Godzilla Loader: One of the newest kids on the malware downloader block

  • The malware was first discovered in May 2016 and was used to deliver the infamous TrickBot banking trojan.
  • Godzilla Loader targets computers running Windows operating system.

Godzilla Loader is a new generation of malware downloaders that has been steadily growing since it first emerged. The malware was first discovered in May 2016 and was used to deliver the infamous TrickBot banking trojan. Godzilla Loader targets computers running Windows operating system.

Recently, a new version of Godzilla Loader was found on Dark Web forums. The malware comes with a built-in UAC bypass, includes a full plugin ecosystem, a propagation module, a keylogger module, and a password-stealing module. Godzilla Loader’s functionalities are similar to that of the Emotet banking trojan. The malware is delivered via phishing emails.

Since it first emerged, the cybercriminals operating Godzilla Loader have continually been enhancing its capabilities. Here’s a brief look at the origin, capabilities and evolution of the malware.

A sneak peek into the origin of Godzilla Loader

Godzilla Loader is primarily used to target users’ financial information. The malware was first discovered in May 2016, delivering the infamous TrickBot trojan onto infected machines. It carries out its malicious activities on computers running Windows operating system. It takes advantage of security flaws in a computer in order to spread its malicious activities.


The functionalities of Godzilla Loader include:

  • Collecting your confidential data such as bank account detail, browsing history, credit card password and other sensitive information.
  • Modifying the crucial system settings in order to make the computer slow;
  • Generating a bulk of junk data in a hard drive.

Modus Operandi

When the Godzilla Loader is dropped onto a victim’s system, it automatically connects with the Command and Control servers to receive commands and send back the collected financial and other sensitive information. It also uses PC resources, eventually slowing down the performance of a machine.

After infection, the malware starts displaying a number of ads and pop-ups which adversely affects the normal operation of a PC. It corrupts the entire default browser setting on the infected computer and can run on any kind of browsers like Chrome, Mozilla Firefox, Google Chrome and more. The malware could crash the machine if it remains undetected for a long time. There are several other malicious activities of GodzillaLoader, like its ability to install Keyloggers, Trojan, and other viruses.


The latest version of Godzilla was in development since December 2017. It uses RSA-2048 to verify the identity of the Communication & Control server.

“In the event of a DNS-level takeover of the C&C domain, the malicious operation will be down but the domain’s new owner will not be able to issue new commands,” highlight CheckPoint researchers on the latest variant.

The malware author has enhanced the security layer for safe C2 communication. The latest version has got more control flow to fully rely on the Component Object Model (COM) interfaces.

“In the feature list, the author boasts of a double-layered fail-safe for C&C communication. First, if communication with the server is not successful, the malware defaults to its DGA implementation; then, if that’s not successful, either, it checks Twitter for a specific hashtag (which is pseudo-randomly generated depending on the day, similarly to the DGA). The campaign controller can announce new C&C sites by generating the hashtag themselves and tweeting the new C&C domain with this hashtag,” added the researchers.

The adoption rate of Godzilla is still under control given the popularity of malicious downloaders.

“Like mobile phone models and programming languages, we expect the popularity of malicious downloaders to follow a Pareto distribution where a few actors dominate most of the market, and the rest is occupied by an ocean of small niche actors,” researchers said.