WebRAT (also known as Webrat or Salat Stealer) is a sophisticated backdoor trojan and infostealer malware, primarily targeting Windows systems. Developed in Go, it functions as a remote access tool (RAT) that grants attackers unauthorized control over infected machines. Initially distributed in early 2025 via pirated game cheats (e.g., for Rust, Counter-Strike, and Roblox) and cracked software, it has evolved to target aspiring cybersecurity professionals and students by masquerading as proof-of-concept (PoC) exploits for recent vulnerabilities on GitHub repositories. These fake repos often include AI-generated descriptions covering vulnerability details, installation guides, and mitigation steps to appear legitimate.
Once executed, WebRAT uses UPX packing for obfuscation and disguises itself as legitimate processes (e.g., Lightshot.exe, Procmon.exe, or RuntimeBroker.exe) in trusted directories like C:\Program Files (x86)\Windows NT. It communicates with command-and-control (C2) servers via UDP, HTTPS, and WebSockets for real-time commands, including remote PowerShell execution.
Key Capabilities
• Data Theft: Steals browser credentials (e.g., from Chrome, Edge, Opera, Brave), cryptocurrency wallet data (e.g., from Coinomi, Exodus, MetaMask extensions), and session tokens from apps like Telegram, Discord, and Steam.
• Surveillance: Records screens, accesses webcams and microphones, and logs keystrokes.
• Persistence and Evasion: Modifies Windows Registry Run keys, creates deceptive Task Scheduler entries (e.g., triggering every 3 minutes for 30 days), tampers with Windows Defender exclusions, and injects into system directories.
• Privilege Escalation: Elevates to administrator rights and disables security tools like Windows Defender.
• Additional Payloads: Downloads and executes further malware from hardcoded C2 URLs (e.g., salat.cn/sa1at or webrat.in/login).
How Does It Spread?
Attackers upload malicious ZIP archives to GitHub. The archives are password-protected, and the password is often disclosed in the repository itself, typically as an empty file whose filename is the password. The archive contains decoy files, a corrupted DLL, a batch script, and the main dropper (e.g., rasmanesc.exe). Downloading and extracting it from an untrusted source and running the contents triggers infection. As of December 2025, at least 15 such repos have been identified and removed by GitHub.
How to Remove WebRAT
Removing WebRAT requires a multi-step approach: eradicate the malware, remove its persistence mechanisms, and prevent reinfection. Always back up important data to an external drive before starting, and perform these steps in Safe Mode if possible. Use reputable antivirus software; do not rely solely on built-in tools like Windows Defender if it has been tampered with.
Step-by-Step Removal Guide
1. Disconnect from the Internet: Immediately go offline to prevent further C2 communication or data exfiltration.
2. Run a Full System Scan with Antivirus:
• Use tools like Kaspersky, Malwarebytes, or ESET, which detect WebRAT variants (e.g., verdicts: HEUR:Trojan.Python.Agent.gen, PDM:Trojan.Win32.Generic).
• Download fresh definitions from the vendor’s site on a clean device if needed.
• Quarantine and delete any detections, including files like rasmanesc.exe (MD5: 61b1fc6ab327e6d3ff5fd3e82b430315) or packed executables.
3. Remove Persistence Mechanisms:
• Registry Keys: Open Registry Editor (regedit.exe) and navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Delete suspicious entries (e.g., those pointing to Lightshot.exe, Procmon.exe, or RuntimeBroker.exe in unusual paths).
• Task Scheduler: Open Task Scheduler (taskschd.msc) and delete tasks with names like “Lightshot” or “Procmon” that run executables from AppData or Program Files.
• Startup Folders: Check and clear C:\Users\[YourUsername]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup and the system-wide equivalent.
4. Restore Windows Defender and Security Settings:
• Reset exclusions: In Windows Security > Virus & threat protection > Manage settings > Add or remove exclusions, remove any suspicious paths (e.g., C:\Program Files, AppData).
• Re-enable real-time protection if disabled.
5. Block C2 Traffic:
• Add firewall rules to block IPs (e.g., 104.21.80.1) and domains (e.g., salat.cn, webrat.in) using Windows Firewall or your router settings.
• Monitor outbound traffic with tools like Wireshark for anomalies.
6. Clean Up and Verify:
• Delete temporary files and empty Recycle Bin.
• Change all passwords (especially for browsers, email, and financial accounts) from a clean device.
• Run a secondary scan with a different tool (e.g., AdwCleaner for adware remnants).
• If you’re unsure, use an endpoint detection and response (EDR) tool or consult a professional for forensic analysis.
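The following PowerShell triage script is an added example, not part of the original guide. It reports the persistence and Defender-tampering indicators from steps 3 and 4 (Run keys, scheduled tasks, Defender exclusions, real-time protection state) so each finding can be verified before it is deleted by hand; the process names come from the text above, while the directory pattern and task-name pattern are assumptions. Run it from an elevated PowerShell session.

```powershell
# Added triage example (not the article's own code). Read-only: it reports, it does not delete.
# Suspect process names are taken from the article; the path regex is an assumption
# based on the directories the article says WebRAT hides in.
$SuspectNames  = @('Lightshot.exe', 'Procmon.exe', 'RuntimeBroker.exe', 'rasmanesc.exe')
$SuspectPathRx = 'AppData|Program Files'          # assumed hiding places (incl. "Program Files (x86)\Windows NT")
$SuspectTaskRx = 'Lightshot|Procmon'              # task names the article cites as deceptive
$Findings = New-Object System.Collections.Generic.List[string]

# Step 3, Run keys: HKCU and HKLM entries that launch one of the suspect names.
foreach ($Key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    if (-not (Test-Path $Key)) { continue }
    $Props = Get-ItemProperty -Path $Key
    foreach ($Prop in ($Props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        $Cmd = [string]$Prop.Value
        foreach ($Exe in $SuspectNames) {
            if ($Cmd -match [regex]::Escape($Exe)) { $Findings.Add("RunKey: $Key\$($Prop.Name) -> $Cmd") }
        }
    }
}

# Step 3, Task Scheduler: tasks with a deceptive name, or whose action runs a suspect
# binary from a user/program directory rather than from System32.
foreach ($Task in Get-ScheduledTask) {
    foreach ($Action in $Task.Actions) {
        $Exe = [string]$Action.Execute            # empty for COM-handler actions
        $NameHit = $Task.TaskName -match $SuspectTaskRx
        $PathHit = ($SuspectNames | Where-Object { $Exe -match [regex]::Escape($_) }) -and ($Exe -match $SuspectPathRx)
        if ($NameHit -or $PathHit) {
            $Findings.Add("Task: $($Task.TaskPath)$($Task.TaskName) -> $Exe")
        }
    }
}

# Step 4, Defender: exclusions covering the hiding places, and real-time protection state.
try {
    $Pref = Get-MpPreference
    foreach ($Ex in @($Pref.ExclusionPath) + @($Pref.ExclusionProcess)) {
        if ($Ex -and $Ex -match $SuspectPathRx) { $Findings.Add("DefenderExclusion: $Ex") }
    }
    if (-not (Get-MpComputerStatus).RealTimeProtectionEnabled) {
        $Findings.Add('Defender: real-time protection is disabled')
    }
} catch { $Findings.Add("Defender: query failed ($($_.Exception.Message)); Defender may be disabled or removed") }

if ($Findings.Count -eq 0) { 'No WebRAT persistence indicators found.' }
else { $Findings | Sort-Object -Unique }
```

A legitimate RuntimeBroker.exe lives in System32 and is not started from a Run key, so any Run-key or AppData/Program Files hit on that name warrants a closer look rather than automatic dismissal.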
Prevention Tips
• Test any code or exploits in isolated virtual machines (e.g., using VirtualBox or VMware).
• Avoid downloading from unverified GitHub repos or torrent sites.
• Enable multi-factor authentication (MFA) and use a password manager.
• Keep your OS, browsers, and antivirus updated.
If symptoms persist (e.g., high CPU usage, unexpected pop-ups, or unauthorized account activity), seek help from a cybersecurity expert. WebRAT’s advanced evasion makes manual removal risky for non-experts.