Gh0st RAT-based GodRAT attacks financial organizations
Essential information
- Published: 19/08/2025 16:07
- Modified: 19/08/2025 21:20
- Tags: 2025-08-19, asyncrat, awesomepuppet, chrome password stealer, financial sector, gh0st rat, godrat, ms edge password stealer, password-stealer, skype, steganography
- Related entities: 1 intrusion sets (apt), 19 techniques (mitre), 4 malware, 6 others
Description
A newly identified Remote Access Trojan named GodRAT, based on the Gh0st RAT codebase, has been targeting financial firms since September 2024. The attackers distribute malicious .scr files via Skype, using steganography to embed shellcode in images. GodRAT supports plugins and is used alongside browser password stealers and AsyncRAT. The campaign, likely an evolution of the AwesomePuppet RAT connected to Winnti APT, remains active as of August 2025. Targets include organizations in Hong Kong, United Arab Emirates, Lebanon, Malaysia, and Jordan. The attackers employ various techniques to evade detection and maintain persistent access to compromised systems.