Current Cyber Threats

WebRAT Malware Spread via Fake Vulnerability Exploits on GitHub

Summary:
WebRAT is a backdoor with information-stealing capabilities that is commonly distributed through pirated software and cheats for games like Roblox, Counter-Strike, and Rust. A new campaign identified by Kaspersky highlights a shift in distribution tactics, where the malware is now being spread via GitHub repositories hosting fake proof-of-concept exploits for recently disclosed vulnerabilities. Since at least September, operators have published repositories claiming to exploit high-profile vulnerabilities such as CVE-2025-59295 (Windows MSHTM remote code execution), CVE-2025-10294 (WordPress OwnID authentication bypass), and CVE-2025-59230 (Windows RasMan privilege escalation).

The exploits are distributed as password-protected ZIP archives containing decoy files and a malicious dropper (rasmanesc[.]exe), which is capable of elevating privileges, disabling Windows Defender, and downloading/executing WebRAT from a hardcoded URL. According to Kaspersky, the WebRAT variant used in the latest campaign is no different from previously documented samples. For its part, WebRAT is designed to steal credentials for Steam, Discord, and Telegram accounts, as well as cryptocurrency wallet data. The malware can also spy on victims via the webcam and capture screenshots. To ensure persistent access on compromised systems, WebRAT modifies the Windows registry, creates scheduled tasks, and embeds itself in system directories.

Security Officer Comments:
The use of fake exploits on GitHub to infect unsuspecting users with malware is not novel and has been extensively employed in the past.

A total of 15 repositories distributing WebRAT were identified. These repositories include detailed vulnerability descriptions, explanations of the supposed PoC exploit, and mitigations. Based on the structure of the information included in the repositories, researchers assess that the content was likely AI-generated. This comes as no surprise, as actors have increasingly leveraged such technology for various operations, whether to generate specially crafted phishing emails or code for malicious payloads.

Suggested Corrections:
While Kaspersky notes that the repositories distributing WebRAT have been taken down, this doesn’t stop adversaries from creating new ones. To safeguard against potential infections, developers and security professionals should be careful when running exploit or proof-of-concept code from GitHub repositories. In general, exploit code should be tested in isolated, sandboxed environments, regardless of where it’s coming from.
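As an added example (not from the advisory or from Kaspersky's report), the following Python script performs a static triage of a downloaded PoC archive by reading only the ZIP central directory, flagging password-protected members and bundled executables before anything is extracted or run. The archive it inspects is constructed in the script itself; the dropper filename is the one named in the advisory, and the member contents are placeholders.

```python
"""Static triage of a downloaded PoC archive before anything is extracted.
Only the ZIP central directory is read: no member is decompressed or run."""
import io
import zipfile

# Member types a vulnerability PoC has no business shipping as a binary.
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".com", ".bat", ".cmd",
                       ".ps1", ".vbs", ".js", ".msi")


def triage_zip(data: bytes) -> dict:
    """Return findings for an in-memory ZIP: encrypted members, executable
    members and an overall verdict. Works on bytes, so nothing touches disk."""
    findings = {"encrypted": [], "executables": [], "members": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            findings["members"].append(info.filename)
            # Bit 0 of the general-purpose flag marks a password-protected member.
            if info.flag_bits & 0x1:
                findings["encrypted"].append(info.filename)
            if info.filename.lower().endswith(EXECUTABLE_SUFFIXES):
                findings["executables"].append(info.filename)
    findings["suspicious"] = bool(findings["encrypted"] or findings["executables"])
    return findings


def constructed_sample() -> bytes:
    """Constructed archive shaped like the campaign's lure: a decoy README and
    script next to a dropper named after the one in the report. The encryption
    bit is then set in every central-directory header so the archive presents
    as password-protected (the placeholder contents are not really encrypted)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.md", "# PoC for CVE-2025-59230\n")
        zf.writestr("poc.py", "print('decoy')\n")
        zf.writestr("rasmanesc.exe", "MZ placeholder, not a real binary")
    data = bytearray(buf.getvalue())
    pos = data.find(b"PK\x01\x02")          # central directory header signature
    while pos != -1:
        data[pos + 8] |= 0x1                # general-purpose flag, bit 0 = encrypted
        pos = data.find(b"PK\x01\x02", pos + 4)
    return bytes(data)


if __name__ == "__main__":
    result = triage_zip(constructed_sample())
    print("encrypted members :", result["encrypted"])
    print("executable members:", result["executables"])
    print("verdict:", "extract only inside a sandbox" if result["suspicious"]
          else "no static red flags")
```

A verdict of "no static red flags" is not a clean bill of health; it only means the archive does not show the two traits this campaign relied on.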

Link(s):
https://www.bleepingcomputer.com/ne...ad-via-fake-vulnerability-exploits-on-github/