New ChocoPoC malware targets researchers via trojanized PoC exploits

Cybersecurity Researchers Targeted by Malicious Proof-of-Concept Exploits Delivering ChocoPoC RAT

Researchers have uncovered a campaign in which multiple proof-of-concept (PoC) exploits on GitHub are used to deliver a Python-based remote access trojan (RAT) named ChocoPoC. The malware targets cybersecurity researchers and can execute commands, steal sensitive data, and upload files from the compromised system.

The campaign relies on weaponized PoC exploits for several vulnerabilities, including ones affecting FortiWeb, React2Shell, and PAN-OS. What sets ChocoPoC apart is its delivery mechanism: instead of embedding malware directly in the exploit file, the attackers added malicious Python packages to the PoC’s dependency list. Those packages are hosted on the Python Package Index (PyPI), the registry developers use to source and share code.

Once the victim clones a malicious repository and installs its listed dependencies, a trojanized package named ‘frint’ is fetched and installed on their system. That package in turn pulls in a malicious dependency called ‘skytext,’ which contains a compiled native Python extension. When the PoC is run, the extension executes automatically and decrypts additional embedded Python code, which launches a downloader that retrieves the final payload, ChocoPoC.

The ChocoPoC RAT has a range of capabilities, including executing arbitrary shell commands, uploading files and directories, collecting browser passwords and cookies, and even gathering network configuration. The attackers have also used Mapbox datasets for data exfiltration, although larger file uploads are handled separately via an HTTP server.

According to researchers at Sekoia, the campaign has been ongoing since late 2025 and has already affected multiple cybersecurity researchers. They identified at least seven PoC repositories on GitHub that distribute ChocoPoC, with most downloads taking place after a widely publicized vulnerability was disclosed. The malicious package ‘skytext’ had been downloaded over 2,400 times, mostly on Linux-based systems.

It is unclear who is behind this campaign, but Sekoia’s analysis suggests that the attackers primarily used compromised accounts to publish the malicious PyPI packages and PoCs. Keeping the exploit itself intact and moving the malicious behavior into seemingly harmless dependency packages lets the PoC pass a casual review while still compromising anyone who installs it.

In light of this discovery, cybersecurity researchers are advised to exercise extreme caution when working with unverified code from GitHub repositories. They should never blindly trust these sources, and should run untrusted code, including its dependency installation, only in isolated environments. Taking these precautions reduces exposure to attacks like ChocoPoC and helps researchers stay a step ahead of the attackers.
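The dependency-list delivery chain described above (a listed package pulling in a second package that ships a native extension) and the advice to review before executing both point to the same control: audit what a PoC would install before `pip install` runs. The following is an added example, not Sekoia's or the reporting outlet's tooling; it assumes the repository has been cloned and its wheels fetched with `pip download --no-deps` into a directory, and it reads requirements files and wheel metadata without importing or installing anything. The package names in `KNOWN_BAD` are the two named in the report; the sample repository and wheel are constructed inline.

```python
"""Pre-install audit of a PoC's Python dependencies; run after `git clone` and
`pip download --no-deps -d wheels/ -r requirements.txt`, before any `pip install`."""
import re, tempfile, zipfile
from pathlib import Path
KNOWN_BAD = {"frint", "skytext"}           # package names from the report summarized above
NATIVE_EXT = (".so", ".pyd", ".dylib")     # compiled extensions run code as soon as imported
NAME = re.compile(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)")

def normalize(name: str) -> str:
    return re.sub(r"[-_.]+", "-", name).lower()   # PEP 503 name normalization

def parse_requirements(text: str) -> list[str]:
    """Top-level names from requirements.txt; comments, pip options and -r includes are skipped."""
    names = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and not line.startswith("-") and (m := NAME.match(line)):
            names.append(normalize(m.group(1)))
    return names

def audit_wheel(path: Path) -> tuple[list[str], list[str]]:
    """Transitive deps (Requires-Dist) and native extension files, read without installing."""
    with zipfile.ZipFile(path) as zf:
        meta = next(n for n in zf.namelist() if n.endswith(".dist-info/METADATA"))
        lines = (l.partition(":") for l in zf.read(meta).decode().splitlines())
        deps = [normalize(NAME.match(v).group(1)) for k, _, v in lines if k == "Requires-Dist"]
        native = [n for n in zf.namelist() if n.endswith(NATIVE_EXT)]
    return deps, native

def audit(repo: Path, wheels: Path, allowlist: set[str]) -> dict[str, list[str]]:
    """Flag known-bad names, anything not on the reviewer's allowlist, and native code."""
    findings = {"known_bad": [], "unreviewed": [], "native": []}
    declared = {n for req in repo.rglob("requirements*.txt") for n in parse_requirements(req.read_text())}
    for whl in sorted(wheels.glob("*.whl")):
        deps, native = audit_wheel(whl)
        declared.update(deps)                  # what the top-level package would pull in
        findings["native"] += [f"{whl.name}: {n}" for n in native]
    for name in sorted(declared):
        bucket = "known_bad" if name in KNOWN_BAD else "unreviewed" if name not in allowlist else None
        if bucket:
            findings[bucket].append(name)
    return findings

def build_sample() -> tuple[Path, Path]:
    """Constructed repo + wheel mimicking the reported chain (frint -> skytext, native .so)."""
    root = Path(tempfile.mkdtemp())
    (root / "requirements.txt").write_text("requests>=2.31\nfrint==0.1  # helper\n-r dev.txt\n")
    (root / "wheels").mkdir()
    with zipfile.ZipFile(root / "wheels" / "frint-0.1-py3-none-any.whl", "w") as zf:
        zf.writestr("frint-0.1.dist-info/METADATA", "Name: frint\nRequires-Dist: skytext (>=1.0)\n")
        zf.writestr("frint/_ext.cpython-311-x86_64-linux-gnu.so", b"\x7fELF")
    return root, root / "wheels"
```

Calling `audit(*build_sample(), {"requests"})` reports `frint` and `skytext` as known-bad and the bundled `.so` as native code, while `requests` passes the allowlist; any name in `unreviewed` is one the PoC would install that nobody has vetted.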

Ultimately, this incident serves as a reminder that cybersecurity researchers are often at risk themselves, and it’s essential for them to be mindful of the tools and resources they use. By being proactive in testing and verifying code, we can prevent malicious campaigns from spreading and keep our online environments safe.


Source: Bleeping Computer — 2026-07-01