{"id":272,"date":"2025-12-23T08:12:46","date_gmt":"2025-12-23T08:12:46","guid":{"rendered":"https:\/\/blog.ibvl.in\/index.php\/2025\/12\/23\/from-cheats-to-exploits-webrat-spreading-via-github\/"},"modified":"2025-12-23T08:12:46","modified_gmt":"2025-12-23T08:12:46","slug":"from-cheats-to-exploits-webrat-spreading-via-github","status":"publish","type":"post","link":"https:\/\/blog.ibvl.in\/index.php\/2025\/12\/23\/from-cheats-to-exploits-webrat-spreading-via-github\/","title":{"rendered":"From cheats to exploits: Webrat spreading via GitHub"},"content":{"rendered":"<div>\n<p><img width=\"990\" height=\"400\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/23073836\/SL-Webrat-featured-990x400.jpg\" class=\"attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image\" alt=\"\" decoding=\"async\" loading=\"lazy\"><\/p>\n<p>In early 2025, security researchers <a href=\"https:\/\/cybersecurefox.com\/en\/webrat-malware-gaming-platforms-threat-analysis\/\" target=\"_blank\" rel=\"noopener\">uncovered<\/a> a new malware family named Webrat. Initially, the Trojan targeted regular users by disguising itself as cheats for popular games like Rust, Counter-Strike, and Roblox, or as cracked software. In September, the attackers decided to widen their net: alongside gamers and users of pirated software, they are now targeting inexperienced professionals and students in the information security field.<\/p>\n<h2 id=\"distribution-and-the-malicious-sample\">Distribution and the malicious sample<\/h2>\n<p>In October, we uncovered a campaign that had been distributing Webrat via GitHub repositories since at least September. To lure in victims, the attackers leveraged vulnerabilities frequently mentioned in security advisories and industry news. 
Specifically, they disguised their malware as exploits for the following vulnerabilities with high CVSSv3 scores:<\/p>\n<table>\n<tbody>\n<tr>\n<td><strong>CVE<\/strong><\/td>\n<td><strong>CVSSv3<\/strong><\/td>\n<\/tr>\n<tr>\n<td>CVE-2025-59295<\/td>\n<td>8.8<\/td>\n<\/tr>\n<tr>\n<td>CVE-2025-10294<\/td>\n<td>9.8<\/td>\n<\/tr>\n<tr>\n<td>CVE-2025-59230<\/td>\n<td>7.8<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>This is not the first time threat actors have tried to lure security researchers with exploits. Last year, they similarly <a href=\"https:\/\/securelist.com\/exploits-and-vulnerabilities-q3-2024\/114839\/#cve-2024-6387-regresshion\" target=\"_blank\" rel=\"noopener\">took advantage of the high-profile RegreSSHion vulnerability<\/a>, which lacked a working PoC at the time.<\/p>\n<p>In the Webrat campaign, the attackers bait their traps with both vulnerabilities lacking a working exploit and those which already have one. To build trust, they carefully prepared the repositories, incorporating detailed vulnerability information into the descriptions. 
The information is presented in the form of structured sections, which include:<\/p>\n<ul>\n<li>Overview with general information about the vulnerability and its potential consequences<\/li>\n<li>Specifications of systems susceptible to the exploit<\/li>\n<li>Guide for downloading and installing the exploit<\/li>\n<li>Guide for using the exploit<\/li>\n<li>Steps to mitigate the risks associated with the vulnerability<\/li>\n<\/ul>\n<div id=\"attachment_118556\" style=\"width: 1437px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/22161610\/Webrat1.png\" class=\"magnificImage\"><img fetchpriority=\"high\" decoding=\"async\" aria-describedby=\"caption-attachment-118556\" class=\"size-full wp-image-118556\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/22161610\/Webrat1.png\" alt=\"Contents of the repository\" width=\"1427\" height=\"627\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/22161610\/Webrat1.png 1427w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/22161610\/Webrat1-300x132.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/22161610\/Webrat1-1024x450.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/22161610\/Webrat1-768x337.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/22161610\/Webrat1-797x350.png 797w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/22161610\/Webrat1-740x325.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/22161610\/Webrat1-637x280.png 637w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/22161610\/Webrat1-800x352.png 800w\" sizes=\"(max-width: 1427px) 100vw, 1427px\"><\/a><\/p>\n<p 
id=\"caption-attachment-118556\" class=\"wp-caption-text\">Contents of the repository<\/p>\n<\/div>\n<p>In all the repositories we investigated, the descriptions share a similar structure, characteristic of AI-generated vulnerability reports, and offer nearly identical risk mitigation advice, with only minor variations in wording. This strongly suggests that the text was machine-generated.<\/p>\n<p>The Download Exploit ZIP link in the Download &amp; Install section leads to a password-protected archive hosted in the same repository. The password is hidden within the name of a file inside the archive.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/22161711\/Webrat2.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118557\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/22161711\/Webrat2.png\" alt=\"\" width=\"1333\" height=\"729\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/22161711\/Webrat2.png 1333w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/22161711\/Webrat2-300x164.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/22161711\/Webrat2-1024x560.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/22161711\/Webrat2-768x420.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/22161711\/Webrat2-640x350.png 640w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/22161711\/Webrat2-740x405.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/22161711\/Webrat2-512x280.png 512w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/22161711\/Webrat2-800x438.png 800w\" sizes=\"auto, (max-width: 1333px) 100vw, 
1333px\"><\/a><\/p>\n<p>The archive downloaded from the repository includes four files:<\/p>\n<ol>\n<li>pass \u2013 8511: an empty file, whose name contains the password for the archive.<\/li>\n<li>payload.dll: a decoy, which is a corrupted PE file. It contains no useful information and performs no actions, serving only to divert attention from the primary malicious file.<\/li>\n<li>rasmanesc.exe (note: file names may vary): the primary malicious file (MD5\u00a061b1fc6ab327e6d3ff5fd3e82b430315), which performs the following actions:\n<ul>\n<li>Escalate its privileges to the administrator level (T1134.002).<\/li>\n<li>Disable Windows Defender (T1562.001) to avoid detection.<\/li>\n<li>Fetch from a hardcoded URL (ezc5510min.temp[.]swtest[.]ru in our example) a sample of the Webrat family and execute it (T1608.001).<\/li>\n<\/ul>\n<\/li>\n<li>start_exp.bat: a file containing a single command: start rasmanesc.exe, which further increases the likelihood of the user executing the primary malicious file.<\/li>\n<\/ol>\n<div id=\"attachment_118558\" style=\"width: 1036px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/22161754\/Webrat3.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-118558\" class=\"size-full wp-image-118558\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/22161754\/Webrat3.png\" alt=\"The execution flow and capabilities of rasmanesc.exe\" width=\"1026\" height=\"608\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/22161754\/Webrat3.png 1026w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/22161754\/Webrat3-300x178.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/22161754\/Webrat3-1024x607.png 1024w, 
https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/22161754\/Webrat3-768x455.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/22161754\/Webrat3-591x350.png 591w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/22161754\/Webrat3-740x439.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/22161754\/Webrat3-473x280.png 473w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/22161754\/Webrat3-800x474.png 800w\" sizes=\"auto, (max-width: 1026px) 100vw, 1026px\"><\/a><\/p>\n<p id=\"caption-attachment-118558\" class=\"wp-caption-text\">The execution flow and capabilities of rasmanesc.exe<\/p>\n<\/div>\n<p>Webrat is a backdoor that allows the attackers to control the infected system. Furthermore, it can steal data from cryptocurrency wallets, Telegram, Discord and Steam accounts, while also performing spyware functions such as screen recording, surveillance via a webcam and microphone, and keylogging. The version of Webrat discovered in this campaign is no different from those documented previously.<\/p>\n<h2 id=\"campaign-objectives\">Campaign objectives<\/h2>\n<p>Previously, Webrat spread alongside game cheats, software cracks, and patches for legitimate applications. In this campaign, however, the Trojan disguises itself as exploits and PoCs. This suggests that the threat actor is attempting to infect information security specialists and other users interested in this topic. It bears mentioning that any competent security professional analyzes exploits and other malware within a controlled, isolated environment, which has no access to sensitive data, physical webcams, or microphones. Furthermore, an experienced researcher would easily recognize Webrat, as it\u2019s well-documented and the current version is no different from previous ones. 
Therefore, we believe the bait is aimed at students and inexperienced security professionals.<\/p>\n<h2 id=\"conclusion\">Conclusion<\/h2>\n<p>The threat actor behind Webrat is now disguising the backdoor not only as game cheats and cracked software, but also as exploits and PoCs. This indicates they are targeting researchers who frequently rely on open sources to find and analyze code related to new vulnerabilities.<\/p>\n<p>However, Webrat itself has not changed significantly from past campaigns. These attacks clearly target users who would run the \u201cexploit\u201d directly on their machines \u2014 bypassing basic safety protocols. This serves as a reminder that cybersecurity professionals, especially inexperienced researchers and students, must remain vigilant when handling exploits and any potentially malicious files. To prevent potential damage to work and personal devices containing sensitive information, we recommend analyzing these exploits and files within isolated environments like virtual machines or sandboxes.<\/p>\n<p>We also recommend exercising general caution when working with code from open sources, always using reliable security solutions, and never adding software to exclusions without a justified reason.<\/p>\n<p>Kaspersky solutions effectively detect this threat with the following verdicts:<\/p>\n<ul>\n<li>HEUR:Trojan.Python.Agent.gen<\/li>\n<li>HEUR:Trojan-PSW.Win64.Agent.gen<\/li>\n<li>HEUR:Trojan-Banker.Win32.Agent.gen<\/li>\n<li>HEUR:Trojan-PSW.Win32.Coins.gen<\/li>\n<li>HEUR:Trojan-Downloader.Win32.Agent.gen<\/li>\n<li>PDM:Trojan.Win32.Generic<\/li>\n<\/ul>\n<h2 id=\"indicators-of-compromise\">Indicators of compromise<\/h2>\n<p><strong>Malicious GitHub repositories<\/strong><\/p>\n<p><strong>Webrat C2<\/strong><br \/>\nhttp:\/\/ezc5510min[.]temp[.]swtest[.]ru<br \/>\nhttp:\/\/shopsleta[.]ru<\/p>\n<p><strong>MD5<\/strong><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/28a741e9fcd57bd607255d3a4690c82f\/?icid=gl_sl_opentip-lnk_sm-team_17d973b2a3f6ab09\" target=\"_blank\">28a741e9fcd57bd607255d3a4690c82f<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/a13c3d863e8e2bd7596bac5d41581f6a\/?icid=gl_sl_opentip-lnk_sm-team_df99cb5235e45207\" target=\"_blank\">a13c3d863e8e2bd7596bac5d41581f6a<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/61b1fc6ab327e6d3ff5fd3e82b430315\/?icid=gl_sl_opentip-lnk_sm-team_f2b7dbeb16f68d5c\" target=\"_blank\">61b1fc6ab327e6d3ff5fd3e82b430315<\/a><\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>In early 2025, security researchers uncovered a new malware family named Webrat. Initially, the Trojan targeted regular users by disguising itself as cheats for popular games like Rust, Counter-Strike, and Roblox, or as cracked software. 
In September, the attackers decided to widen their net: alongside gamers and users of pirated software, they are now targeting [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-container-style":"default","site-container-layout":"default","site-sidebar-layout":"default","disable-article-header":"default","disable-site-header":"default","disable-site-footer":"default","disable-content-area-spacing":"default","footnotes":""},"categories":[270,90,296,99,232,236,241,297,257],"tags":[91],"class_list":["post-272","post","type-post","status-publish","format-standard","hentry","category-backdoor","category-cybersecurity","category-github","category-malware","category-malware-descriptions","category-trojan","category-vulnerabilities-and-exploits","category-webrat","category-windows-malware","tag-cybersecurity"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.7 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>From cheats to exploits: Webrat spreading via GitHub - Imperative Business Ventures Limited<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.ibvl.in\/index.php\/2025\/12\/23\/from-cheats-to-exploits-webrat-spreading-via-github\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"From cheats to exploits: Webrat spreading via GitHub - Imperative Business Ventures Limited\" \/>\n<meta property=\"og:description\" content=\"In early 2025, security researchers uncovered a new malware family named Webrat. Initially, the Trojan targeted regular users by disguising itself as cheats for popular games like Rust, Counter-Strike, and Roblox, or as cracked software. 
In September, the attackers decided to widen their net: alongside gamers and users of pirated software, they are now targeting [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/blog.ibvl.in\/index.php\/2025\/12\/23\/from-cheats-to-exploits-webrat-spreading-via-github\/\" \/>\n<meta property=\"og:site_name\" content=\"Imperative Business Ventures Limited\" \/>\n<meta property=\"article:published_time\" content=\"2025-12-23T08:12:46+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/23073836\/SL-Webrat-featured-990x400.jpg\" \/>\n<meta name=\"author\" content=\"admin\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"admin\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2025\/12\/23\/from-cheats-to-exploits-webrat-spreading-via-github\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2025\/12\/23\/from-cheats-to-exploits-webrat-spreading-via-github\/\"},\"author\":{\"name\":\"admin\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\"},\"headline\":\"From cheats to exploits: Webrat spreading via 
GitHub\",\"datePublished\":\"2025-12-23T08:12:46+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2025\/12\/23\/from-cheats-to-exploits-webrat-spreading-via-github\/\"},\"wordCount\":994,\"image\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2025\/12\/23\/from-cheats-to-exploits-webrat-spreading-via-github\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/23073836\/SL-Webrat-featured-990x400.jpg\",\"keywords\":[\"Cybersecurity\"],\"articleSection\":[\"Backdoor\",\"Cybersecurity\",\"GitHub\",\"Malware\",\"Malware descriptions\",\"Trojan\",\"Vulnerabilities and exploits\",\"Webrat\",\"Windows malware\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2025\/12\/23\/from-cheats-to-exploits-webrat-spreading-via-github\/\",\"url\":\"https:\/\/blog.ibvl.in\/index.php\/2025\/12\/23\/from-cheats-to-exploits-webrat-spreading-via-github\/\",\"name\":\"From cheats to exploits: Webrat spreading via GitHub - Imperative Business Ventures 
Limited\",\"isPartOf\":{\"@id\":\"https:\/\/blog.ibvl.in\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2025\/12\/23\/from-cheats-to-exploits-webrat-spreading-via-github\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2025\/12\/23\/from-cheats-to-exploits-webrat-spreading-via-github\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/23073836\/SL-Webrat-featured-990x400.jpg\",\"datePublished\":\"2025-12-23T08:12:46+00:00\",\"author\":{\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2025\/12\/23\/from-cheats-to-exploits-webrat-spreading-via-github\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.ibvl.in\/index.php\/2025\/12\/23\/from-cheats-to-exploits-webrat-spreading-via-github\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2025\/12\/23\/from-cheats-to-exploits-webrat-spreading-via-github\/#primaryimage\",\"url\":\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/23073836\/SL-Webrat-featured-990x400.jpg\",\"contentUrl\":\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/23073836\/SL-Webrat-featured-990x400.jpg\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2025\/12\/23\/from-cheats-to-exploits-webrat-spreading-via-github\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.ibvl.in\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"From cheats to exploits: Webrat spreading via GitHub\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.ibvl.in\/#website\",\"url\":\"https:\/\/blog.ibvl.in\/\",\"name\":\"Imperative Business Ventures 
Limited\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.ibvl.in\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\",\"name\":\"admin\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g\",\"caption\":\"admin\"},\"sameAs\":[\"https:\/\/blog.ibvl.in\"],\"url\":\"https:\/\/blog.ibvl.in\/index.php\/author\/admin_hcbs9yw6\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->"}