target new victim categories.
Implications for Regional Cybersecurity
SME Vulnerability Gap
The focus on small and medium-sized enterprises highlights a critical vulnerability in regional cybersecurity ecosystems. While large corporations and government entities typically invest heavily in advanced threat detection, SMEs often operate with limited security budgets and expertise, making them attractive targets for sustained espionage campaigns.
Regional Business Intelligence Threat
The targeting of Middle Eastern business centers coincides with the region's growing importance in global trade and finance. As countries like the UAE position themselves as international business hubs, the commercial intelligence flowing through regional SMEs becomes increasingly valuable to state-sponsored and criminal actors alike.
This campaign mirrors similar targeting patterns observed in Southeast Asia, where APT groups have systematically compromised smaller businesses to gain insights into larger economic networks and supply chains.
Defense and Detection Challenges
The GodRAT discovery underscores the ongoing challenge of defending against evolutionary malware. The fact that the malware was identified through source code analysis after being uploaded to a scanning tool in July 2024 suggests it may have operated undetected for an extended period.
For businesses in the targeted regions, this incident serves as a reminder that cybersecurity threats are not limited to large enterprises. The professional execution of this campaign—from its social engineering tactics to its geographic targeting—demonstrates that even smaller businesses can find themselves in the crosshairs of sophisticated threat actors with strategic objectives.
The persistence of decades-old malware families like Gh0st RAT also highlights the importance of comprehensive threat intelligence that can identify evolutionary patterns across malware generations, rather than treating each variant as an isolated threat.