Security professionals hunting PoCs and exploit code on GitHub might soon walk into a trap, as attackers redirect a known RAT toward them.
Researchers have uncovered a stealthy campaign in which the Webrat Trojan, known for months to hide inside game cheats and cracked software, is now posing as proof-of-concept exploit repositories on GitHub to trick unsuspecting security researchers.
The clever decoy and the unexpected target set the campaign apart from typical malware distribution attacks.
Kaspersky’s security analysts spotted this evolution: attackers uploaded seemingly legitimate vulnerability exploit code, complete with structured documentation, only to lure targets into downloading a backdoor.
From game cheats to GitHub exploits
Webrat isn’t new. It has a history of hiding in plain sight under familiar lures like game cheat packages (including Rust, Counter-Strike, and Roblox) and cracked software installers. But in the latest campaign, dating back to at least as far as September 2025, attackers started to change their approach by hosting repositories on GitHub that appear to offer exploit code for high-profile vulnerabilities with high CVSSv3 scores.
The vulnerabilities they pushed exploits for included a critical heap-based buffer overflow in Internet Explorer (CVE-2025-59295, CVSS 8.8), a maximum-severity authentication bypass in a WordPress plugin (CVE-2025-10294, CVSS 9.8), and an improper access control flaw in Windows Remote Access Connection Manager (CVE-2025-59230, CVSS 7.8).
Besides the exploit code itself, the repositories included detailed sections with an overview of the vulnerability, system impact, install guides, usage steps, and even mitigation advice. The format’s close resemblance to a professional PoC write-up suggests the descriptions are machine-generated so as not to raise suspicion among seasoned professionals, Kaspersky researchers noted in a blog post.
The malicious payload and behavior
Beneath the polished README sits a password-protected ZIP linked from the repository. The archive password is hidden in the file names, something an unsuspecting eye easily misses. Inside, the key components are a decoy DLL, a batch file that launches the malware, and the primary executable (such as rasmanesc.exe), which can escalate privileges, disable Windows Defender, and retrieve the real Webrat payload from hardcoded command-and-control (C2) servers.
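The lure layout just described (a password-protected ZIP with the password carried in a file name, a decoy DLL, a batch launcher and a native executable, all beneath a well-structured README) can be screened for before anything in a cloned “PoC” repository is run. The script below is an added example written for this article; it is not Kaspersky’s tooling and not code from any of the repositories described. The extension lists, the scoring weights, the `triage_repo`/`build_sample_repo`/`demo` function names and the sample checkouts it builds in a temporary directory are all constructed for illustration; the only file name taken from the article is rasmanesc.exe. The encryption check reads bit 0 of each ZIP member’s general-purpose flag, which is how a password-protected archive advertises itself.

```python
"""
Pre-execution triage for a cloned "PoC exploit" checkout.

Added example for this article, not Kaspersky's tooling or code from the
repositories it describes. It flags the lure layout the article reports:
a password-protected ZIP whose password sits in a file name, a decoy DLL,
a batch launcher and a native executable. Sample trees are constructed.
"""
import re
import tempfile
import zipfile
from pathlib import Path

# A text-only exploit write-up has little reason to ship these (assumed list).
LAUNCHER_EXTS = {".exe", ".dll", ".bat", ".cmd", ".scr", ".ps1", ".vbs"}
# File names carrying a "password" token: the hiding place the article describes.
PASSWORD_TOKEN = re.compile(r"pass(word|wd)?|pwd", re.IGNORECASE)


def zip_has_encrypted_members(path: Path) -> bool:
    """Bit 0 of a member's general-purpose flag marks it as encrypted."""
    try:
        with zipfile.ZipFile(path) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def triage_repo(root: Path) -> dict:
    """Walk the checkout and return the red flags found plus a verdict."""
    findings = {"encrypted_zips": [], "launchers": [], "password_in_name": []}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if p.suffix.lower() in LAUNCHER_EXTS:
            findings["launchers"].append(rel)
        if p.suffix.lower() == ".zip" and zip_has_encrypted_members(p):
            findings["encrypted_zips"].append(rel)
        if PASSWORD_TOKEN.search(p.stem):
            findings["password_in_name"].append(rel)
    # Constructed weights: one launcher alone only asks for review, while the
    # combination the article describes lands firmly in "sandbox only".
    score = (3 * len(findings["encrypted_zips"])
             + 2 * len(findings["launchers"])
             + 2 * len(findings["password_in_name"]))
    findings["score"] = score
    findings["verdict"] = ("sandbox-only" if score >= 4
                           else "review" if score > 0 else "clean")
    return findings


def _write_zip(path: Path, mark_encrypted: bool) -> None:
    """Write a one-member stored ZIP; optionally flip the 'encrypted' flag bit
    in both headers so the sample mimics a password-protected archive."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("payload.txt", b"constructed sample, not malware")
    if mark_encrypted:
        raw = bytearray(path.read_bytes())
        raw[raw.find(b"PK\x03\x04") + 6] |= 0x01   # local file header flags
        raw[raw.find(b"PK\x01\x02") + 8] |= 0x01   # central directory flags
        path.write_bytes(bytes(raw))


def build_sample_repo(root: Path, lure: bool) -> Path:
    """Constructed checkout: a harmless write-up, optionally with lure files."""
    root.mkdir(parents=True, exist_ok=True)
    (root / "README.md").write_text("# PoC\n## Overview\n## Usage\n## Mitigation\n")
    (root / "poc.py").write_text("print('harmless placeholder')\n")
    if lure:
        rel = root / "release"
        rel.mkdir()
        _write_zip(rel / "poc_pass_Sup3rS3cret.zip", mark_encrypted=True)
        (rel / "run.bat").write_text("@echo off\nrem constructed launcher stub\n")
        (rel / "helper.dll").write_bytes(b"MZ")        # decoy DLL stand-in
        (rel / "rasmanesc.exe").write_bytes(b"MZ")     # name from the article
    return root


def demo() -> dict:
    """Triage a clean checkout and a lure-style checkout; return both results."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = triage_repo(build_sample_repo(Path(tmp) / "clean", lure=False))
        lure = triage_repo(build_sample_repo(Path(tmp) / "lure", lure=True))
    return {"clean": clean, "lure": lure}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result['verdict']} (score {result['score']})")
        for kind in ("encrypted_zips", "launchers", "password_in_name"):
            for f in result[kind]:
                print(f"  {kind}: {f}")
```

Run it as a script to see the two verdicts, or call `triage_repo(Path("path/to/checkout"))` on a real clone. The check is deliberately crude: a legitimate PoC can ship a compiled helper, and `pass` also matches words like “bypass”, so a non-zero score means “read before you run”, not “malicious”. What it does catch reliably is the specific combination the article describes, which has no place in a repository that claims to be a write-up plus source.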
Once executed, Webrat installs a backdoor on the host system. The backdoor can exfiltrate credentials, access cryptocurrency wallets, spy through webcams and microphones, log keystrokes, and steal data from messaging apps like Telegram, Discord, and gaming platforms such as Steam.
The capabilities amount to a full-blown surveillance and theft platform under the attacker’s control.
Significance of the shift
Researchers found the shift from tricking casual users with game cheats to targeting tech professionals with exploit code both notable and concerning. “They are targeting researchers who frequently rely on open sources to find and analyze code related to new vulnerabilities,” they said.
However, experienced security researchers typically analyze such exploits within isolated environments like virtual machines or sandboxes, which minimizes the risk. That is perhaps why the campaign is seen as deliberately tuned to target novices, including students, junior analysts, and those eager to explore PoCs without safe handling practices.
“Cybersecurity professionals, especially inexperienced researchers and students, must remain vigilant when handling exploits and any potentially malicious files,” the researchers advised. “To prevent potential damage to work and personal devices containing sensitive information, we recommend analyzing these exploits and files within isolated environments like virtual machines or sandboxes.” The disclosure noted that Webrat itself hasn’t undergone any significant technical changes. Instead, attackers have reframed the risk by turning open-source curiosity into an attack surface.