
WebRAT malware distribution via fake GitHub exploit repositories

Malware Activity
Happening score: 40
1 unique source, 1 article

Summary


The WebRAT backdoor is now being distributed through GitHub repositories that masquerade as proof-of-concept exploits, increasing the chance that researchers and developers will install malware while testing supposed fixes. The lure pages reference recent vulnerabilities and package the payload in a password-protected ZIP that leads to the dropper rasmanesc.exe. Once executed, the chain disables Windows Defender and downloads WebRAT from a hardcoded URL, turning a fake exploit into a credential-theft backdoor.

Related Happenings

Laravel Lang credential-stealer dropper delivered through malicious Composer packages

Malware Activity
First: 23.05.2026 23:48 · Last: 23.05.2026 23:48 · Sources: 1

About this happening: A **malicious Composer payload** in **Laravel Lang** packages now threatens **Linux, macOS, and Windows** developers with credential theft. The injected `src/helpers.php` dropper...

Shai-Hulud worm clone activity on NPM

Malware Activity
First: 18.05.2026 12:45 · Last: 18.05.2026 12:45 · Sources: 1

About this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...

Mini Shai-Hulud npm supply-chain malware wave

Malware Activity
First: 12.05.2026 14:07 · Last: 12.05.2026 14:07 · Sources: 1

About this happening: The **Sha1-Hulud** npm supply-chain campaign is a fresh **second wave** of **Shai-Hulud**-style activity that has compromised **hundreds of npm packages**. The malware runs during...

EtherRAT malicious MSI loader with Ethereum-based C2

Malware Activity
First: 30.04.2026 14:30 · Last: 30.04.2026 14:30 · Sources: 1

About this happening: The **EtherRAT** malware is being delivered through **malicious MSI installers** and gives attackers **persistent Windows access**, increasing the risk of covert control inside en...

Claude Code leak GitHub Vidar lure campaign

Campaign
First: 02.04.2026 23:30 · Last: 02.04.2026 23:30 · Sources: 1

About this happening: A **malicious GitHub repository campaign** is abusing the **Claude Code leak** to deliver **Vidar** to users searching for leaked code. The lure uses a **fake leak**, **search-eng...

Timeline

  1. 23.12.2025 21:31 · 2 articles · 5mo ago

    WebRAT spread through fake GitHub exploit repositories

    Initial Disclosure

    Kaspersky found 15 GitHub repositories that claimed to provide proof-of-concept exploits for recently disclosed vulnerabilities and were used to deliver WebRAT. The lures referenced CVE-2025-59295, CVE-2025-10294, and CVE-2025-59230, and the delivery chain used a password-protected ZIP file, a decoy DLL, a batch file, and the rasmanesc.exe dropper, which elevated privileges, disabled Windows Defender, and downloaded WebRAT from a hardcoded URL.
