WebRAT Malware Distribution via Fake GitHub Exploits
BLUF
Cybercriminals are distributing WebRAT malware through malicious GitHub repositories posing as PoC exploits for various CVEs (e.g., CVE-2025-10294, CVE-2025-59295, CVE-2025-59230). They target security researchers and IT professionals.
Executive Cost Summary
This cost analysis was developed by the CyberDax team using expert judgment and assisted analytical tools to support clarity and consistency.
For organizations impacted by a confirmed or suspected WebRAT infection delivered through a fake GitHub exploit repository:
Low-end total cost: $350,000 – $500,000
(Single-user exposure, rapid detection, no sensitive data loss)
Typical expected range: $750,000 – $1.5M
(Multiple affected systems, extended investigation, legal and compliance review)
Upper-bound realistic scenarios: $2M – $3M
(Credential compromise, data exposure concerns, insurance claims, and sustained operational disruption)
Key cost driver:
Costs are driven less by system downtime and more by uncertainty. When malware is introduced through trusted developer workflows, organizations must assume credential compromise, potential data access, and persistence risks. The resulting need for broad validation, forensic assurance, legal review, and governance response—rather than technical cleanup alone—accounts for the majority of financial impact.
Potential Affected Sectors
· IT professionals
· Cybersecurity researchers
· General users of pirated software or gaming cheats
Potential Affected Countries
· Global
Date of First Reported Activity
· September 2025
Date of Last Reported Activity Update
· December 24, 2025
CVEs and CVSS Vectors
The campaign uses these CVEs only as lures; the repositories do not contain working exploits for them, and the CVE details below are provided so defenders can tell a genuine vulnerability discussion from the lure.
CVE-2025-10294
CVSS v3.1 Vector
· 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Nessus ID
· No Tenable plugin ID is available for CVE-2025-10294
Is this on the KEV list
No
What is the CISA patch by date for CVE-2025-10294?
· Not applicable
Patch release date
· No patch released for this vulnerability at the time of this update
Mitigation Data
· Deactivate and Uninstall
o Security providers strongly advise deactivating and uninstalling the affected plugin (OwnID Passwordless Login, per the ZeroPath reference below) until a patch is released.
· Virtual Patching
o If you are a Wordfence Premium, Care, or Response user, ensure your firewall rules are up to date, as virtual patches were rolled out in October 2025 to block exploitation attempts.
· Access Restrictions
o If deactivation is not immediately possible, restrict access to wp-admin to trusted IP addresses only and monitor login logs for suspicious activity. This limits what an attacker can do after a bypass but does not remove the vulnerable code, so treat it as a stopgap until the plugin is removed.
Security Warning
Be extremely cautious of search results or GitHub repositories claiming to offer "exploit code" or "unofficial fixes" for this CVE. Malicious actors have been observed using fake CVE-2025-10294 exploits as lures to distribute WebRAT malware.
CVE-2025-59295
CVSS v3.1 Vector
· 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Nessus ID
· 270390
· 270365
· 270366
· 270367
· 270371
· 270375
· 270377
· 270378
· 270379
· 270381
· 270384
· 270385
· 270386
Is this on the KEV list
· No
What is the CISA patch by date for CVE-2025-59295?
· Not Applicable
Patch release date
· October 14, 2025
URL to patch information
· hxxps://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59295
CVE-2025-59230
CVSS v3.1 Vector
· 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Nessus ID
· 270365
· 270366
· 270367
· 270371
· 270375
· 270377
· 270378
· 270379
· 270381
· 270384
· 270385
· 270386
· 270390
Is this on the KEV list
Yes
What is the CISA patch by date for CVE-2025-59230?
· November 4, 2025
Patch release date
· October 14, 2025
URL to patch information
· hxxps://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59230
Mitigation Data
· For the WebRAT campaign itself, mitigation is user education and scrutiny of GitHub repositories before anything from them is executed.
o The CVEs are lures; the threat is the downloaded executable, so patching the referenced CVEs does not by itself address this campaign.
APT Names
This campaign appears to be associated with criminal organizations rather than state-sponsored activity.
Potentially associated criminal organization names
· Stargazer Goblin
o Stargazers Ghost Network
IOCs
As a reminder, IOCs are usually specific to a given target or stage of an attack and change frequently.
Behavioural (heuristic) detections are more likely to catch the activity than static indicators alone.
Historic Malicious Domains and URLs
Attackers use these domains for hosting the malware and command-and-control (C2) communication
· Webr[.]at
· Webrat[.]su
· Webrat[.]in
· Pidorasina[.]ru
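As an added example (not code from the original report or from any vendor), the following Python script refangs the defanged domains above and matches them against DNS-query telemetry. Matching is done on whole domain labels, so a subdomain such as api.webrat.su is caught while a lookalike such as notwebrat.in is not reported. The Sysmon Event ID 22 style log lines, hostnames and image paths are constructed for illustration.

```python
import re
from typing import List, Optional, Tuple

# Defanged hosting/C2 domains as listed in this report.
DEFANGED_IOCS = ["Webr[.]at", "Webrat[.]su", "Webrat[.]in", "Pidorasina[.]ru"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]com', 'hxxp://') back into a matchable form."""
    return (indicator.strip().lower()
            .replace("[.]", ".").replace("(.)", ".")
            .replace("hxxps://", "https://").replace("hxxp://", "http://"))


IOC_DOMAINS = {refang(d) for d in DEFANGED_IOCS}


def domain_matches(fqdn: str) -> Optional[str]:
    """Return the IOC that fqdn equals or is a subdomain of, else None.

    Walks label suffixes (api.webrat.su -> webrat.su -> su) rather than doing a
    substring search, so 'notwebrat.in' does not match 'webrat.in'.
    """
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


# Constructed Sysmon Event ID 22 (DNS query) lines for illustration; not real telemetry.
SAMPLE_LOG = """\
2025-12-20T03:58:11Z host=WS-0142 eid=22 QueryName=api.webrat.su Image=C:\\Users\\dev\\AppData\\Roaming\\rasmanesc.exe
2025-12-20T03:58:12Z host=WS-0142 eid=22 QueryName=github.com Image=C:\\Program Files\\Git\\bin\\git.exe
2025-12-20T03:59:40Z host=WS-0077 eid=22 QueryName=webr.at Image=C:\\Windows\\Temp\\update.exe
2025-12-20T04:00:02Z host=WS-0077 eid=22 QueryName=notwebrat.in Image=C:\\Windows\\explorer.exe
2025-12-20T04:01:15Z host=WS-0099 eid=22 QueryName=Pidorasina.ru. Image=C:\\Windows\\System32\\svchost.exe
"""

QUERY_RE = re.compile(r"host=(?P<host>\S+).*?QueryName=(?P<qname>\S+)")


def hunt_dns(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (host, queried name, matched IOC) for every query that hits an IOC domain."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        ioc = domain_matches(m.group("qname"))
        if ioc:
            hits.append((m.group("host"), m.group("qname"), ioc))
    return hits


if __name__ == "__main__":
    for host, qname, ioc in hunt_dns(SAMPLE_LOG):
        print(f"{host}: {qname} -> matches IOC {ioc}")
```

Feed it the QueryName column of real Sysmon 22 events or the query field of a resolver log; trailing dots and mixed case are normalised before matching.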
File Indicators
Victims typically download a password-protected ZIP archive containing these files:
rasmanesc.exe: A malicious dropper that elevates privileges, disables Windows Defender, and fetches the final WebRAT payload.
Decoy files
The archive often includes an empty file, a fake DLL, and a batch script to execute the dropper.
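The archive layout above can be triaged without extracting or running anything. The Python below is an added example (not the report's or any vendor's code) that builds an archive mimicking that layout in memory and then inspects it: it flags password-protected entries (general-purpose flag bit 0, which is what hides the dropper from scanners), empty decoys, executable content, a "DLL" that lacks the MZ header, and a batch file that references another entry. The file names and contents are constructed placeholders.

```python
import io
import os
import zipfile
from typing import Dict, List

# Extensions that should never be executed straight out of a "PoC" archive.
EXECUTABLE_EXT = {".exe", ".dll", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".scr"}
ENCRYPTED = 0x1   # ZIP general-purpose flag bit 0: entry is password-protected


def build_sample_archive() -> bytes:
    """Construct an archive with the layout described above (illustrative, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("rasmanesc.exe", b"MZ" + b"\x00" * 62)   # placeholder bytes carrying a PE magic
        zf.writestr("exploit.dll", b"this is not a DLL")     # the fake DLL
        zf.writestr("README.txt", b"")                        # the empty decoy
        zf.writestr("run.bat", b"@echo off\r\nstart rasmanesc.exe\r\n")
    return buf.getvalue()


def triage_archive(data: bytes) -> Dict[str, object]:
    """List and assess a ZIP without extracting to disk or executing anything."""
    findings: List[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        for info in zf.infolist():
            name = info.filename
            ext = os.path.splitext(name)[1].lower()
            encrypted = bool(info.flag_bits & ENCRYPTED)
            if encrypted:
                findings.append(f"{name}: password-protected entry (content hidden from scanners)")
            if info.file_size == 0:
                findings.append(f"{name}: empty file (decoy)")
            if ext in EXECUTABLE_EXT:
                findings.append(f"{name}: executable content in a 'PoC' archive")
            if encrypted:
                continue   # the body cannot be read without the password; the listing is all we get
            body = zf.read(info)
            if ext in {".exe", ".dll"} and not body.startswith(b"MZ"):
                findings.append(f"{name}: no MZ header (fake {ext[1:].upper()})")
            if ext in {".bat", ".cmd"}:
                script = body.decode("utf-8", "replace").lower()
                for other in names:
                    if other != name and other.lower() in script:
                        findings.append(f"{name}: launches {other}")
    return {"entries": names, "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    report = triage_archive(build_sample_archive())
    for line in report["findings"]:
        print(line)
```

On a real password-protected sample the header-level checks still work (names, sizes, the encrypted flag), which is usually enough to decide that the archive goes to a sandbox rather than a developer workstation.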
Host-Based Indicators
Scheduled Tasks
· The malware ensures persistence by creating a task to run the executable daily at 4:00 AM.
Registry/Process Activity
· Disabling of Windows Defender components during the initial infection phase.
Tools Used in Campaign
· WebRAT malware
· GitHub platform
· Social engineering
TTPs
· T1204.002: User Execution: Malicious File. Victims run the fake "exploit" executable from the downloaded archive.
· T1562.001: Impair Defenses: Disable or Modify Tools. The dropper disables Windows Defender components.
· T1053.005: Scheduled Task/Job: Scheduled Task. A daily 4:00 AM task provides persistence.
· T1071.001: Application Layer Protocol: Web Protocols. Payload retrieval and C2 over HTTP/S.
· T1048: Exfiltration Over Alternative Protocol.
· T1021.001: Remote Services: Remote Desktop Protocol.
Malware Names
· WebRAT
Malware Sample
As a reminder, hashes tend to change between samples.
For best results, review and hunt on the malware's behaviour rather than on the hash alone.
sha256
fe0e093058074512febd0db6385e626eb256208b498e5ad948fb6a9fad43ab00
URL to sample
hxxps://www.virustotal.com/gui/file/fe0e093058074512febd0db6385e626eb256208b498e5ad948fb6a9fad43ab00
Suggested rules / potential hunts
Please keep in mind that these are indicator-based rules and are likely to be noisy.
For best results, review the matching traffic through your data models rather than alerting on these alone.
Suricata
Network Detection
Rule for Suspicious Archive Download
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE WebRAT Distribution - ZIP download from GitHub"; flow:established,to_server; http.host; content:"github"; nocase; http.uri; content:".zip"; nocase; classtype:trojan-activity; sid:2025001; rev:2;)
Notes: the Host and URI buffers are request-side, so the rule is written client-to-server (flow to_server) and the hostname is matched in http.host, not in the URI. Matching on "github" also covers codeload.github.com and objects.githubusercontent.com, where release assets are actually served. Because GitHub is served over TLS, this rule only fires where traffic is decrypted by an inspecting proxy, and it will match every ZIP fetched from GitHub, so use it for hunting rather than blocking.
Rule for Exfiltration Patterns
Monitor for HTTP/S traffic to non-standard ports or to the domains listed above; WebRAT is reported to steal Telegram, Discord, and Steam data, so correlate such traffic with access to those applications' local data.
SentinelOne
Hunt for Malicious Dropper
ProcessName = "rasmanesc.exe" OR FilePath = "*/rasmanesc.exe"
Hunt for Security Tool Disabling:
ObjectType = "Process" AND (CmdLine CONTAINS "Set-MpPreference -DisableRealtimeMonitoring $true" OR CmdLine CONTAINS "sc stop WinDefend")
Hunt for WebRAT Persistence
ObjectType = "ScheduledTask" AND (TaskName CONTAINS "rasmanesc" OR TaskCommand CONTAINS "rasmanesc.exe")
Splunk
Detect Malicious Dropper Execution
index=windows sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 Image="*\\rasmanesc.exe" | table _time, host, User, CommandLine
Identify 4 AM Persistence Tasks
index=windows sourcetype="XmlWinEventLog:Security" EventCode=4698 TaskContent="*rasmanesc.exe*" TaskContent="*T04:00:00*" | table _time, host, SubjectUserName, TaskName, TaskContent
Notes: Event 4698 (scheduled task created) is a Security-log event, not a Sysmon event, and its TaskContent field carries the task XML including the Command and StartBoundary elements, which is where the 04:00:00 trigger appears; it requires the "Audit Other Object Access Events" subcategory to be enabled. TaskScheduler/Operational event 106 records only that a task was registered (task name and user) and cannot be filtered on the trigger time, so hunt it on the task name or command instead. WebRAT typically schedules daily execution at 4:00 AM.
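The SentinelOne and Splunk hunts above, together with the host-based indicators (dropper execution, Defender tampering, the 4:00 AM scheduled task), can be checked against raw events before they are turned into vendor queries. The Python below is an added example, not code from the report or from either vendor: it evaluates Sysmon Event ID 1 and Security Event ID 4698 records and returns which detection fired. The command lines named in the report are matched first; the "sc config WinDefend" and Add-MpPreference exclusion patterns are added here as common siblings and are an assumption. All events, hostnames, paths and the task name are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

DROPPER = "rasmanesc.exe"

# Defender-tampering command lines. The first two are the commands named in this report;
# 'sc config' and Add-MpPreference exclusions are added as commonly seen variants (assumption).
DEFENDER_TAMPER = [
    re.compile(r"set-mppreference\b.*-disablerealtimemonitoring\s+\$?true", re.I),
    re.compile(r"\bsc(?:\.exe)?\s+(?:stop|config)\s+windefend\b", re.I),
    re.compile(r"add-mppreference\b.*-exclusion(?:path|process|extension)\b", re.I),
]


def detect(event: Dict[str, str]) -> List[str]:
    """Return the detection labels that fire for one Windows event (empty list if benign)."""
    alerts: List[str] = []
    eid = event.get("EventID")
    if eid == "1":                                    # Sysmon: process creation
        image = event.get("Image", "").lower()
        cmd = event.get("CommandLine", "")
        if image.endswith("\\" + DROPPER) or image == DROPPER:
            alerts.append("dropper-exec")
        if any(p.search(cmd) for p in DEFENDER_TAMPER):
            alerts.append("defender-tamper")
    elif eid == "4698":                               # Security: scheduled task created
        content = event.get("TaskContent", "")
        if DROPPER in content.lower():
            alerts.append("dropper-persistence")
            # The daily 04:00 trigger described above; on its own the time is not an indicator.
            if re.search(r"<StartBoundary>[^<]*T04:00:00", content):
                alerts.append("4am-daily-task")
    return alerts


def hunt(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Run detect() over a batch and return (host, labels) for the events that fired."""
    hits = []
    for e in events:
        labels = detect(e)
        if labels:
            hits.append((e["Computer"], labels))
    return hits


# Constructed 4698 TaskContent XML (hypothetical task name and path).
TASK_XML = (
    "<Task><Triggers><CalendarTrigger><StartBoundary>2025-12-20T04:00:00</StartBoundary>"
    "<ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>"
    "<Actions><Exec><Command>C:\\Users\\dev\\AppData\\Roaming\\rasmanesc.exe</Command></Exec></Actions></Task>"
)

# Constructed events; not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": "1", "Computer": "WS-0142", "Image": "C:\\Users\\dev\\Downloads\\PoC\\rasmanesc.exe",
     "CommandLine": "rasmanesc.exe"},
    {"EventID": "1", "Computer": "WS-0142",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": 'powershell -ep bypass -c "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"EventID": "1", "Computer": "WS-0142", "Image": "C:\\Windows\\System32\\sc.exe",
     "CommandLine": "sc stop WinDefend"},
    {"EventID": "4698", "Computer": "WS-0142", "TaskName": "\\WindowsUpdateCheck", "TaskContent": TASK_XML},
    {"EventID": "1", "Computer": "WS-0200", "Image": "C:\\Program Files\\Git\\bin\\git.exe",
     "CommandLine": "git clone https://github.com/example/repo"},
    {"EventID": "4698", "Computer": "WS-0200", "TaskName": "\\Backup",
     "TaskContent": "<Task><Triggers><CalendarTrigger><StartBoundary>2025-12-20T04:00:00</StartBoundary>"
                    "</CalendarTrigger></Triggers><Actions><Exec><Command>C:\\Tools\\backup.exe</Command>"
                    "</Exec></Actions></Task>"},
]

if __name__ == "__main__":
    for host, labels in hunt(SAMPLE_EVENTS):
        print(f"{host}: {', '.join(labels)}")
```

The last sample event is a legitimate 04:00 task and fires nothing, which is the point of anchoring the time check on the dropper name: a hunt keyed on "04:00:00" alone will page on every nightly backup job.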
Delivery Method
· Social engineering via GitHub. Users are tricked into downloading and running malicious files disguised as legitimate exploits.
Email Samples
· Not applicable
o Attacks are being executed via GitHub repositories.
References
NVD
· hxxps://nvd.nist.gov/vuln/detail/CVE-2025-10294
· hxxps://nvd.nist.gov/vuln/detail/CVE-2025-59295
· hxxps://nvd.nist.gov/vuln/detail/CVE-2025-59230
ZeroPath
· hxxps://zeropath.com/blog/cve-2025-10294-ownid-passwordless-login-authentication-bypass
Tenable
· hxxps://www.tenable.com/cve/CVE-2025-59295/plugins
· hxxps://www.tenable.com/cve/CVE-2025-59230/plugins
Wiz IO
· hxxps://www.wiz.io/vulnerability-database/cve/cve-2025-59295
Microsoft
· hxxps://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59295
· hxxps://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59230