New ChocoPoC RAT Targets Vulnerability Researchers via Fake PoC Exploit Repos
ChocoPoC is a Remote Access Trojan (RAT) disguised within Python proof-of-concept (PoC) repositories on GitHub, specifically targeting vulnerability researchers. The malware utilizes a sophisticated supply chain attack by hiding in indirect dependencies (`frint` and `skytext`) to evade standard code reviews and static analysis. Command and Control (C2) communications are obfuscated using Mapbox datasets via DNS-over-HTTPS and domain fronting to blend in with legitimate traffic. The campaign targ
Analysis
TL;DR
- ChocoPoC is a Remote Access Trojan (RAT) disguised within Python proof-of-concept (PoC) repositories on GitHub, specifically targeting vulnerability researchers.
- The malware utilizes a sophisticated supply chain attack by hiding in indirect dependencies (
frintandskytext) to evade standard code reviews and static analysis. - Command and Control (C2) communications are obfuscated using Mapbox datasets via DNS-over-HTTPS and domain fronting to blend in with legitimate traffic.
- The campaign targets high-value assets by compromising researchers who handle sensitive credentials and unpatched exploits, posing a significant secondary risk to security frameworks.
Why It Matters
This incident highlights a critical shift in threat vectors where social engineering exploits the professional urgency of security researchers to test new vulnerabilities. By embedding malware in trusted-looking dependency chains, attackers bypass traditional perimeter defenses and code auditing practices, demonstrating that the software supply chain remains a primary attack surface even for security professionals.
Technical Details
- Delivery Mechanism: Attackers publish fake PoC repositories for high-profile CVEs (e.g., FortiWeb, React2Shell). Users running
pip installinadvertently download malicious packagesfrintandskytext. - Evasion Techniques: The malware includes a compiled component (
gradient.so/.pyd) that remains dormant unless it detects the presence of the specific PoC file (e.g.,EXPLOIT_POC.py), allowing it to evade sandbox detonation without the full context. - Data Exfiltration: ChocoPoC harvests browser data (passwords, cookies, history) from major browsers, local files, shell history, and network configurations.
- C2 Infrastructure: Commands are retrieved from Mapbox datasets using DNS-over-HTTPS and domain fronting to mimic legitimate API calls, while larger data uploads are sent to a dedicated IP address.
Industry Insight
- Dependency Auditing Rigor: Security teams must enforce strict auditing of all indirect dependencies in PoC environments, not just the primary script, as malicious code can be buried deep in the package tree.
- Operational Security for Researchers: Vulnerability researchers should treat all external PoC code as potentially hostile and utilize isolated, ephemeral virtual machines with network segmentation to prevent credential theft and lateral movement.
- Supply Chain Risk Management: Organizations relying on community-driven detection frameworks (like Nuclei) must implement verification protocols for third-party modules to prevent poisoned tools from being distributed to wider user bases.
Disclaimer: The above content is generated by AI and is for reference only.