    New ChocoPoC malware targets researchers via trojanized PoC exploits

By admin, July 3, 2026

Image: ChocoPoC malware delivered via trojanized exploits on GitHub

    Multiple weaponized proof-of-concept (PoC) exploits on GitHub were found delivering a Python-based remote access trojan (RAT) named ChocoPoC that can execute commands and steal sensitive data in a campaign believed to target cybersecurity researchers.

Hiding malware in PoC exploits for various vulnerabilities is not new: threat actors have posed as real security researchers and taken advantage of trending vulnerabilities to target vulnerability researchers, penetration testers, or low-skilled hackers.

However, ChocoPoC stands out because the malware is not embedded in the exploit file itself; instead, malicious Python packages are added to the PoC's dependency list.


    According to researchers at cybersecurity companies Sekoia and YesWeHack, the packages are hosted on the Python Package Index (PyPI), a platform used by Python developers to source and share code.

Once the victim clones a malicious repository and installs the PoC's listed dependencies, a trojanized package named 'frint' is automatically fetched and installed on their system.

Image: Example of a malicious repository (Source: Sekoia)

    During installation, the package pulls a malicious dependency package, ‘skytext,’ which contains a compiled native Python extension.

    When the PoC executes, the extension runs automatically and decrypts additional embedded Python code that triggers a downloader to retrieve the final payload, ChocoPoC, from a Mapbox dataset.

    The ChocoPoC RAT has the following capabilities:

    • execute arbitrary shell commands and arbitrary Python code
    • upload files and directories
    • collect browser passwords, cookies, autofill data, and browsing history
    • search for text files, markdown documentation files, and database files
    • gather shell history from the host
    • collect network configuration
    • enumerate running processes

    Mapbox datasets are also abused for data exfiltration, though larger file uploads are handled separately via an HTTP server.

Image: Infection chain (Source: Sekoia)

    Sekoia has identified at least seven PoC repositories on GitHub that distribute ChocoPoC and host exploits for FortiWeb (CVE-2025-64446), React2Shell (CVE-2025-55182), MongoBleed (CVE-2025-14847), PAN-OS (CVE-2026-0257), Ivanti Sentry (CVE-2026-10520), Check Point VPN (CVE-2026-50751), and Joomla SP Page Builder (CVE-2026-48908).

    The researchers found that skytext was downloaded 2,400 times, mostly on Linux-based systems.

    The downloads surged following the disclosure of a popular vulnerability, which served as a lure to draw unsuspecting researchers into downloading and testing PoCs from the repositories.

Image: Download trends for skytext (Source: Sekoia)

Sekoia also reports that, before frint and skytext, the campaign used two other packages, 'slogsec' and 'logcrypt.cryptography', with very similar source code that delivered the same ChocoPoC payload.

It is unclear who is behind this campaign, but researchers found several email addresses associated with GitHub committers that were linked to an earlier wave of trojanized PoC exploits in late 2025.

    Sekoia found that credentials for two of the emails used in the campaigns appeared in leak databases, and the login for another one “highly likely originates from an infostealer compromise.”

    “According to these findings, we assess with high confidence that the attacker primarily employed compromised accounts to publish malicious PyPI packages and PoCs,” Sekoia researchers say.

Researchers warn that the new delivery technique leaves the exploit code itself intact and moves the malicious behavior into dependency packages that look harmless on their own.

Vulnerability researchers and penetration testers are attractive targets because they routinely run malicious or untrusted code; they are advised never to blindly trust GitHub repositories and to execute unverified code only in isolated environments.
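As an added example (not from the article, Sekoia or YesWeHack), the script below applies the isolation advice above to the dependency chain described earlier: it triages pip's `--dry-run --report` JSON before anything is installed, flagging packages the PoC never listed directly and packages that ship compiled extensions or run build code. The report layout assumed is pip's version 1 install report; the sample report is constructed, with the article's package names and placeholder versions and URLs.

```python
import re

# Constructed sample of what `pip install --dry-run --report r.json -r requirements.txt`
# writes for a PoC listing 'requests' and 'frint'; only fields read below are kept.
# Package names follow the article; versions and URL paths are placeholders.
SAMPLE_REPORT = {
    "version": "1",
    "install": [
        {"requested": True,
         "metadata": {"name": "requests", "version": "2.32.3"},
         "download_info": {"url": "https://files.pythonhosted.org/PLACEHOLDER/requests-2.32.3-py3-none-any.whl"}},
        {"requested": True,
         "metadata": {"name": "frint", "version": "0.1.2", "requires_dist": ["skytext"]},
         "download_info": {"url": "https://files.pythonhosted.org/PLACEHOLDER/frint-0.1.2.tar.gz"}},
        {"requested": False,
         "metadata": {"name": "skytext", "version": "1.0.0"},
         "download_info": {"url": "https://files.pythonhosted.org/PLACEHOLDER/skytext-1.0.0-cp311-cp311-manylinux_2_17_x86_64.whl"}},
    ],
}

# Last three dash-separated wheel tags: python, ABI, platform (PEP 427 naming).
WHEEL_TAGS = re.compile(r"-([^-]+)-([^-]+)-([^-]+)\.whl$")

def classify_artifact(url):
    """'pure' for py3-none-any wheels, 'binary' for platform wheels, 'sdist' otherwise."""
    m = WHEEL_TAGS.search(url.rsplit("/", 1)[-1])
    if not m:
        return "sdist"  # build backend / setup.py executes at install time
    _python, abi, platform = m.groups()
    return "pure" if abi == "none" and platform == "any" else "binary"

def triage(report):
    """Return (name, version, reason) for each planned install that deserves a manual look."""
    findings = []
    for item in report["install"]:
        kind = classify_artifact(item["download_info"]["url"])
        reasons = []
        if not item.get("requested", False):
            reasons.append("transitive dependency not listed by the PoC")
        if kind == "binary":
            reasons.append("ships a compiled native extension")
        elif kind == "sdist":
            reasons.append("source distribution, build code runs on install")
        if reasons:
            findings.append((item["metadata"]["name"], item["metadata"]["version"], "; ".join(reasons)))
    return findings

if __name__ == "__main__":
    for name, version, reason in triage(SAMPLE_REPORT):
        print(f"{name}=={version}: {reason}")
```

pip may still build a source distribution to read its metadata during the dry run, so run the resolution step itself inside the isolated environment the article recommends.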