WebRAT Malware Spread via GitHub Repositories Posing as Proof-of-Concept Exploits to Attack Users

A new malware campaign has surfaced that uses GitHub repositories to spread the WebRAT malware by disguising it as proof-of-concept exploits and gaming utilities.

The malware targets users searching for game cheats, pirated software, and application patches, particularly for popular titles like Rust, Counter-Strike, and Roblox.

Attackers distribute WebRAT through multiple channels, including GitHub repositories, YouTube video comments, and pirated software websites, making it a widespread threat to both individual gamers and corporate environments.

WebRAT operates as a stealer and remote access tool, capable of extracting login details from Steam, Discord, Telegram, and cryptocurrency wallets.

The malware also includes advanced features such as desktop screen monitoring, webcam access, and full computer control through the user interface.

These capabilities enable attackers to collect personal information, monitor victim activities in real time, and even deploy additional malicious payloads like cryptocurrency miners or blockers.

The collected data can be used for account takeovers, financial theft, blackmail, or swatting attacks where false police reports are made to intimidate victims.

Solar analysts identified WebRAT during research into dark web activities and found that the first versions appeared in January 2025.

The malware is now being sold to cybercriminals through closed channels, making it accessible to a broader range of threat actors.

Discussions on attacker platforms revealed alleged real-life cases where WebRAT was used for blackmail and swatting, showing that this is not just a theoretical threat.

The malware distribution strategy relies heavily on social engineering, where attackers post fake tutorial videos and leave comments with download links to malicious archives.

The primary risk extends beyond individual gamers to corporate employees who download pirated software on company devices.

Once installed, WebRAT can compromise sensitive corporate information, including office conversations and confidential business data.

The malware’s ability to control infected systems remotely allows attackers to move laterally through corporate networks, potentially leading to larger security breaches.

Distribution and Infection Mechanism

WebRAT spreads through carefully crafted social engineering campaigns that exploit user trust in open-source platforms like GitHub.

Attackers create repositories that appear to host legitimate proof-of-concept exploits, game cheats, or utility programs.

These repositories often include detailed documentation and fake reviews to increase credibility.

On YouTube, threat actors upload instructional videos demonstrating how to use the fake tools and post download links in the comments section.

When users download and execute these files, the malware installs silently without raising immediate suspicion.

The embedded malware then establishes persistence on the victim’s system and begins exfiltrating data to command-and-control servers.

Security teams can detect WebRAT activity using Indicators of Compromise provided by Solar 4RAYS, which include server addresses and network signatures associated with the malware’s communication channels.
