Skype used to distribute hidden malware in small business attacks

Security experts discovered that hackers used Skype to deliver the GodRAT trojan hidden in image files, targeting small and medium businesses across multiple regions.


Security researchers at Kaspersky discovered that hackers used Skype to distribute a Remote Access Trojan known as GodRAT. Initially spread via malicious screensaver files disguised as financial documents, the malware employed steganography to conceal shellcode inside image files, which then downloaded GodRAT from a remote server.
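A defender's view of the first stage described above (a screensaver file posing as a financial document), as an added example that is not code from Kaspersky or from this article. The function names and the lure keyword list are assumptions, the sample files are constructed, and the check does not attempt to detect the steganographic image.

```python
import struct

# Extensions Windows runs as programs; .scr (screensaver) is the one this campaign used.
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com"}
# Assumed lure keywords for "financial documents"; tune to your own traffic.
LURE_WORDS = ("invoice", "payment", "statement", "finance", "bank")

def is_pe(data: bytes) -> bool:
    """True if data has a DOS header whose e_lfanew field points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def triage(filename: str, data: bytes) -> list[str]:
    """Return the reasons a received file deserves quarantine (empty list: none found)."""
    name = filename.lower()
    ext = name[name.rfind("."):] if "." in name else ""
    pe = is_pe(data)
    reasons = []
    if ext == ".scr":
        reasons.append("screensaver extension (runs as a program)")
    if pe and ext not in EXECUTABLE_EXTS:
        reasons.append("PE content behind a non-executable extension")
    if (pe or ext in EXECUTABLE_EXTS) and any(w in name for w in LURE_WORDS):
        reasons.append("executable with a financial-document name")
    return reasons

def _fake_pe() -> bytes:
    """Constructed sample: minimal DOS header plus PE signature, not a runnable program."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew -> offset 0x40
    return bytes(header) + b"PE\x00\x00" + bytes(16)

SAMPLES = {  # constructed file names and contents
    "2024_payment_statement.scr": _fake_pe(),
    "quarterly_report.pdf": _fake_pe(),
    "team_photo.jpg": b"\xff\xd8\xff\xe0" + bytes(64),
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        print(fname, "->", triage(fname, blob) or "no findings")
```

Checking the content's header as well as the extension catches an executable that has simply been renamed to look like a document.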

Once activated, GodRAT collected detailed system information, including OS specs, antivirus presence, user account data and more. The trojan could also download additional plugins such as file explorers and password stealers. In some cases, it deployed a second piece of malware, AsyncRAT, granting attackers prolonged access.

GodRAT appears to be an evolution of previous tools, such as AwesomePuppet, and shares artifacts with Gh0st RAT, suggesting a link to the Winnti APT group. While Kaspersky did not disclose the number of victims, the campaign primarily targeted small and medium-sized businesses in the UAE, Hong Kong, Jordan, and Lebanon. Cybercrime using Skype as a vector reportedly ceased around March 2025 as criminals shifted to other distribution channels.
