The “Godot Virus” GodLoader

Security research firm Check Point Research just released a terrifying article about GodLoader, a new undetectable malware loader spread using the Godot game engine. While technically true, it is nowhere near as scary as it initially sounds. Perhaps the most interesting takeaway is that existing anti-virus software does not detect this particular attack vector.

The Godot Foundation has issued a statement on the GodLoader discovery that should set most minds at ease:

Security researchers at Check Point Research have published a report about GodLoader, a malware loader using Godot as its runtime to execute malicious code and infect unaware users with known malware. Based on the report, affected users thought they were downloading and executing cracks for paid software, but instead executed the malware loader.

As the report states, the vulnerability is not specific to Godot. The Godot Engine is a programming system with a scripting language. It is akin to, for instance, the Python and Ruby runtimes. It is possible to write malicious programs in any programming language. We do not believe that Godot is particularly more or less suited to do so than other such programs.

Users who merely have a Godot game or editor installed on their system are not specifically at risk. We encourage people to only execute software from trusted sources – whether it’s written using Godot or any other programming system.

For some more technical details:

Godot does not register a file handler for .pck files. This means that a malicious actor always has to ship the Godot runtime (.exe file) together with a .pck file. The user will always have to unpack the runtime together with the .pck to the same location and then execute the runtime. There is no way for a malicious actor to create a “one click exploit”, barring other OS-level vulnerabilities. If such an OS-level vulnerability were used then Godot would not be a particularly attractive option due to the size of the runtime.

This is similar to writing malicious software in Python or Ruby, the malicious actor will have to ship a python.exe or ruby.exe together with their malicious program.
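
The runtime-plus-.pck pairing described in the statement above is something a defender can check for when triaging an unpacked download. The following is an added example, not part of the Godot Foundation statement or the original post; it assumes a pack file begins with the bytes `GDPC` followed by four little-endian 32-bit integers (pack format, engine major, minor, patch) and that the runtime picks up a pack with its own base name, and all function names and sample files are constructed for illustration.

```python
import struct
import tempfile
from pathlib import Path

PCK_MAGIC = b"GDPC"  # assumed Godot pack magic (first four bytes)

def read_pck_header(path):
    """Return (pack_format, major, minor, patch), or None if not a pack."""
    with open(path, "rb") as fh:
        head = fh.read(20)
    if len(head) < 20 or head[:4] != PCK_MAGIC:
        return None
    # Assumed layout: four little-endian uint32 values after the magic.
    return struct.unpack("<4I", head[4:])

def find_runtime_pck_pairs(folder):
    """Report each valid .pck that has a same-named .exe beside it."""
    findings = []
    files = sorted(p for p in Path(folder).rglob("*") if p.is_file())
    for pck in (p for p in files if p.suffix.lower() == ".pck"):
        header = read_pck_header(pck)
        if header is None:
            continue  # .pck extension but wrong magic: ignore
        for exe in files:
            if (exe.parent == pck.parent and exe.stem == pck.stem
                    and exe.suffix.lower() == ".exe"):
                findings.append({"runtime": exe.name, "pack": pck.name,
                                 "pack_format": header[0],
                                 "engine": "%d.%d.%d" % header[1:]})
    return findings

def demo():
    """Run the scan over a constructed folder (all file contents are fake)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        pack = PCK_MAGIC + struct.pack("<4I", 2, 4, 3, 0)
        (root / "setup.exe").write_bytes(b"MZ" + b"\0" * 62)  # stand-in runtime
        (root / "setup.pck").write_bytes(pack)                # paired pack
        (root / "orphan.pck").write_bytes(pack)               # pack, no runtime
        (root / "readme.pck").write_bytes(b"plain text, wrong magic")
        return find_runtime_pck_pairs(root)

if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

A hit is not a verdict: every exported Godot game has this shape. What it tells you is that the executable is a script runtime and the code that will actually run lives in the .pck, so a "crack" or installer that matches deserves the same scrutiny as any bundled interpreter plus script.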

Key Links

Check Point Research Article

Godot Statement

In the end, Godot is no different from any other tool or programming language that can run system-level code: be sure you trust the code you are running before you run it! You can learn more about the Godot engine “virus” GodLoader in the video below. While not a big deal, it is worth realizing, and possibly reminding people, that Godot can be (and is being) used as an attack vector for spreading malware.
