WebRAT malware distribution via fake GitHub exploit repositories
Malware Activity
Summary
Hide ▲
Show ▼
The WebRAT backdoor is now being distributed through GitHub repositories that masquerade as proof-of-concept exploits, increasing the chance that researchers and developers will install malware while testing supposed fixes. The lure pages reference recent vulnerabilities and package the payload in a password-protected ZIP that leads to the dropper rasmanesc.exe. Once executed, the chain disables Windows Defender and downloads WebRAT from a hardcoded URL, turning a fake exploit into a credential-theft backdoor.
Related Happenings
Hola Browser for Windows Monero miner compromise
Malware Activity
H score32
First: 05.06.2026 00:27
Last: 05.06.2026 00:27
Sources 1
About this happening:
The **Hola Browser for Windows** supply chain delivered an **undeclared Monero miner**, putting some installations at risk of unauthorized CPU use and persistence. Researchers fou...
Hola Browser for Windows Monero miner compromise
Malware ActivityAbout this happening: The **Hola Browser for Windows** supply chain delivered an **undeclared Monero miner**, putting some installations at risk of unauthorized CPU use and persistence. Researchers fou...
Laravel Lang credential-stealer dropper delivered through malicious Composer packages
Malware Activity
H score22
First: 23.05.2026 23:48
Last: 23.05.2026 23:48
Sources 1
About this happening:
A **malicious Composer payload** in **Laravel Lang** packages now threatens **Linux, macOS, and Windows** developers with credential theft. The injected `src/helpers.php` dropper...
Laravel Lang credential-stealer dropper delivered through malicious Composer packages
Malware ActivityAbout this happening: A **malicious Composer payload** in **Laravel Lang** packages now threatens **Linux, macOS, and Windows** developers with credential theft. The injected `src/helpers.php` dropper...
Shai-Hulud worm clone activity on NPM
Malware Activity
H score69
First: 18.05.2026 12:45
Last: 18.05.2026 12:45
Sources 1
About this happening:
The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...
Shai-Hulud worm clone activity on NPM
Malware ActivityAbout this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...
Mini Shai-Hulud npm supply-chain malware wave
Malware Activity
H score68
First: 12.05.2026 14:07
Last: 12.05.2026 14:07
Sources 1
About this happening:
The **Mini Shai-Hulud** npm **malware activity** now includes the **Miasma** variant affecting **Microsoft GitHub repositories** in a self-replicating **supply-chain campaign**. O...
Mini Shai-Hulud npm supply-chain malware wave
Malware ActivityAbout this happening: The **Mini Shai-Hulud** npm **malware activity** now includes the **Miasma** variant affecting **Microsoft GitHub repositories** in a self-replicating **supply-chain campaign**. O...
Latest development: 09.06.2026 18:42
On June 5, Microsoft removed 73 repositories across its Azure, microsoft, Azure-Samples, and MicrosoftDocs organizations on GitHub after concerns about potential malicious content tied to the Miasma/Shai-Hulud supply-chain campaign. The action disrupted continuous integration pipelines and broke workflows that depended on Azure/functions-action, while Microsoft said it temporarily removed some repositories during its investigation.
EtherRAT malicious MSI loader with Ethereum-based C2
Malware Activity
H score23
First: 30.04.2026 14:30
Last: 30.04.2026 14:30
Sources 1
About this happening:
The **EtherRAT** malware is being delivered through **malicious MSI installers** and gives attackers **persistent Windows access**, increasing the risk of covert control inside en...
EtherRAT malicious MSI loader with Ethereum-based C2
Malware ActivityAbout this happening: The **EtherRAT** malware is being delivered through **malicious MSI installers** and gives attackers **persistent Windows access**, increasing the risk of covert control inside en...
Timeline
-
23.12.2025 21:31 2 articles · 6mo ago
WebRAT spread through fake GitHub exploit repositories
Initial DisclosureKaspersky found 15 GitHub repositories that claimed to provide proof-of-concept exploits for recently disclosed vulnerabilities and were used to deliver WebRAT. The lures referenced CVE-2025-59295, CVE-2025-10294, and CVE-2025-59230, and the delivery chain used a password-protected ZIP file, a decoy DLL, a batch file, and the rasmanesc.exe dropper, which elevated privileges, disabled Windows Defender, and downloaded WebRAT from a hardcoded URL.
Show sources
- WebRAT malware spread via fake vulnerability exploits on GitHub — www.bleepingcomputer.com — 23.12.2025 21:31
- WebRAT malware spread via fake vulnerability exploits on GitHub — www.bleepingcomputer.com — 23.12.2025 21:31