WebRAT malware is actively being distributed through malicious GitHub repositories that masquerade as proof-of-concept (PoC) exploits for recently disclosed vulnerabilities. This campaign highlights a growing trend in which threat actors weaponize public vulnerability disclosures and developer trust in open-source platforms to deliver sophisticated backdoors.
Initially observed spreading via pirated software and game cheats for popular titles such as Roblox, Counter-Strike, and Rust, WebRAT is a fully featured remote access trojan with extensive information-stealing capabilities. The malware first emerged earlier this year and has since evolved its distribution strategy to target security researchers, developers, and technically inclined users searching for exploit code.
According to analysis published by Solar 4RAYS in May, WebRAT is capable of harvesting credentials from Steam, Discord, and Telegram accounts, exfiltrating cryptocurrency wallet data, capturing screenshots, and covertly activating webcams for surveillance. These capabilities make WebRAT particularly valuable for both financial fraud and long-term espionage.
Since at least September, the operators behind WebRAT have shifted to distributing the malware via carefully crafted GitHub repositories that claim to host exploits for high-profile vulnerabilities that have received media attention. The lures reference legitimate CVEs to increase credibility, including:
CVE-2025-59295, a heap-based buffer overflow in the Windows MSHTML (Internet Explorer) component that allows arbitrary code execution through specially crafted network data.
CVE-2025-10294, a critical authentication bypass in the OwnID Passwordless Login plugin for WordPress, where improper validation of a shared secret allows unauthenticated attackers to log in as arbitrary users, including administrators.
CVE-2025-59230, an elevation-of-privilege vulnerability in the Windows Remote Access Connection Manager (RasMan) service, which enables a locally authenticated attacker to escalate privileges to SYSTEM due to flawed access control.
Researchers at Kaspersky identified at least 15 GitHub repositories distributing WebRAT under the guise of exploit code. Each repository contained structured descriptions of the vulnerability, explanations of the alleged exploit behavior, and references to mitigations. Based on linguistic patterns and formatting consistency, Kaspersky assesses that much of this content was likely generated using an artificial intelligence model, further underscoring how generative AI is being abused to scale social engineering efforts.
From a technical perspective, WebRAT employs multiple persistence mechanisms to maintain long-term access to compromised systems. These include modifying Windows Registry run keys, creating scheduled tasks, and copying itself into randomly selected system directories to evade detection and manual removal.
The fake exploits are typically delivered as password-protected ZIP archives designed to bypass basic security scanning. The archive contents include an empty file whose filename reveals the password, a corrupted decoy DLL to appear legitimate, a batch script used in the execution chain, and a malicious dropper executable named rasmanesc.exe. Once executed, the dropper attempts privilege escalation, disables Windows Defender, and downloads the WebRAT payload from a hardcoded remote URL before executing it on the system.
Kaspersky notes that the WebRAT variant deployed in this campaign is functionally consistent with previously documented samples, offering the same command-and-control features and data theft capabilities observed in earlier operations. This suggests a focus on improving delivery and social engineering rather than introducing new malware functionality.
Abusing fake exploit repositories on GitHub is a well-established tactic and has been documented extensively in prior threat campaigns. More recently, similar techniques were used to promote a counterfeit “LDAPNightmare” exploit to distribute infostealing malware. While all identified WebRAT-related repositories have been removed, attackers can easily reappear under new publisher names.
For developers, penetration testers, and security researchers, this campaign reinforces a critical best practice: never execute exploit code from untrusted or unverified sources on production systems. Any testing of PoCs or third-party code should be conducted exclusively in isolated, controlled environments such as sandboxes or dedicated virtual machines, with full monitoring and no access to sensitive credentials or networks.