Malware peddlers are targeting infosec enthusiasts, budding security professionals, and aspiring hackers with the Webrat malware, masquerading the threat as proof-of-concept (PoC) exploits for known vulnerabilities.
Delivering the malware
The recently uncovered Webrat can steal data from Telegram, Discord and Steam accounts and cryptocurrency wallets. It’s also capable of logging keystrokes, recording the computer screen, taking over the machine’s webcam and microphone, and acting as a backdoor through which the attackers can control the system.
The malware is packaged into a password-protected archive that’s offered for download on GitHub, via repositories that ostensibly host PoC exploits for vulnerabilities with high CVSSv3 scores.
The text in the malicious GitHub repositories was likely machine-generated, and the “Download Exploit ZIP” link in the “Download & Install” section leads to a password-protected archive hosted in the same repository.
The AI-generated content of the repositories (Source: Kaspersky)
Among the files in the archive is an executable that escalates its privileges to the administrator level, disables Windows Defender, and fetches Webrat from a hardcoded URL.
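As an added example (not from the article, Kaspersky or the campaign itself), the following Python script inspects a downloaded "PoC" archive without extracting it and flags the traits described above: password-protected entries and an executable inside. The zip header offsets are the standard ones; the two sample archives are constructed in memory, the CVE in the README is a placeholder, and the script goes slightly beyond the article by also sniffing unencrypted entries for a PE (`MZ`) header.

```python
import io
import os
import struct
import zipfile

EXEC_EXTENSIONS = {".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".msi"}
ENCRYPTED_BIT = 0x01  # general-purpose flag bit 0 in zip headers

def triage_archive(zip_bytes: bytes) -> dict:
    """Inspect a zip without extracting it: encrypted entries, executable names, PE content."""
    found = {"encrypted": [], "executable_names": [], "pe_magic": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name, encrypted = info.filename, bool(info.flag_bits & ENCRYPTED_BIT)
            if encrypted:
                found["encrypted"].append(name)
            if os.path.splitext(name)[1].lower() in EXEC_EXTENSIONS:
                found["executable_names"].append(name)
            if not encrypted:  # only readable entries can be sniffed for a PE header
                with zf.open(info) as fh:
                    if fh.read(2) == b"MZ":
                        found["pe_magic"].append(name)
    # The campaign's shape: a password-protected archive carrying an executable.
    found["lure_pattern"] = bool(found["encrypted"]) and bool(
        found["executable_names"] or found["pe_magic"])
    return found

def build_zip(entries: dict, encrypted=()) -> bytes:
    """Construct an in-memory zip (test data); zipfile cannot write encrypted entries, so the bit is patched in."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    data = bytearray(buf.getvalue())
    # Local header: flags @6, name len @26, name @30.  Central dir: flags @8, name len @28, name @46.
    for sig, flag_off, len_off, name_off in ((b"PK\x03\x04", 6, 26, 30),
                                             (b"PK\x01\x02", 8, 28, 46)):
        pos = data.find(sig)
        while pos != -1:
            n = struct.unpack_from("<H", data, pos + len_off)[0]
            if data[pos + name_off:pos + name_off + n].decode() in encrypted:
                data[pos + flag_off] |= ENCRYPTED_BIT
            pos = data.find(sig, pos + 4)
    return bytes(data)

# Constructed samples: one shaped like the lure, one shaped like an honest PoC.
SAMPLE_LURE = build_zip({"README.md": "# PoC CVE-XXXX-XXXXX (placeholder)\n", "exploit.exe": b"MZ" + b"\0" * 30,
                         "update.dat": b"MZ" + b"\0" * 30}, encrypted=("exploit.exe",))
SAMPLE_CLEAN = build_zip({"poc.py": "import requests\n", "README.md": "# PoC\n"})
```

Run `triage_archive()` on a downloaded archive's bytes before opening anything in it; a `lure_pattern` of `True` is the signal to move the file into an isolated VM or sandbox rather than a workstation.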
PoC exploits as lures
In this Webrat delivery campaign, which began in September 2025 and was discovered by Kaspersky researchers a month later, the attackers have leveraged vulnerabilities frequently mentioned in security advisories and industry news:
- CVE-2025-10294 (a vulnerability in the OwnID Passwordless Login plugin for WordPress)
- CVE-2025-59295 (a heap-based buffer overflow in Internet Explorer)
- CVE-2025-59230 (an elevation of privilege vulnerability in Windows RasMan)
- CVE-2025-12595 and CVE-2025-12596 (vulnerabilities in the Tenda AC23 wireless router)
- CVE-2025-54897 (a Microsoft SharePoint remote code execution vulnerability)
- CVE-2025-54106 (a vulnerability in Windows Routing and Remote Access Service (RRAS))
- CVE-2025-55234 (an EoP flaw in Windows SMB server)
- CVE-2025-11499 (an unauthenticated arbitrary file upload vulnerability affecting the Tablesome Table WordPress plugin)
- CVE-2025-11833 (a flaw in the Post SMTP WordPress plugin)
“This is not the first time threat actors have tried to lure security researchers with exploits. Last year, they similarly took advantage of the high-profile RegreSSHion vulnerability, which lacked a working PoC at the time,” Kaspersky researchers noted.
Late last year, DataDog researchers discovered a threat actor targeting security researchers and offensive actors by setting up dozens of malicious GitHub repositories with fake or trojanized PoC exploit code.
In 2023, someone tried to push the VenomRat malware onto anyone who might be interested in a PoC exploit for a WinRAR remote code execution vulnerability.
While Kaspersky researchers suggest the campaign primarily targets budding security professionals, it may also be intended to compromise systems used by criminals attempting to integrate newly disclosed vulnerabilities into their own operations.
“This serves as a reminder that cybersecurity professionals, especially inexperienced researchers and students, must remain vigilant when handling exploits and any potentially malicious files. To prevent potential damage to work and personal devices containing sensitive information, we recommend analyzing these exploits and files within isolated environments like virtual machines or sandboxes,” Kaspersky researchers advised.
