Executive Summary

A sophisticated malware campaign leveraging the WebRAT remote access trojan has been identified propagating through fake vulnerability exploits hosted on GitHub. Threat actors are capitalizing on the cybersecurity community’s demand for proof-of-concept (PoC) code by creating repositories that purport to offer exploits for high-profile vulnerabilities, including both real and fabricated CVE identifiers. Unsuspecting users, particularly junior security researchers and students, are lured into downloading and executing malicious payloads under the guise of legitimate security research. The infection chain is engineered to bypass basic security controls, establish persistent remote access, and exfiltrate sensitive data, including credentials and cryptocurrency wallets. This advisory provides a comprehensive technical analysis of the campaign, its tactics, techniques, and procedures (TTPs), observed victimology, and actionable mitigation strategies.

Threat Actor Profile

The operators behind the WebRAT campaign remain unattributed to any known advanced persistent threat (APT) group, but their tactics indicate a financially motivated, opportunistic actor with a high degree of technical sophistication. The campaign demonstrates a nuanced understanding of the cybersecurity research ecosystem, exploiting the trust placed in open-source platforms like GitHub. The threat actors employ AI-generated repository descriptions and detailed usage instructions to enhance credibility. Their infrastructure includes multiple disposable GitHub accounts and command-and-control (C2) servers registered with Russian and Eastern European hosting providers. The campaign’s primary objective is credential theft, remote access, and monetization through the exfiltration of digital assets.

Technical Analysis of Malware/TTPs

The infection vector begins with the discovery of a GitHub repository advertising a PoC exploit for a trending or critical vulnerability, such as CVE-2025-10294, CVE-2025-59295, or CVE-2025-59230. The repository typically contains a ZIP archive, often password-protected, with the password obfuscated in a file name (e.g., pass-8511). The archive includes several files: a decoy DLL (payload.dll), a batch script (start_exp.bat), and the primary malicious executable (rasmanesc.exe).

Upon execution of the batch script, the following sequence is observed:

The script launches rasmanesc.exe, which attempts to escalate privileges using access token manipulation (MITRE ATT&CK T1134.002). The malware disables Windows Defender and other local security controls (T1562.001) to evade detection. It then establishes persistence and downloads the latest version of WebRAT from a hardcoded C2 server (T1608.001). The WebRAT payload is a modular backdoor with capabilities including keylogging (T1056.001), screen capture (T1113), audio and video surveillance (T1123, T1125), and credential harvesting from browsers, cryptocurrency wallets, and popular communication platforms such as Telegram, Discord, and Steam.

The malware communicates with its C2 infrastructure over HTTP, using domains such as ezc5510min.temp.swtest.ru and shopsleta.ru. Exfiltrated data is encrypted and transmitted in discrete intervals to avoid detection by network monitoring tools. The campaign employs multiple layers of obfuscation, including the use of packers and anti-analysis techniques, to hinder reverse engineering and automated detection.

Exploitation in the Wild

The campaign has been active since at least September 2025, with dozens of malicious repositories identified and reported on GitHub. The repositories are rapidly created and abandoned, often reappearing under new account names. The threat actors monitor cybersecurity news and social media to identify vulnerabilities that are likely to attract attention, including both legitimate and fabricated CVEs. The use of AI-generated content and detailed technical write-ups increases the likelihood of downloads by security professionals seeking to validate or test new exploits.

Victims are typically infected after downloading and executing the provided PoC code in non-isolated environments. The malware does not discriminate based on the underlying operating system or application version; its primary goal is to compromise the host and establish remote access. Several C2 servers remain active as of December 2025, indicating ongoing operations and a persistent threat to the cybersecurity community.

Victimology and Targeting

Analysis of telemetry and open-source reporting indicates that the primary victims are students, junior penetration testers, and infosec enthusiasts who frequently search for and test PoC exploits. The campaign disproportionately affects individuals in academic settings, cybersecurity training programs, and organizations with active vulnerability research teams. There is no evidence of targeted attacks against specific enterprises or government entities; rather, the campaign relies on broad dissemination and opportunistic infection. The use of popular platforms like GitHub and the exploitation of trending vulnerabilities ensure a steady stream of potential victims.

Mitigation and Countermeasures

Organizations and individuals are strongly advised to refrain from executing PoC code or exploits obtained from untrusted or unknown sources, especially those distributed via public repositories like GitHub. All suspicious files should be analyzed in isolated virtual machines or sandbox environments with no access to sensitive data, network shares, or hardware peripherals such as webcams and microphones. Security teams should monitor for the presence of known indicators of compromise, including the malicious file hashes (28a741e9fcd57bd607255d3a4690c82f, a13c3d863e8e2bd7596bac5d41581f6a, 61b1fc6ab327e6d3ff5fd3e82b430315), C2 domains (ezc5510min.temp.swtest.ru, shopsleta.ru), and detection names such as HEUR:Trojan.Python.Agent.gen and HEUR:Trojan-PSW.Win64.Agent.gen.

Endpoint protection solutions should be updated to recognize the latest WebRAT signatures and behavioral patterns. Network security controls should be configured to block outbound connections to known C2 infrastructure. Security awareness training should emphasize the risks associated with downloading and executing code from unverified sources, particularly in the context of vulnerability research. Incident response teams should be prepared to isolate and remediate infected systems, including the revocation of compromised credentials and the restoration of affected endpoints from trusted backups.

References

Securelist: From cheats to exploits: WebRAT spreading via GitHub https://securelist.com/webrat-distributed-via-github/118555/

BleepingComputer: WebRAT malware spread via fake vulnerability exploits on GitHub https://www.bleepingcomputer.com/news/security/webrat-malware-spread-via-fake-vulnerability-exploits-on-github/

HelpNetSecurity: Budding infosec pros and aspiring cyber crooks targeted with fake PoC exploits https://www.helpnetsecurity.com/2025/12/23/fake-poc-exploits-webrat-malware/

CSO Online: WebRAT turns GitHub PoCs into a malware trap https://www.csoonline.com/article/4111531/webrat-turns-github-pocs-into-a-malware-trap.html

MITRE ATT&CK Techniques https://attack.mitre.org/

NVD: CVE-2025-10294 https://nvd.nist.gov/vuln/detail/CVE-2025-10294

NVD: CVE-2025-59295 https://nvd.nist.gov/vuln/detail/CVE-2025-59295

NVD: CVE-2025-59230 https://nvd.nist.gov/vuln/detail/CVE-2025-59230

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their extended supply chain. Our advanced threat intelligence and automation capabilities empower security teams to proactively identify emerging threats and respond with confidence. For more information about our solutions or to discuss this advisory, we are happy to answer questions at ops@rescana.com.