Thursday, December 25, 2025

Recent reports have uncovered a new wave of WebRAT malware that has shifted its targets from gamers (previously infected via cheats for games such as Roblox or Counter-Strike) to software developers and security administrators. Attackers have created fake GitHub repositories claiming to host proof-of-concept (PoC) exploit code for newly disclosed vulnerabilities, such as CVE-2025-59230 (a Windows RasMan vulnerability) and CVE-2025-10294 (a WordPress vulnerability). These repositories are designed to lure victims into downloading and testing the code, with repository descriptions believed to be AI-generated to make them look more credible.
The infection chain begins when victims are tricked into downloading a password-protected ZIP archive containing decoy files and a malicious loader named rasmanesc.exe. Once executed, the loader elevates its privileges, disables Windows Defender, and then downloads the actual WebRAT payload from an external server and installs it on the system. Persistence is established by modifying the Windows Registry and creating Scheduled Tasks, so the malware survives system reboots.
WebRAT is capable of stealing a wide range of sensitive information, including credentials for Discord, Steam, and Telegram, as well as cryptocurrency wallet data. It also features advanced surveillance capabilities such as screen recording, webcam spying, microphone audio capture, and keylogging. Although GitHub has removed the malicious repositories, experts strongly advise users to exercise caution when downloading code from unknown sources and to test untrusted code in isolated or sandboxed environments, separate from primary systems.
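The lure described above (a password-protected archive that mixes decoy source files with a loader executable) can be triaged before anything is extracted or run. The following is an added example, not code from the report or from any of the parties it describes: it inspects a ZIP's central directory with the Python standard library and flags entries that are encrypted, that carry an executable extension, or whose basename matches the loader name given in the report (rasmanesc.exe). The sample archive is constructed inline; its directory name, decoy files and the extension list are assumptions, and the helper that sets the "encrypted" flag bit exists only so the sample looks password-protected without a third-party library.

```python
import io
import posixpath
import struct
import zipfile

# Extensions that have no business in a "source code only" PoC archive (own list, not from the report).
EXECUTABLE_EXT = {".exe", ".scr", ".dll", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".lnk", ".msi"}
# Loader filename reported for this WebRAT campaign.
KNOWN_LOADER_NAMES = {"rasmanesc.exe"}


def triage_zip(data: bytes) -> dict:
    """Inspect archive metadata only; never extract or execute anything."""
    entries, findings = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            encrypted = bool(info.flag_bits & 0x1)      # general-purpose flag bit 0 = encrypted entry
            base = posixpath.basename(info.filename)
            ext = posixpath.splitext(base)[1].lower()
            entries.append({"name": info.filename, "encrypted": encrypted, "size": info.file_size})
            if base.lower() in KNOWN_LOADER_NAMES:
                findings.append(f"{info.filename}: filename matches a reported WebRAT loader name")
            if ext in EXECUTABLE_EXT:
                findings.append(f"{info.filename}: executable content in a PoC 'source' archive")
            if encrypted:
                findings.append(f"{info.filename}: password-protected entry (cannot be scanned before extraction)")
            elif ext not in EXECUTABLE_EXT:
                # Unencrypted entry with a harmless extension: check for a PE header hiding behind it.
                with zf.open(info) as fh:
                    if fh.read(2) == b"MZ":
                        findings.append(f"{info.filename}: PE header under a non-executable extension")
    verdict = "suspicious" if findings else "no obvious red flags"
    return {"entries": entries, "findings": findings, "verdict": verdict}


def _mark_encrypted(zip_bytes: bytes, target: str) -> bytes:
    """Set the 'encrypted' flag bit on one entry of a STORED archive (sample-building helper only).
    Local header: flags at offset 6, name length at 26, name at 30.
    Central directory header: flags at offset 8, name length at 28, name at 46."""
    buf = bytearray(zip_bytes)
    name = target.encode()
    for sig, flag_off, len_off, name_off in ((b"PK\x03\x04", 6, 26, 30), (b"PK\x01\x02", 8, 28, 46)):
        pos = buf.find(sig)
        while pos != -1:
            (nlen,) = struct.unpack_from("<H", buf, pos + len_off)
            if bytes(buf[pos + name_off:pos + name_off + nlen]) == name:
                (flags,) = struct.unpack_from("<H", buf, pos + flag_off)
                struct.pack_into("<H", buf, pos + flag_off, flags | 0x1)
            pos = buf.find(sig, pos + 4)
    return bytes(buf)


def build_sample_archive() -> bytes:
    """Constructed sample mimicking the lure: decoy README and script plus an 'encrypted' loader."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("CVE-2025-59230-poc/README.md", "# PoC for CVE-2025-59230\nRun rasmanesc.exe to test.\n")
        zf.writestr("CVE-2025-59230-poc/exploit.py", "print('placeholder')\n")
        zf.writestr("CVE-2025-59230-poc/rasmanesc.exe", b"MZ" + b"\x00" * 62)
    return _mark_encrypted(buf.getvalue(), "CVE-2025-59230-poc/rasmanesc.exe")


if __name__ == "__main__":
    report = triage_zip(build_sample_archive())
    print(report["verdict"])
    for line in report["findings"]:
        print(" -", line)
```

Because the check reads only the central directory (plus the first two bytes of unencrypted entries), it works on archives whose password you do not have, which is exactly the case for this lure: the password hides the loader from scanners at download time, so the presence of an encrypted executable is itself the signal worth surfacing before the archive is opened on a primary system.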
