{“lastseen”:”2025-12-23T08:05:12″,”description”:”\\n\\nIn early 2025, security researchers uncovered a new malware family named Webrat. Initially, the Trojan targeted regular users by disguising itself as cheats for popular games like Rust, Counter-Strike, and Roblox, or as cracked software. In September, the attackers decided to widen their net: alongside gamers and users of pirated software, they are now targeting inexperienced professionals and students in the information security field.\\n\\n## Distribution and the malicious sample\\n\\nIn October, we uncovered a campaign that had been distributing Webrat via GitHub repositories since at least September. To lure in victims, the attackers leveraged vulnerabilities frequently mentioned in security advisories and industry news. Specifically, they disguised their malware as exploits for the following vulnerabilities with high CVSSv3 scores:\\n\\n**CVE** | **CVSSv3** \\n—|— \\nCVE-2025-59295 | 8.8 \\nCVE-2025-10294 | 9.8 \\nCVE-2025-59230 | 7.8 \\n \\nThis is not the first time threat actors have tried to lure security researchers with exploits. Last year, they similarly took advantage of the high-profile RegreSSHion vulnerability, which lacked a working PoC at the time.\\n\\nIn the Webrat campaign, the attackers bait their traps with both vulnerabilities lacking a working exploit and those which already have one. To build trust, they carefully prepared the repositories, incorporating detailed vulnerability information into the descriptions. The information is presented in the form of structured sections, which include:\\n\\n * Overview with general information about the vulnerability and its potential consequences\\n * Specifications of systems susceptible to the exploit\\n * Guide for downloading and installing the exploit\\n * Guide for using the exploit\\n * Steps to mitigate the risks associated with the vulnerability\\n\\n\\n\\n\\n\\nContents of the repository\\n\\nIn all the repositories we investigated, the descriptions share a similar structure, characteristic of AI-generated vulnerability reports, and offer nearly identical risk mitigation advice, with only minor variations in wording. This strongly suggests that the text was machine-generated.\\n\\nThe Download Exploit ZIP link in the Download \\u0026 Install section leads to a password-protected archive hosted in the same repository. The password is hidden within the name of a file inside the archive.\\n\\n\\n\\nThe archive downloaded from the repository includes four files:\\n\\n 1. pass \u2013 8511: an empty file, whose name contains the password for the archive.\\n 2. payload.dll: a decoy, which is a corrupted PE file. It contains no useful information and performs no actions, serving only to divert attention from the primary malicious file.\\n 3. rasmanesc.exe (note: file names may vary): the primary malicious file (MD5 61b1fc6ab327e6d3ff5fd3e82b430315), which performs the following actions: \\n * Escalate its privileges to the administrator level (T1134.002).\\n * Disable Windows Defender (T1562.001) to avoid detection.\\n * Fetch from a hardcoded URL (ezc5510min.temp[.]swtest[.]ru in our example) a sample of the Webrat family and execute it (T1608.001).\\n 4. start_exp.bat: a file containing a single command: start rasmanesc.exe, which further increases the likelihood of the user executing the primary malicious file.\\n\\n\\n\\n\\n\\nThe execution flow and capabilities of rasmanesc.exe\\n\\nWebrat is a backdoor that allows the attackers to control the infected system. Furthermore, it can steal data from cryptocurrency wallets, Telegram, Discord and Steam accounts, while also performing spyware functions such as screen recording, surveillance via a webcam and microphone, and keylogging. The version of Webrat discovered in this campaign is no different from those documented previously.\\n\\n## Campaign objectives\\n\\nPreviously, Webrat spread alongside game cheats, software cracks, and patches for legitimate applications. In this campaign, however, the Trojan disguises itself as exploits and PoCs. This suggests that the threat actor is attempting to infect information security specialists and other users interested in this topic. It bears mentioning that any competent security professional analyzes exploits and other malware within a controlled, isolated environment, which has no access to sensitive data, physical webcams, or microphones. Furthermore, an experienced researcher would easily recognize Webrat, as it’s well-documented and the current version is no different from previous ones. Therefore, we believe the bait is aimed at students and inexperienced security professionals.\\n\\n## Conclusion\\n\\nThe threat actor behind Webrat is now disguising the backdoor not only as game cheats and cracked software, but also as exploits and PoCs. This indicates they are targeting researchers who frequently rely on open sources to find and analyze code related to new vulnerabilities.\\n\\nHowever, Webrat itself has not changed significantly from past campaigns. These attacks clearly target users who would run the \\”exploit\\” directly on their machines \u2014 bypassing basic safety protocols. This serves as a reminder that cybersecurity professionals, especially inexperienced researchers and students, must remain vigilant when handling exploits and any potentially malicious files. To prevent potential damage to work and personal devices containing sensitive information, we recommend analyzing these exploits and files within isolated environments like virtual machines or sandboxes.\\n\\nWe also recommend exercising general caution when working with code from open sources, always using reliable security solutions, and never adding software to exclusions without a justified reason.\\n\\nKaspersky solutions effectively detect this threat with the following verdicts:\\n\\n * HEUR:Trojan.Python.Agent.gen\\n * HEUR:Trojan-PSW.Win64.Agent.gen\\n * HEUR:Trojan-Banker.Win32.Agent.gen\\n * HEUR:Trojan-PSW.Win32.Coins.gen\\n * HEUR:Trojan-Downloader.Win32.Agent.gen\\n * PDM:Trojan.Win32.Generic\\n\\n\\n\\n## Indicators of compromise\\n\\n**Malicious GitHub repositories** \\nhttps:\/\/github[.]com\/RedFoxNxploits\/CVE-2025-10294-Poc \\nhttps:\/\/github[.]com\/FixingPhantom\/CVE-2025-10294 \\nhttps:\/\/github[.]com\/h4xnz\/CVE-2025-10294-POC \\nhttps:\/\/github[.]com\/usjnx72726w\/CVE-2025-59295\/tree\/main \\nhttps:\/\/github[.]com\/stalker110119\/CVE-2025-59230\/tree\/main \\nhttps:\/\/github[.]com\/moegameka\/CVE-2025-59230 \\nhttps:\/\/github[.]com\/DebugFrag\/CVE-2025-12596-Exploit \\nhttps:\/\/github[.]com\/themaxlpalfaboy\/CVE-2025-54897-LAB \\nhttps:\/\/github[.]com\/DExplo1ted\/CVE-2025-54106-POC \\nhttps:\/\/github[.]com\/h4xnz\/CVE-2025-55234-POC \\nhttps:\/\/github[.]com\/Hazelooks\/CVE-2025-11499-Exploit \\nhttps:\/\/github[.]com\/usjnx72726w\/CVE-2025-11499-LAB \\nhttps:\/\/github[.]com\/modhopmarrow1973\/CVE-2025-11833-LAB \\nhttps:\/\/github[.]com\/rootreapers\/CVE-2025-11499 \\nhttps:\/\/github[.]com\/lagerhaker539\/CVE-2025-12595-POC\\n\\n**Webrat C2** \\nhttp:\/\/ezc5510min[.]temp[.]swtest[.]ru \\nhttp:\/\/shopsleta[.]ru\\n\\n**MD5** \\n28a741e9fcd57bd607255d3a4690c82f \\na13c3d863e8e2bd7596bac5d41581f6a \\n61b1fc6ab327e6d3ff5fd3e82b430315″,”published”:”2025-12-23T08:00:32″,”modified”:”2025-12-23T08:00:32″,”type”:”securelist”,”title”:”From cheats to exploits: Webrat spreading via GitHub”,”source”:””,”references”:””,”id”:”SECURELIST:CF224444DFA14E52526BE6DD965E7EC6″,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[“CVE-2025-10294″,”CVE-2025-11499″,”CVE-2025-11833″,”CVE-2025-12595″,”CVE-2025-12596″,”CVE-2025-54106″,”CVE-2025-54897″,”CVE-2025-55234″,”CVE-2025-59230″,”CVE-2025-59295″],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:9.8,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:”3.0″,”vectorString”:”CVSS:3.0\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:H\/A:H\/E:P\/RC:R”,”baseScore”:8.8,”baseSeverity”:”HIGH”,”attackVector”:”NETWORK”,”attackComplexity”:”LOW”,”privilegesRequired”:”LOW”,”userInteraction”:”NONE”,”scope”:”UNCHANGED”,”confidentialityImpact”:”HIGH”,”integrityImpact”:”HIGH”,”availabilityImpact”:”HIGH”}},”href”:”https:\/\/securelist.com\/webrat-distributed-via-github\/118555\/”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-12-23T08:05:12″,”description”:”\\n\\nIn early 2025, security researchers uncovered a new malware family named Webrat. Initially, the Trojan targeted regular users by disguising itself as cheats for popular…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[9,6,8,35,12,13,136,7,11,5],"class_list":["post-32503","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-critical","tag-cve","tag-cvss","tag-cvss-98","tag-exploit","tag-news","tag-securelist","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n