Cybercriminals are using fake GitHub repositories to distribute WebRAT, a backdoor and information stealer, by posing as security researchers sharing proof-of-concept exploits for major vulnerabilities.
From Gaming Cheats to Fake Exploits
WebRAT first appeared early this year, originally targeting users through pirated software and video game cheats for titles like Roblox and Counter-Strike. However, since September, the malware's operators have shifted their strategy to target developers and security professionals.
They create professional-looking repositories that claim to provide exploits for critical bugs, including:
- CVE-2025-59295: A buffer overflow in Windows MSHTML.
- CVE-2025-10294: An authentication bypass in a WordPress login plugin.
- CVE-2025-59230: A privilege escalation flaw in the Windows Remote Access Connection Manager.
Deceptive Tactics and AI Content
Kaspersky researchers discovered 15 such repositories in which the descriptions and mitigation advice appeared to be AI-generated to enhance credibility. The "exploit" is typically delivered as a password-protected ZIP file. Once the victim runs the included dropper, it elevates its own privileges, disables Windows Defender, and installs the WebRAT payload.
The malware maintains a wide range of invasive capabilities, including:
- Stealing credentials for Steam, Discord, and Telegram.
- Harvesting cryptocurrency wallet data.
- Capturing screenshots and spying through webcams.
- Establishing persistence through Windows Registry modifications and Task Scheduler.
Staying Safe
While the specific repositories identified in this campaign have been removed, researchers warn that this tactic is common and likely to recur under new names. Security enthusiasts and developers are urged to verify sources carefully and always test untrusted code or exploits within isolated, controlled environments to prevent system compromise.