Find notable cyber news and cases, enriched with sources, timelines, and signals.

WebRAT malware distribution via fake GitHub exploit repositories

Malware Activity
First reported
Last updated
Happening score
H score 28
1 unique sources, 1 articles

Summary

Hide ▲

The WebRAT backdoor is now being distributed through GitHub repositories that masquerade as proof-of-concept exploits, increasing the chance that researchers and developers will install malware while testing supposed fixes. The lure pages reference recent vulnerabilities and package the payload in a password-protected ZIP that leads to the dropper rasmanesc.exe. Once executed, the chain disables Windows Defender and downloads WebRAT from a hardcoded URL, turning a fake exploit into a credential-theft backdoor.

Related Happenings

Hola Browser for Windows Monero miner compromise

Malware Activity
H score32 First: 05.06.2026 00:27 Last: 05.06.2026 00:27 Sources 1

About this happening: The **Hola Browser for Windows** supply chain delivered an **undeclared Monero miner**, putting some installations at risk of unauthorized CPU use and persistence. Researchers fou...

Laravel Lang credential-stealer dropper delivered through malicious Composer packages

Malware Activity
H score22 First: 23.05.2026 23:48 Last: 23.05.2026 23:48 Sources 1

About this happening: A **malicious Composer payload** in **Laravel Lang** packages now threatens **Linux, macOS, and Windows** developers with credential theft. The injected `src/helpers.php` dropper...

Shai-Hulud worm clone activity on NPM

Malware Activity
H score69 First: 18.05.2026 12:45 Last: 18.05.2026 12:45 Sources 1

About this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...

Mini Shai-Hulud npm supply-chain malware wave

Malware Activity
H score68 First: 12.05.2026 14:07 Last: 12.05.2026 14:07 Sources 1

About this happening: The **Mini Shai-Hulud** npm **malware activity** now includes the **Miasma** variant affecting **Microsoft GitHub repositories** in a self-replicating **supply-chain campaign**. O...

Latest development: 09.06.2026 18:42

On June 5, Microsoft removed 73 repositories across its Azure, microsoft, Azure-Samples, and MicrosoftDocs organizations on GitHub after concerns about potential malicious content tied to the Miasma/Shai-Hulud supply-chain campaign. The action disrupted continuous integration pipelines and broke workflows that depended on Azure/functions-action, while Microsoft said it temporarily removed some repositories during its investigation.

EtherRAT malicious MSI loader with Ethereum-based C2

Malware Activity
H score23 First: 30.04.2026 14:30 Last: 30.04.2026 14:30 Sources 1

About this happening: The **EtherRAT** malware is being delivered through **malicious MSI installers** and gives attackers **persistent Windows access**, increasing the risk of covert control inside en...

Timeline

  1. 23.12.2025 21:31 2 articles · 6mo ago

    WebRAT spread through fake GitHub exploit repositories

    Initial Disclosure

    Kaspersky found 15 GitHub repositories that claimed to provide proof-of-concept exploits for recently disclosed vulnerabilities and were used to deliver WebRAT. The lures referenced CVE-2025-59295, CVE-2025-10294, and CVE-2025-59230, and the delivery chain used a password-protected ZIP file, a decoy DLL, a batch file, and the rasmanesc.exe dropper, which elevated privileges, disabled Windows Defender, and downloaded WebRAT from a hardcoded URL.

    Show sources