Oftentimes your high-ego, “I’m smart enough not to get hacked” techies are more dangerous than Randall over in Sales. They see a shiny new “PoC exploit” for a spicy CVE on GitHub and think, “I got this. I’ll just test it real quick on my machine.”
Well, that’s exactly how the WebRAT malware is spreading right now. Threat actors are spinning up convincing GitHub repos that mimic proof-of-concept exploits for recently disclosed vulnerabilities (high CVSS stuff like Windows RasMan flaws). The repos look legit: AI-generated descriptions, mitigation details, code snippets, etc.
But the “exploit” ZIP? Well, it’s a dropper that disables Defender, escalates privileges, and installs WebRAT, a full-featured backdoor and infostealer that grabs:
- Credentials from Steam, Discord, Telegram
- Crypto wallets
- Screenshots
- Webcam access
Kaspersky spotted 15 of these repos (all since taken down, for now). This campaign specifically targets infosec pros and enthusiasts who can’t resist poking at fresh CVEs.
Lesson: Ego + haste = compromise.
Always:
➙ Verify the repo owner, activity, and stars
➙ Download and test only in an isolated VM or sandbox
➙ Never run untrusted code on your daily driver
What’s your go-to when you stumble across a GitHub “PoC”? Local VM? Sandboxed lab? Vendor solution (which one)?
More details: https://www.bleepingcomputer.com/news/security/webrat-malware-spread-via-fake-vulnerability-exploits-on-github/