Webrat Malware Distributed via Fake Exploit PoCs on GitHub
A new malware family named Webrat has been distributed through GitHub repositories, masquerading as proof-of-concept (PoC) exploits for high-profile vulnerabilities. The campaign, uncovered in late 2025, initially targeted gamers and users seeking cheats or cracked software, but later expanded to include inexperienced information security professionals and students. Attackers crafted repositories with detailed, AI-generated descriptions of vulnerabilities, including guides and mitigation steps, to build credibility and lure victims into downloading malicious files.
The malware is delivered as a password-protected archive containing an executable that escalates privileges, disables Windows Defender, and downloads the Webrat payload from a hardcoded URL. Once installed, Webrat can steal credentials from Telegram, Discord, Steam, and cryptocurrency wallets, log keystrokes, record screens, access webcams and microphones, and provide remote access to attackers. The campaign leverages vulnerabilities with high CVSSv3 scores, such as those in Internet Explorer, WordPress plugins, Windows services, and Tenda routers, to attract victims searching for exploit code.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Researchers publicly disclose WebRAT's GitHub lure campaign
On December 23, 2025, public reports detailed that WebRAT was being spread through fake GitHub exploit repositories instead of only through gaming and piracy-themed lures. The disclosure emphasized that the malware's functionality was largely unchanged, but the social-engineering tactic had evolved to target the cybersecurity community.
Malicious GitHub repositories are removed
By the time public reporting appeared, the fake GitHub repositories used in the campaign had been taken down. Researchers warned that the threat remained because attackers could quickly create replacement repositories and continue using the same lure.
At least 15 malicious GitHub repositories identified
Researchers identified 15 GitHub repositories posing as exploit code for recently disclosed vulnerabilities, including examples tied to multiple 2025 CVEs. The repositories were part of the same social-engineering operation distributing WebRAT rather than legitimate proof-of-concept code.
Kaspersky discovers the fake exploit campaign
Kaspersky researchers discovered the GitHub-based WebRAT campaign about a month after it began, indicating detection around October 2025. Their analysis found repositories using AI-generated-looking writeups, password-protected ZIP archives, and loaders that disabled Defender, escalated privileges, and fetched WebRAT from hardcoded infrastructure.
Attackers begin GitHub fake-PoC WebRAT campaign
By at least September 2025, WebRAT operators expanded distribution to GitHub repositories masquerading as proof-of-concept exploits for high-profile CVEs. The campaign targeted inexperienced security researchers, students, and aspiring hackers likely to run untrusted exploit code on their own Windows systems.
WebRAT observed spreading via game cheats and cracked software
WebRAT was seen in the wild by January 2025, distributed through game cheats, pirated software, patches, and similar lures rather than fake exploit repositories. Reports describe it as an established backdoor and infostealer before the later GitHub-focused campaign.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
6 references tracked. Mallory keeps watching after this page renders.
“Webrat” Trap: Hackers Lure Junior Security Researchers with Fake GitHub Exploits
securityonline.info
Open sourceWebRAT Malware via GitHub Repositories Claim as Proof-of-concept Exploits to Attack Users
cybersecuritynews.com
Open sourceWebrat turns GitHub PoCs into a malware trap
csoonline.com
Open sourceWebrat, disguised as exploits, is spreading via GitHub repositories | Securelist
securelist.com
Open sourceBudding infosec pros and aspiring cyber crooks targeted with fake PoC exploits
helpnetsecurity.com
Open sourceWebRAT malware spread via fake vulnerability exploits on GitHub
bleepingcomputer.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
PyStoreRAT Malware Distributed via Fake GitHub OSINT and Utility Repositories
A sophisticated malware campaign has been uncovered in which threat actors use GitHub to distribute a new Remote Access Trojan (RAT) called PyStoreRAT. The attackers reactivated dormant GitHub accounts or created new ones to publish repositories masquerading as legitimate OSINT tools, DeFi bots, and AI chat wrappers. These repositories, often promoted on social media and artificially boosted in popularity, were designed to appeal to IT administrators, cybersecurity professionals, and open-source intelligence researchers. Once the repositories gained trust and visibility, the attackers introduced malicious code through subtle 'maintenance' updates, enabling the silent deployment of PyStoreRAT. PyStoreRAT is a modular, multi-stage malware capable of executing a variety of payloads, including EXE, DLL, PowerShell, MSI, Python, JavaScript, and HTA modules. It profiles victim systems and can deploy additional threats such as the Rhadamanthys information stealer and Python Loader. Many of the fake tools hosted on GitHub were non-functional or provided only minimal placeholder features, serving primarily as a delivery mechanism for the malware. The campaign demonstrates a calculated abuse of GitHub's trust model and highlights the risks of downloading and executing code from seemingly reputable open-source repositories.
Mar 21, 2026
Windows Malware Campaigns Using Social Engineering and Legitimate Platforms to Deliver RATs, Stealers, and Proxyware
Multiple research reports detailed **Windows-focused malware delivery chains** that rely on social engineering and abuse of legitimate services to blend into normal enterprise traffic. FortiGuard Labs described a **multi-stage campaign targeting users in Russia** that starts with business-themed decoy documents and scripts, then escalates to security-control bypass and surveillance before deploying **Amnesia RAT** and ultimately **ransomware** with widespread file encryption. A notable technique in that intrusion is the abuse of **Defendnot** (a Windows Security Center trust-model research tool) to **disable Microsoft Defender**, while payloads are hosted modularly across public cloud services (e.g., **GitHub** for scripts and **Dropbox** for binaries) to improve resilience and complicate takedowns. Separately, ReliaQuest reported attackers using **LinkedIn private messages** to build trust with targets and deliver a **WinRAR SFX** that triggers **DLL sideloading** via a legitimate PDF reader, then establishes persistence (Registry `Run` key) and executes **Base64-encoded shellcode in-memory** to load a RAT-like payload. Trend Micro and Koi Security documented **Evelyn Stealer**, which weaponizes **malicious VS Code extensions** to drop a downloader DLL (e.g., `Lightshot.dll`), run hidden PowerShell to fetch `runtime.exe`, and inject the stealer into `grpconv.exe`, exfiltrating data (credentials, cookies, wallets, screenshots, Wi‑Fi credentials) to `server09.mentality[.]cloud` over FTP. AhnLab ASEC also reported **proxyjacking** activity in South Korea attributed to **Larva‑25012**, distributing **proxyware disguised as a Notepad++ installer** and evolving evasion (e.g., injecting into Windows Explorer and using Python-based loaders) to monetize victims’ bandwidth via unauthorized proxyware installation.
Mar 21, 2026
GitHub Gaming Cheat Projects Used to Deliver AsyncRAT and VileRAT Malware
Security researchers and sandbox telemetry identified malware campaigns abusing GitHub-hosted gaming cheat projects to distribute remote access trojans, including **AsyncRAT** and **VileRAT**. One analyzed sample was delivered from a GitHub raw URL and disguised as an *Escape from Tarkov* cheat-related `.scr` file, using a gaming-themed lure to entice users seeking cheats, DLL injectors, or other unauthorized tools. ANY.RUN classified the sample as malicious and linked it to **AsyncRAT**, a trojan that can provide remote control, keystroke capture, webcam access, and data theft from infected Windows systems. Additional reporting warned that attackers were packaging malware inside purported open-source game cheat repositories and injector utilities on GitHub, broadening the campaign beyond a single title or payload. Technical analysis tied related activity to **VileRAT**, indicating that threat actors are using trusted developer platforms and cheat-seeking communities as an infection channel for commodity and custom RAT malware. Reported indicators for the AsyncRAT sample included `SHA1 3065DA0D35988807C34C98164D35385F846AB1DF` and `SHA256 84C8AD42D82A82951A1968C738FC813A83FC5CD6F1C2F446F2960CF21A373E14`.
Nov 14, 2023