Figure: The execution flow and capabilities of rasmanesc.exe (image: Kaspersky Labs)
A cunning malware campaign initially designed to trick gamers has evolved into a dangerous trap for aspiring cybersecurity professionals. A new report from Kaspersky Labs reveals that the operators behind the Webrat malware have pivoted, now targeting students and inexperienced researchers by disguising their backdoor as proof-of-concept (PoC) exploits for high-profile vulnerabilities.
The campaign, which intensified in October 2025, exploits the curiosity and urgency of the security community, offering “working” code for critical vulnerabilities that often lack public exploits.
Webrat first surfaced in early 2025, casting a wide net for ordinary users. Attackers originally hid the malware inside “cheats for popular games like Rust, Counter-Strike, and Roblox, or as cracked software.” However, starting in September, the group shifted tactics to hunt a more technical quarry.
“In September, the attackers decided to widen their net: alongside gamers and users of pirated software, they are now targeting inexperienced professionals and students in the information security field,” the report warns.
To execute this pivot, the attackers set up malicious GitHub repositories, populating them with fake exploits for vulnerabilities with high CVSS scores. These included CVE-2025-59295 (CVSS 8.8), CVE-2025-10294 (CVSS 9.8), and CVE-2025-59230 (CVSS 7.8).
The lures were meticulously crafted to build trust. “The attackers bait their traps with both vulnerabilities lacking a working exploit and those which already have one.” By incorporating “detailed vulnerability information into the descriptions,” they made the repositories appear legitimate to the untrained eye.
Despite the sophisticated lure, the malware itself remains unchanged—a basic backdoor. The success of the attack relies entirely on the victim’s willingness to execute unverified code.
“The threat actor behind Webrat is now disguising the backdoor not only as game cheats and cracked software, but also as exploits and PoCs.”
Kaspersky researchers noted that seasoned professionals would likely spot the deception, as the malware analyzes the environment to ensure it isn’t running in a sandbox.
“These attacks clearly target users who would run the ‘exploit’ directly on their machines, bypassing basic safety protocols,” the report concludes.
Security experts recommend that researchers always analyze new exploits in isolated virtual environments and avoid adding exclusion rules to antivirus software without absolute certainty.