Overview
- Kaspersky reports that the campaign has used GitHub repos posing as proof-of-concept exploits since at least September 2025 and was identified in October.
- Repository pages mimic technical writeups for high-profile CVEs, with machine-generated text designed to entice inexperienced researchers and hobbyists.
- Downloads arrive as password-protected ZIPs containing a dropper (often rasmanesc.exe) that elevates privileges, disables Windows Defender, then retrieves Webrat from a hardcoded URL.
- The deployed Webrat backdoor enables system control and steals data from cryptocurrency wallets and Steam, Discord, and Telegram, with keylogging, screen capture, and webcam and microphone surveillance.
- Kaspersky published malicious repo URLs, C2 domains, and sample hashes to aid detection, and BleepingComputer says the identified repositories have been removed from GitHub.
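As an added defender-side example (not code from Kaspersky's or BleepingComputer's reporting), the check below triages a downloaded "PoC" archive using ZIP metadata only, flagging the combination described above: encrypted entries bundled with a Windows executable, or the reported dropper filename. The executable-suffix list and the sample archive are constructed assumptions for illustration.

```python
import io
import struct
import zipfile

# Dropper name taken from the summary above; the suffix list is an assumption
# used for triage and is not part of the report.
KNOWN_DROPPER_NAMES = {"rasmanesc.exe"}
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".bat", ".cmd", ".ps1", ".dll")


def triage_zip(data: bytes) -> dict:
    """Inspect archive metadata (no extraction, no password needed) and
    report the indicators that match the fake-PoC delivery pattern."""
    findings = {"encrypted_entries": [], "executables": [], "known_dropper": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if info.flag_bits & 0x1:  # general-purpose flag bit 0: entry is encrypted
                findings["encrypted_entries"].append(name)
            if name.lower().endswith(EXECUTABLE_SUFFIXES):
                findings["executables"].append(name)
            if name.rsplit("/", 1)[-1].lower() in KNOWN_DROPPER_NAMES:
                findings["known_dropper"].append(name)
    # Password-protected archive shipping an executable, or the known dropper
    # name, is enough to quarantine the download for manual review.
    findings["suspicious"] = bool(
        (findings["encrypted_entries"] and findings["executables"]) or findings["known_dropper"]
    )
    return findings


def build_sample(encrypted: bool) -> bytes:
    """Constructed test archive mimicking a fake PoC download. Python's zipfile
    cannot write encrypted entries, so the encryption bit is set afterwards by
    patching the flag field in each local header and central-directory record;
    the payload is placeholder text, not a real PE."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("CVE-XXXX-XXXX_poc/README.txt", "machine-generated writeup (placeholder)")
        zf.writestr("CVE-XXXX-XXXX_poc/rasmanesc.exe", "placeholder, not a real executable")
    raw = bytearray(buf.getvalue())
    if encrypted:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = raw.find(sig)
            while pos != -1:
                flags = struct.unpack_from("<H", raw, pos + off)[0] | 0x1
                struct.pack_into("<H", raw, pos + off, flags)
                pos = raw.find(sig, pos + 4)
    return bytes(raw)
```

Running `triage_zip` over the archive from `build_sample(True)` returns `suspicious=True` with both the encrypted entries and the dropper name listed; the same logic can be pointed at any ZIP fetched from a repository release before it is opened.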