Categories: Cyber Security News

Malicious Actors Abuse GitHub Proof-of-Concept Projects to Infect Users

Cybersecurity experts from Solar 4RAYS, the cyberthreat research division of the Solar Group, have uncovered a new information-stealing malware named Webrat that has been actively spreading since early 2025.

The malware spies on victims through desktop screens and webcams and steals sensitive data from browsers, cryptocurrency wallets, game stores, and messaging applications.

During ongoing research into underground forums, Solar 4RAYS researchers discovered discussions and advertisements for Webrat shared across closed dark web communities.

Initial samples were released in January 2025 and were already being sold to cybercriminals via a subscription model.

Webrat primarily functions as a stealer, targeting credentials from popular gaming and communication platforms, including Steam, Discord, and Telegram, as well as crypto wallet login data.

It also includes a remote control module that enables complete control of the user interface and the installation of additional payloads, such as download blockers or cryptocurrency miners.

Weaponizing Gaming Cheats and GitHub Projects

The distribution strategy behind Webrat highlights a growing trend of abusing legitimate platforms, such as GitHub repositories and YouTube comment sections, to spread malware disguised as gaming tools.

According to experts, attackers embed Webrat into “cheat” programs for well-known games such as Rust, Counter-Strike, and Roblox.

These malicious builds often pose as software that grants in-game advantages or allows players to scan opponents for potential cheats.

Attackers publish video tutorials on YouTube explaining how to install certain “gaming utilities,” while placing links to infected archives in the comments section or video descriptions.

Similarly, GitHub repositories host modified “proof-of-concept” projects or cracked versions of legitimate software, tricking users, especially those searching for free tools or patches for blocked applications, into downloading the malware.

Once executed, Webrat connects to command-and-control (C2) servers to transmit stolen data and take remote actions on the compromised system.

Telemetry gathered from the Solar JSOC (Joint Security Operations Center) indicates that Webrat uses encrypted HTTP(S) channels and hides its configuration details to evade network detection.

Beyond gamers, experts warn that office employees who install pirated or unverified software could also become victims, potentially exposing sensitive company information.

Researchers found discussions suggesting Webrat operators have leveraged stolen personal details for blackmail or swatting (false emergency calls to victims’ locations, intended to cause fear or harm).

To reduce risk, Solar 4RAYS advises users to install reputable antivirus or endpoint protection solutions and avoid downloading files from untrusted platforms.

For incident response teams, the researchers have published Indicators of Compromise (IOCs), including known C2 server addresses, on the Solar 4RAYS blog to help identify and block Webrat-related activity across corporate environments.


The post Malicious Actors Abuse GitHub Proof-of-Concept Projects to Infect Users appeared first on Cyber Security News.

rssfeeds-admin
