Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
Webrat Malware Targets Security Researchers with GitHub Exploit Traps

24 December 2025 15:58

There’s a specific moment, almost always at night, when curiosity overtakes caution. A newly opened repository, few stars but a very high score, a README file written well enough to seem real.

This is where this story takes shape. Webrat doesn’t just infect machines: it intercepts immature ambitions, the urge to “try it now,” the desire to feel part of a technical circle that matters. No longer gamers looking for shortcuts, but students and novice researchers, convinced that running a PoC on their system is a rite of passage.

The trap works because it speaks the right language, using numbers, acronyms, and details. And because it promises something that, in the world of security, is worth more than a video game win: understanding before anyone else.

A cunning malware campaign initially designed to trick gamers has turned into a dangerous trap for aspiring cybersecurity professionals. A new report from Kaspersky Labs reveals that the authors of the Webrat malware have shifted their strategy, targeting students and inexperienced researchers, disguising their backdoor as a proof-of-concept (PoC) exploit for high-profile vulnerabilities.

“In September, the attackers decided to widen their reach: in addition to gamers and users of pirated software, they are now also targeting inexperienced cybersecurity professionals and students,” the report warns.

The campaign, which intensified in October 2025, capitalizes on the security community’s curiosity and urgency by offering “working” code for critical vulnerabilities that are often not publicly exploited.

The decoys were meticulously crafted to instill trust. “Attackers placed their traps both with vulnerabilities that lacked a working exploit and with vulnerabilities that already had one.” By incorporating “detailed vulnerability information into the descriptions,” they made the repositories appear legitimate even to the untrained eye.

Webrat first emerged in early 2025, casting its net over ordinary users. Initially, attackers hid the malware within “cheats for popular games like Rust, Counter-Strike, and Roblox, or in the form of cracked software.” However, starting in September, the group changed tactics to pursue more technical prey.

To accomplish this, the attackers created malicious GitHub repositories and populated them with fake exploits for vulnerabilities with high CVSS scores. These included CVE-2025-59295 (CVSS 8.8), CVE-2025-10294 (CVSS 9.8), and CVE-2025-59230 (CVSS 7.8).

Despite the sophisticated lure, the malware itself remains unchanged: a basic backdoor. The attack’s success depends entirely on the victim’s willingness to execute unverified code.

“These attacks clearly target users who would like to run the exploit directly on their computers, bypassing basic security protocols,” the report concludes.

Security experts recommend that researchers always analyze new exploits in isolated virtual environments and avoid adding exclusion rules to antivirus software without absolute certainty.

The strength of the campaign does not lie in the malware, which remains banal, almost disappointing.

It lies in the context: a historical moment in which critical vulnerabilities become bargaining chips and the fear of being left behind pushes us to skip key steps.

Webrat thrives on hasty executions, on non-isolated machines, and on antivirus programs disabled “just for a moment.” It’s an attack that doesn’t force doors; it finds them already open. And while the most experienced professionals recognize the deception, the real victims are those who are still learning, those who confuse boldness with competence. In this fragile space between study and recklessness, the backdoor slips in silently.

Redazione

The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.