PROBABLYPWNED
MalwareJuly 8, 20264 min read

ChocoPoC RAT Targets Researchers via Fake Exploit Repos

Malicious Python PoC repositories on GitHub deliver ChocoPoC RAT to security researchers. The trojan steals credentials and provides remote access via Mapbox dead drops.

James Rivera

Security researchers hunting for proof-of-concept exploit code on GitHub are walking into traps. A campaign distributing the ChocoPoC remote access trojan has been hiding malware inside fake PoC repositories that claim to exploit recent high-profile CVEs—and at least 2,400 researchers have already downloaded the infected packages.

The malware doesn't live in the visible exploit code. Instead, it's buried in Python package dependencies that get pulled in during installation, making it nearly invisible to researchers who manually review the PoC before running it.

How the Attack Works

The infection chain is elegant in its simplicity:

  1. Victim finds a GitHub repository claiming to have a working PoC for a hot CVE
  2. They clone the repo and run pip install -r requirements.txt
  3. A malicious package called frint gets installed
  4. frint pulls in skytext as a secondary dependency
  5. skytext contains compiled malicious code (gradient.so on Linux, gradient.pyd on Windows)
  6. The malware activates only when it detects exploit-related files like EXPLOIT_POC.py

That last step is key. By checking for the presence of exploit files before executing, ChocoPoC evades automated malware sandboxes that install packages but don't actually run the PoC code.

What Gets Stolen

Once active, ChocoPoC operates as a full remote access trojan. It exfiltrates:

  • Saved passwords, cookies, autofill data, and history from Chrome, Brave, Edge, and Firefox
  • Text files, notes, and local databases
  • Shell history and network configuration
  • Running process lists
  • SSH keys and cloud provider credentials
  • Git access keys and Docker authentication tokens

For security researchers, that last category is devastating. Stolen Git credentials can lead to supply chain compromises in any repositories the researcher maintains. Cloud credentials provide access to test infrastructure that might connect to client environments.

Command and Control via Mapbox

The C2 infrastructure shows sophistication beyond typical commodity malware. ChocoPoC reads commands from Mapbox dataset "dead drops"—abusing Mapbox's legitimate data hosting service to blend in with normal traffic. Command retrieval routes through DNS-over-HTTPS with domain fronting, making network-based detection difficult.

Larger file uploads go to a separate server at 91.132.163.78. Command names appear in Spanish with hand-written code patterns, suggesting a Spanish-speaking developer rather than automated generation.

Targeted CVEs

The campaign has exploited interest in at least seven high-profile vulnerabilities, including Fortinet products that have faced ongoing targeting this year:

  • CVE-2025-64446 (FortiWeb)
  • CVE-2025-55182 (React2Shell)
  • CVE-2025-14847 (MongoBleed)
  • CVE-2026-0257 (PAN-OS)
  • CVE-2026-10520 (Ivanti Sentry)
  • CVE-2026-50751 (Check Point VPN)
  • CVE-2026-48908 (Joomla SP Page Builder)

The attackers rotate through GitHub accounts and PyPI package names, staying one step ahead of takedowns. An earlier campaign in late 2025 used different package names—slogsec and logcrypt.cryptography—suggesting this operation has been running for months.

Why Target Security Researchers?

This isn't random. Security researchers represent high-value targets for several reasons:

Access to vulnerabilities: Researchers often have early access to CVE details and working exploits before they're widely known. Stealing this research provides a head start on weaponization.

Trust relationships: A compromised researcher account can be used to publish malicious code that other researchers and organizations trust implicitly.

Client environments: Offensive security researchers frequently have access to client networks during penetration tests. Stolen credentials could provide persistent access even after engagements end.

We've seen similar targeting of security professionals through malicious npm packages that impersonate legitimate security tools. The pattern suggests coordinated interest in compromising the security research community itself.

Protecting Yourself

Researchers downloading PoC code should:

  1. Use isolated virtual machines for all exploit testing—never run untrusted code on primary workstations
  2. Manually review all dependencies in requirements.txt and package.json before installation
  3. Check package publication dates on PyPI—newly published packages for old CVEs are red flags
  4. Monitor for compiled binaries (.so, .pyd, .dll) in package installations
  5. Verify repository authenticity through the original researcher or vendor advisory

Consider using tools like pip-audit to scan dependencies for known malicious packages, though this won't catch newly minted malware like ChocoPoC before it's catalogued.

Attribution Unknown

YesWeHack and Sekoia published joint findings on July 1, but neither organization has attributed the campaign to a specific threat group. The Spanish-language command names and hand-written code patterns suggest human development rather than AI generation, but that's about all that's known about the operators.

The use of stolen or leaked credentials to create GitHub and PyPI accounts makes tracing the actual operators difficult. What's clear is that this represents an ongoing operation rather than a one-off campaign—and security researchers remain in the crosshairs.

Related Articles