Full Report
Attackers are hiding a data-stealing trojan inside fake exploit code aimed at the people who hunt bugs for a living. The malware, called ChocoPoC, travels in Python proof-of-concept (PoC) repositories on GitHub that claim to exploit hot new CVEs. Run one, and it quietly lifts your saved passwords, browser cookies, and files, then hands the attacker a shell on your machine. YesWeHack and
Analysis Summary
# Tool/Technique: ChocoPoC (Remote Access Trojan)
## Overview
ChocoPoC is a data-stealing Remote Access Trojan (RAT) specifically designed to target cybersecurity researchers and bug hunters. It is distributed via malicious GitHub repositories masquerading as Proof-of-Concept (PoC) exploit code for high-profile vulnerabilities. The malware leverages a sophisticated multi-stage supply chain attack, hiding its malicious logic within nested Python package dependencies to evade manual code reviews.
## Technical Details
- **Type**: Malware family (Remote Access Trojan / Infostealer)
- **Platform**: Linux (dominant) and Windows
- **Capabilities**: Credential theft, file exfiltration, remote shell access, and anti-sandbox evasion.
- **First Seen**: Late 2025 (earlier variants), with a major campaign identified in July 2026.
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
- [T1195.002 - Supply Chain Compromise: Compromise Software Dependencies]
- **[TA0002 - Execution]**
- [T1059.006 - Command and Scripting Interpreter: Python]
- **[TA0005 - Defense Evasion]**
- [T1480.001 - Execution Guardrails: Environmental Keying] (Checks for specific PoC file names)
- [T1027 - Obfuscation]
- **[TA0006 - Credential Access]**
- [T1555.003 - Credentials from Web Browsers]
- **[TA0011 - Command and Control]**
- [T1071.001 - Application Layer Protocol: Web Protocols]
- [T1568.002 - Dynamic Resolution: Domain Generation Algorithms] (Dead drop resolvers)
## Functionality
### Core Capabilities
- **Browser Theft**: Extracts saved passwords, cookies, autofill data, and history from Chrome, Brave, Edge, and Firefox.
- **System Reconnaissance**: Collects shell history, network settings, and lists of running processes.
- **File Exfiltration**: Targets text files, notes, and local database files.
- **Remote Shell**: Provides the attacker with a functional shell to execute arbitrary commands.
### Advanced Features
- **Anti-Sandbox Evasion**: The malware remains dormant unless it detects it is being executed alongside the intended "fake" PoC script (e.g., checking for `EXPLOIT_POC.py`).
- **Sneaky C2 Infrastructure**: Uses Mapbox (a legitimate mapping service) as a "dead drop" for commands. It utilizes DNS-over-HTTPS and domain-fronting to make malicious traffic appear as legitimate API calls.
- **Dependency Nesting**: Hides logic across multiple packages (`frint` -> `skytext`) to bypass simple dependency checks.
## Indicators of Compromise
- **File Names**:
- `gradient.so` (Linux)
- `gradient.pyd` (Windows)
- `skytext` (Python package)
- `frint` (Python package)
- `slogsec` / `logcrypt.cryptography` (Legacy variants)
- **Network Indicators**:
- `91[.]132[.]163[.]78` (Data exfiltration server)
- Mapbox API endpoints (Used for C2 dead drop)
- **Behavioral Indicators**:
- Python processes checking for the presence of specific file names like `EXPLOIT_POC.py`.
- Unexpected outbound DNS-over-HTTPS traffic to mapping service domains.
## Associated Threat Actors
- **Unnamed Operator**: Currently unidentified, though researchers note the use of Spanish command names and hand-written (non-AI) code.
- **Historical Context**: While not directly linked, the tactics mirror those used by **Lazarus Group** (North Korea) and other actors targeting the infosec community.
## Detection Methods
- **Signature-based**: Detection of compiled Python extensions (`.so`/`.pyd`) within unexpected PyPI packages.
- **Behavioral**: Monitoring for `pip` installations that lead to unauthorized browser profile access or the creation of reverse shells.
- **YARA Rules**: Scanning for the presence of the Spanish-language command strings found in the malware's backend logic.
## Mitigation Strategies
- **Code Review**: Thoroughly vet all third-party PoC code and their requirements (specifically `requirements.txt`) before execution.
- **Isolation**: Always run community-sourced exploits in a dedicated, non-persistent virtual machine or sandbox that does not contain sensitive personal data or credentials.
- **Dependency Management**: Use tools to audit Python dependencies for known malicious packages or "typosquatting."
- **Network Restricting**: Implement egress filtering to prevent unauthorized connections to unknown IP addresses or suspicious DNS-over-HTTPS activity.
## Related Tools/Techniques
- **MUT-1244 Campaign**: A similar campaign that targeted researchers with fake WordPress-related PoCs.
- **Dependency Confusion/Squatting**: The core delivery method used to smuggle the malware onto the system.