


Perceptive Security
SOC/SIEM Consultancy

WebRAT malware spread via fake vulnerability exploits on GitHub
Published:
23 December 2025 at 19:31:53
Alert date:
23 December 2025 at 20:02:44
Source:
bleepingcomputer.com
Ransomware & Malware, Web Technologies, Supply Chain & Dependencies
WebRAT malware is being distributed through malicious GitHub repositories that masquerade as proof-of-concept exploits for recently disclosed vulnerabilities. The attackers leverage GitHub's trusted reputation and the interest in fresh exploit code to trick security researchers and developers into downloading and executing malicious code. This distribution method is a supply chain attack aimed at the cybersecurity community: it exploits the common practice of researchers seeking PoC code for newly disclosed vulnerabilities, and so reaches a technical audience that might otherwise be cautious about suspicious downloads.
Technical details
WebRAT is a backdoor with info-stealing capabilities: it can steal credentials for Steam, Discord, and Telegram accounts as well as cryptocurrency wallet data, spy on victims through their webcams, and capture screenshots. The malware establishes persistence through Windows Registry modifications and Task Scheduler entries, and by dropping copies of itself into random system directories. The fake exploits are delivered as password-protected ZIP files containing an empty file whose filename is the archive password, a corrupted decoy DLL, a batch file that drives the execution chain, and the main dropper, named rasmanesc.exe. The dropper elevates privileges, disables Windows Defender, and then downloads and executes WebRAT from a hardcoded URL.
Mitigation steps:
Treat exploit or proof-of-concept code from untrusted sources with caution, and run it only in controlled, isolated environments. Do not download and execute proof-of-concept exploits from GitHub repositories without proper verification. All malicious GitHub repositories tied to the WebRAT campaign have been removed, but the threat actors can publish new lures under different publisher names.
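As an added example (not code from the report or from any vendor it cites), the Python routine below triages a ZIP archive's listing for the lure layout described above without extracting anything; the archive it builds is constructed to mimic that layout, the decoy filenames and the three-hit threshold are my assumptions, and rasmanesc.exe is the dropper name from the report.

```python
import io
import zipfile

KNOWN_DROPPER = "rasmanesc.exe"  # dropper filename reported in the campaign

def _ext(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def archive_listing(data: bytes) -> list[tuple[str, int, bool]]:
    """(name, uncompressed size, encrypted?) per file entry, without extracting."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [(i.filename, i.file_size, bool(i.flag_bits & 0x1))
                for i in zf.infolist() if not i.is_dir()]

def triage(listing: list[tuple[str, int, bool]]) -> dict:
    """Collect indicators of the lure layout; 3 or more hits is flagged (assumed threshold)."""
    kinds = {_ext(name) for name, _, _ in listing}
    hits = []
    if any(enc for _, _, enc in listing):
        hits.append("password-protected entries")
    if any(size == 0 and _ext(name) == "" for name, size, _ in listing):
        hits.append("zero-byte file without extension (password-as-filename)")
    if "bat" in kinds and "exe" in kinds:
        hits.append("batch file plus executable (execution chain)")
    if "dll" in kinds:
        hits.append("DLL alongside the chain (possible corrupted decoy)")
    if KNOWN_DROPPER in {name.lower() for name, _, _ in listing}:
        hits.append("known dropper name " + KNOWN_DROPPER)
    return {"hits": hits, "suspicious": len(hits) >= 3}

def build_sample_lure() -> bytes:
    """Constructed archive mimicking the reported layout; all contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Exploit2025", b"")              # empty file, name doubles as password
        zf.writestr("decoy.dll", b"\x00" * 16)       # truncated, non-loadable decoy
        zf.writestr("run.bat", b"@echo off\r\n")     # stand-in for the batch stage
        zf.writestr(KNOWN_DROPPER, b"placeholder")   # stand-in for the dropper
    data = bytearray(buf.getvalue())
    # Set bit 0 of the general-purpose flag word in each central-directory entry
    # (8 bytes past the PK\x01\x02 signature) so zipfile reports the entries as
    # password-protected; stdlib zipfile cannot write encrypted entries itself.
    pos = data.find(b"PK\x01\x02")
    while pos != -1:
        data[pos + 8] |= 0x01
        pos = data.find(b"PK\x01\x02", pos + 4)
    return bytes(data)
```

Running `triage(archive_listing(build_sample_lure()))` reports all five indicators, while a listing of ordinary source files such as `exploit.py` and `README.md` produces no hits.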
Affected products:
Windows MSHTML/Internet Explorer
OwnID Passwordless Login plugin for WordPress
Windows Remote Access Connection Manager (RasMan) service
Steam
Discord
Telegram
Cryptocurrency wallets
Roblox
Counter Strike
Rust
Related links:
https://rt-solar.ru/events/news/5561/
https://www.bleepingcomputer.com/news/microsoft/microsoft-october-2025-patch-tuesday-fixes-6-zero-days-172-flaws/
https://nvd.nist.gov/vuln/detail/CVE-2025-10294
https://www.bleepingcomputer.com/news/microsoft/new-windows-rasman-zero-day-flaw-gets-free-unofficial-patches/
https://securelist.com/webrat-distributed-via-github/118555/
https://www.bleepingcomputer.com/news/security/fake-zero-day-poc-exploits-on-github-push-windows-linux-malware/
https://www.bleepingcomputer.com/news/security/fake-windows-exploits-target-infosec-community-with-cobalt-strike/
https://www.bleepingcomputer.com/news/security/thousands-of-github-repositories-deliver-fake-poc-exploits-with-malware/
https://www.bleepingcomputer.com/news/security/fake-winrar-proof-of-concept-exploit-drops-venomrat-malware/
https://www.bleepingcomputer.com/news/security/fake-ldapnightmware-exploit-on-github-spreads-infostealer-malware/
Related CVEs:
Related threat actors:
IOCs:
rasmanesc.exe
This article was created with the assistance of AI technology by Perceptive.
