Apart from dumping the exploit code, the repositories included detailed sections with overviews of the vulnerability, system impact, install guides, usage steps, and even mitigation advice. The format's consistency with a professional PoC write-up suggests the descriptions are machine-generated to avoid detection by seasoned professionals, Kaspersky researchers noted in a blog post.
The malicious payload and behavior
Beneath the polished README, the attackers dumped a password-protected ZIP linked from the repository. The archive password was hidden in file names, something easily missed by unsuspecting eyes. Inside, the key components include a decoy DLL, a batch file to launch the malware, and the primary executable (such as rasmanesc.exe), which is capable of escalating privileges, disabling Windows Defender, and retrieving the real Webrat payload from hardcoded command-and-control (C2) servers.
Once executed, Webrat installs a backdoor on the host system. The backdoor can exfiltrate credentials, access cryptocurrency wallets, spy through webcams and microphones, log keystrokes, and steal data from messaging apps such as Telegram and Discord, as well as from gaming platforms such as Steam.
