VYPR research
Published Jul 2, 2026 · 1 source

ChocoPoC Campaign Targets Researchers with Trojanized Exploits and Mapbox C2

A sophisticated campaign named ChocoPoC is weaponizing proof-of-concept exploit code to target vulnerability researchers, distributing a Python RAT via GitHub and PyPI.

Security researchers have uncovered a persistent campaign, dubbed ChocoPoC, that subverts trusted proof-of-concept (PoC) exploit code to target vulnerability researchers themselves. The operation injects a fully functional Python remote access trojan (RAT) into trojanized exploit code distributed through platforms like GitHub and the Python Package Index (PyPI). Victims who download and execute what appears to be legitimate PoC code unknowingly install a backdoor capable of stealing sensitive data and executing arbitrary commands.

The attackers employ a multi-stage infection chain that begins with poisoned GitHub repositories and malicious Python packages. Often the fake exploit code ships with a tampered requirements.txt: when the victim runs the routine pip install -r requirements.txt, that file quietly pulls in an additional, malicious dependency unrelated to the exploit itself. That first step kicks off a sequence involving a compiled native extension, anti-debugging measures, and a downloader script that fetches the final RAT payload from the internet. Analysts at Sekoia noted that the group has been active since at least 2023, continuously refining its lures and infrastructure rather than abandoning the approach after previous exposures.

The ChocoPoC campaign's persistence suggests a deliberate, long-term strategy focused on the vulnerability research community. Sekoia's report highlights that security researchers have become attractive targets because compromising them can provide early access to unpublished exploits and valuable research data. Furthermore, researchers frequently disable security tools while testing exploits, making them comparatively easier targets than typical enterprise users.

The infection process commences when a victim installs a rigged package, which drops a native extension module (e.g., gradient.so on Linux, gradient.pyd on Windows). Because the module is imported through Python's ordinary extension-loading machinery, the malicious code runs inside the interpreter process rather than as a separate, conspicuous binary written to disk. Once active, the code executes anti-debugging checks, looking for hardware breakpoints and testing for the presence of a remote debugger before proceeding.

A subsequent hashing routine then walks the researcher's local files, comparing their names against a built-in list covering typical exploit filenames such as exploit.py or EXPLOIT_POC.py. Only if a match is found does it drop a hidden Python launcher named choco.py, which prepares to download the actual remote access trojan. This gating means the malware activates only in an environment that looks like a security researcher's; it also means a bare analysis VM containing no such files will never reach the second stage, so dynamic analysis should seed the sandbox with matching filenames.
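To make the requirements.txt and native-extension checks concrete, here is an added example, not code from Sekoia's report or from the campaign: a small pre-install audit a researcher can run over a downloaded PoC directory before typing pip install. It lists requirements that none of the PoC's own source files import, any compiled extension modules sitting in the tree, and the choco.py launcher name. The sample tree it builds, the gradient-helper-example package name and the distribution-to-import alias map are constructed for illustration.

```python
import ast
import re
import tempfile
from pathlib import Path

# Suffixes Python's importer will load as compiled extension modules
NATIVE_SUFFIXES = {".so", ".pyd", ".dylib"}

# Filename the report ties to the ChocoPoC launcher stage
SUSPECT_FILENAMES = {"choco.py"}

# Distribution name -> import name where the two differ. Illustrative only
# (assumption): extend it for the packages you actually use.
DIST_TO_IMPORT = {"pyyaml": "yaml", "beautifulsoup4": "bs4", "pillow": "PIL"}

REQ_NAME = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name: str) -> str:
    """PEP 503 name normalisation: lower-case, runs of -_. become a single -."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(path: Path) -> set:
    """Distribution names listed in a requirements.txt (comments and pip options skipped)."""
    names = set()
    if not path.is_file():
        return names
    for raw in path.read_text(encoding="utf-8", errors="replace").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blank line or option such as -r / --index-url
            continue
        m = REQ_NAME.match(line)
        if m:
            names.add(normalize(m.group(1)))
    return names


def imported_top_level(py_file: Path) -> set:
    """Top-level module names a Python file imports; unparsable files yield none."""
    try:
        tree = ast.parse(py_file.read_text(encoding="utf-8", errors="replace"))
    except SyntaxError:
        return set()
    mods = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            mods.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            mods.add(node.module.split(".")[0])
    return mods


def audit_poc(root: Path) -> dict:
    """Flag requirements nothing imports, compiled extensions, and known launcher names."""
    root = Path(root)
    findings = {"unused_requirements": [], "native_extensions": [], "suspect_files": []}
    imported = set()
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if p.suffix == ".py":
            imported |= imported_top_level(p)
            if p.name in SUSPECT_FILENAMES:
                findings["suspect_files"].append(rel)
        elif p.suffix in NATIVE_SUFFIXES:
            findings["native_extensions"].append(rel)
    imported_norm = {normalize(m) for m in imported}
    for dist in sorted(parse_requirements(root / "requirements.txt")):
        if normalize(DIST_TO_IMPORT.get(dist, dist)) not in imported_norm:
            findings["unused_requirements"].append(dist)
    return findings


def build_sample_poc(dest: Path) -> Path:
    """Write a constructed PoC tree shaped like the lure the report describes."""
    dest = Path(dest)
    (dest / "exploit.py").write_text("import sys\nimport requests\n\nprint('poc')\n")
    # second requirement is a constructed name the exploit never imports
    (dest / "requirements.txt").write_text(
        "requests==2.31.0\n# pinned for reproducibility\ngradient-helper-example>=1.0\n"
    )
    # compiled extension dropped beside the PoC (constructed name, ELF magic only)
    (dest / "gradient.cpython-311-x86_64-linux-gnu.so").write_bytes(b"\x7fELF")
    (dest / ".cache").mkdir()
    (dest / ".cache" / "choco.py").write_text("# launcher placeholder\n")
    return dest


def demo() -> dict:
    """Build the constructed tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_poc(build_sample_poc(Path(tmp)))


if __name__ == "__main__":
    for key, items in demo().items():
        print(f"{key}: {items or 'none'}")
```

A flagged requirement is not proof of tampering: packages imported under a different name (pyyaml versus yaml) or used only by a build step will show up too, which is why the alias map exists. The point of the check is that an unexplained entry has to be explained before pip install, not after.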

Instead of communicating with a traditional command-and-control (C2) server, the downloader utilizes the legitimate Mapbox Datasets API as a dead-drop C2 channel. It retrieves its next set of instructions from a stored dataset property within the Mapbox service. This technique allows malicious traffic to blend seamlessly with normal web requests to a well-known cloud platform, significantly hindering detection efforts. To further evade network monitoring, the malware resolves names through DNS-over-HTTPS (DoH) resolvers instead of the system's default name servers, so the lookups for its infrastructure never appear in local DNS logs and sidestep DNS-based blocking.
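The two network indicators above translate into a simple proxy-log check. The following is an added example, not code from Sekoia's report: it labels requests to public DoH resolvers and scripted (non-browser) fetches of the Mapbox Datasets API, then correlates both by source host. The tab-separated log format, the IP addresses, the exampleuser/ds0001 dataset path and the redacted token are constructed for illustration; the api.mapbox.com host and the /datasets/v1/{username}/{dataset_id} prefix follow Mapbox's public API layout, and the resolver list is deliberately short.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Public DoH endpoints to watch for; illustrative, not exhaustive (assumption)
DOH_ENDPOINTS = {
    ("dns.google", "/dns-query"),
    ("cloudflare-dns.com", "/dns-query"),
    ("dns.quad9.net", "/dns-query"),
}

# Mapbox Datasets API paths look like /datasets/v1/{username}/{dataset_id}...
MAPBOX_DATASETS = re.compile(r"^/datasets/v1/[^/]+/[^/]+")

# User-agent strings that indicate a script rather than a browser session
SCRIPT_UA = re.compile(r"python-(requests|urllib)|urllib3|\bcurl/|\bWget/", re.I)

# Constructed proxy log: ts<TAB>src_ip<TAB>method<TAB>url<TAB>user_agent.
# Hosts, IPs, the username/dataset id and the token are placeholders.
SAMPLE_LOG = """\
2026-07-01T09:12:03Z\t10.0.0.12\tGET\thttps://api.mapbox.com/datasets/v1/exampleuser/ds0001/features?access_token=pk.REDACTED\tpython-requests/2.31.0
2026-07-01T09:12:04Z\t10.0.0.12\tPOST\thttps://cloudflare-dns.com/dns-query\tpython-requests/2.31.0
2026-07-01T09:13:10Z\t10.0.0.40\tGET\thttps://api.mapbox.com/styles/v1/mapbox/streets-v12\tMozilla/5.0 (X11; Linux x86_64) Firefox/127.0
2026-07-01T09:14:00Z\t10.0.0.40\tGET\thttps://api.mapbox.com/datasets/v1/exampleuser/ds0001\tMozilla/5.0 (X11; Linux x86_64) Firefox/127.0
2026-07-01T09:15:22Z\t10.0.0.12\tGET\thttps://pypi.org/simple/requests/\tpip/24.0
"""


def parse_line(line: str) -> Optional[dict]:
    """Split one constructed log line; returns None for malformed lines."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 5:
        return None
    ts, src, method, url, ua = parts
    return {"ts": ts, "src": src, "method": method, "url": url, "ua": ua}


def classify(rec: dict) -> Optional[str]:
    """Label a request as a DoH resolver call, a scripted Mapbox dataset fetch, or neither."""
    u = urlsplit(rec["url"])
    host = (u.hostname or "").lower()
    # RFC 8484 DoH: a known resolver host, or the conventional /dns-query path anywhere
    if (host, u.path) in DOH_ENDPOINTS or u.path == "/dns-query":
        return "doh_resolver"
    # Browsers and map SDKs hit api.mapbox.com legitimately; the script UA is the
    # discriminator, so keep that gate or expect noise from web developers
    if host == "api.mapbox.com" and MAPBOX_DATASETS.match(u.path) and SCRIPT_UA.search(rec["ua"]):
        return "mapbox_dataset_dead_drop"
    return None


def scan(lines) -> list:
    """Return every log record that matches one of the two indicators."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec)
        if label:
            hits.append({**rec, "indicator": label})
    return hits


def correlate(hits: list) -> dict:
    """Group indicators by source host; both from one host is the stronger signal."""
    by_src = {}
    for h in hits:
        by_src.setdefault(h["src"], set()).add(h["indicator"])
    return by_src


if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for h in found:
        print(h["ts"], h["src"], h["indicator"], h["url"])
    for src, inds in correlate(found).items():
        if len(inds) > 1:
            print(f"{src}: {sorted(inds)} -> review this host")
```

Either indicator on its own is noisy: Firefox and some enterprise resolvers use DoH by design, and anyone building a web map talks to api.mapbox.com. A single host that both fetches a dataset from a script and resolves through DoH, within minutes, is what deserves a look.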

Once established, the Python RAT grants attackers capabilities including running shell commands, executing additional Python code, browsing and exfiltrating files, harvesting saved browser data, and collecting basic system information such as network configurations and running processes. The RAT also includes a delay command, allowing operators to pause activity and avoid detection during quiet periods between active campaign phases. Some strings within the malware are in Spanish, suggesting a potential origin for the developers, although the campaign's targeting is international.

Sekoia recommends that individuals downloading PoC code meticulously review it before execution, avoid installing packages from unfamiliar or newly created repositories, and treat unexpected native extensions with extreme suspicion. That review should include requirements.txt itself: a dependency that none of the PoC's source files import is a red flag. Running suspicious exploit code within an isolated sandbox environment, rather than on a primary research machine, is also advised to limit potential damage. Given the campaign's reliance on trust within the open research community, ongoing vigilance and cross-verification of PoC sources remain the most practical defenses.

Synthesized by Vypr AI