Fake GitHub Exploits Deliver WebRAT Malware to Security Researchers

Abeerah Hashim  - Security Expert
Last updated: December 24, 2025
  • The recently released WebRAT malware is spreading quickly through counterfeit GitHub repositories that claim to contain proof-of-concept exploits for newly discovered vulnerabilities.
  • The bad actors use AI-generated descriptions to trick security researchers and developers into downloading infected files onto their systems.
  • Upon execution, WebRAT steals online banking and cryptocurrency wallet data and gives the bad actor full, unrestricted access to the victim’s computer.

Cybercriminals are now weaponizing GitHub itself. They’re creating fake repositories that promise working proof-of-concept code for high-profile security flaws. Instead, they deliver a nasty backdoor called WebRAT.

This isn’t WebRAT’s first rodeo. The malicious program first surfaced at the beginning of the year and has spread via pirated tools as well as game cheats for Counter-Strike, Roblox, and even Rust. But the operators just leveled up their game. They’re now targeting a much more technical audience with a cleverly disguised distribution method.

Exploiting the exploit hunters

Since at least September, threat actors have been creating polished GitHub repositories. These repos claim to provide working exploits for several vulnerabilities that made headlines. Kaspersky security researchers discovered 15 repositories pushing WebRAT this way.

The fake exploits targeted three headline vulnerabilities. The first was CVE-2025-59295, described as a heap-based buffer overflow in MSHTML and Internet Explorer on Windows; the supposed “exploit” would let a remote attacker execute arbitrary code on a target host by sending specially crafted network packets.

The second was CVE-2025-10294, touted as a critical authentication bypass in WordPress passwordless logins, supposedly allowing an attacker to log in as any user, including administrators, with no authentication at all.

Finally, the third fake lure was CVE-2025-59230, an elevation of privilege vulnerability in Microsoft’s Remote Access Connection Manager (RACM). The claimed weakness would let local attackers escalate their privileges to SYSTEM-level access.

Each repository looked legitimate. They provided detailed information about the vulnerability, explained what the alleged exploit does, and even listed available mitigations. Kaspersky researchers believe all this text was generated using artificial intelligence models. The structure and presentation were professional enough to fool experienced developers.

What WebRAT actually does

According to a Solar 4RAYS report from May, WebRAT is a backdoor with extensive info-stealing capabilities. It hunts for credentials from Steam, Discord, and Telegram accounts. It also targets cryptocurrency wallet data, which is highly valuable to bad actors.

However, the malicious program does not only hijack stored information. It spies on victims through their webcams and takes screenshots of whatever they are doing.

The fake exploits arrive as password-protected ZIP files. Inside, victims find an empty file with the password as its filename, a corrupted decoy DLL, a batch file for the execution chain, and the main dropper called rasmanesc.exe.
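As an added, defender-side example (not from the article or from Kaspersky), the following Python script triages a ZIP archive for the packaging pattern just described, reading only member metadata and never extracting or running anything. The sample archive, its folder name and its password-like filename are constructed; only the dropper name rasmanesc.exe comes from the article.

```python
"""Triage a ZIP archive for the layout described in the article."""
import io
import zipfile

DROPPER_NAME = "rasmanesc.exe"  # dropper name reported in the article


def triage_archive(data: bytes) -> dict:
    """Inspect member metadata only (names, sizes, encryption flag)."""
    findings = {
        "encrypted": False,   # any member flagged as password-protected
        "empty_files": [],    # zero-byte members (password-as-filename trick)
        "batch_scripts": [],
        "dlls": [],
        "executables": [],
        "known_dropper": False,
    }
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # The central directory is readable without the password.
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.rsplit("/", 1)[-1]
            lower = name.lower()
            if info.flag_bits & 0x1:  # bit 0 = member is encrypted
                findings["encrypted"] = True
            if info.file_size == 0:
                findings["empty_files"].append(name)
            if lower.endswith((".bat", ".cmd")):
                findings["batch_scripts"].append(name)
            elif lower.endswith(".dll"):
                findings["dlls"].append(name)
            elif lower.endswith(".exe"):
                findings["executables"].append(name)
                if lower == DROPPER_NAME:
                    findings["known_dropper"] = True
    # Empty file + batch + DLL + EXE together is the described layout.
    findings["matches_pattern"] = bool(
        findings["empty_files"] and findings["batch_scripts"]
        and findings["dlls"] and findings["executables"])
    return findings


def build_sample() -> bytes:
    """Constructed archive mimicking the layout (harmless placeholder bytes).
    The stdlib cannot write encrypted ZIPs, so this sample is unencrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("PoC_CVE-2025-59295/Str0ngP4ss!", b"")          # password as filename (constructed)
        zf.writestr("PoC_CVE-2025-59295/helper.dll", b"\x00" * 16)  # corrupted decoy DLL (constructed)
        zf.writestr("PoC_CVE-2025-59295/run.bat", b"@echo off\r\n") # execution-chain batch (constructed)
        zf.writestr("PoC_CVE-2025-59295/rasmanesc.exe", b"MZ" + b"\x00" * 14)  # dropper name from the article
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_archive(build_sample()))
```

On a real password-protected sample the `encrypted` flag is set from the central directory, so the triage works without knowing the password.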

Once executed, the dropper gets to work immediately. It elevates its privileges on the system and disables Windows Defender to avoid detection, which is why defending against it requires a security solution that resists being switched off. It then downloads and executes the full WebRAT payload from a hardcoded URL.

WebRAT uses several persistence tactics to survive system reboots. It alters Windows Registry entries, creates Task Scheduler entries, and copies itself into random system directories. Together these make removal difficult for infected victims.

Kaspersky notes that this campaign’s WebRAT variant matches previously documented samples. “The operational capabilities remain consistent with past reports,” the researchers explained. The malware maintains the same credential stealing, webcam spying, and screenshot capture functions.

A growing threat to the cybersecurity community

Using fake exploits on GitHub to spread malware isn’t exactly new. Security researchers have documented this tactic extensively in the past. Recently, threat actors promoted a fake “LDAPNightmare” exploit on GitHub to spread infostealing malware through similar methods.

This incident is part of a broader pattern of attackers weaponizing GitHub’s ecosystem, as seen in a separate campaign where hackers breached multiple organizations by compromising legitimate OAuth applications on the platform.

Kaspersky has identified the malicious GitHub repositories and compiled a list of them, but the operators are expected to keep luring users by publishing new repositories under different publisher names. With virtually no barrier to entry, it is easy for malicious actors to create repositories that appear legitimate to unsuspecting users.

As a matter of best practice, Kaspersky recommends that developers and security professionals test code or exploits from potentially untrusted sources only in an isolated environment that they fully control.
