Don’t Eat The ChocoPoCs! How Vulnerability Researchers Were Repeatedly Targeted By Trojanised Exploits


YesWeHack and Sekoia TDR uncovered ChocoPoC, a Python RAT hidden in fake CVE PoC repositories and delivered through malicious PyPI dependencies, used to target vulnerability researchers and pentesters. The campaign abused GitHub, PyPI and Mapbox infrastructure to deliver payloads, persist in Python environments and steal data; at least 7 lure repositories were identified and the malware is still active.

Keypoints

  • At least 7 fake CVE PoC repositories were identified as part of a supply chain attack targeting security researchers and pentesters.
  • The lure repositories used malicious PyPI dependencies, mainly frint and skytext, to deliver the payload.
  • ChocoPoC is a fully functional Python RAT that can exfiltrate files, execute commands, and harvest secrets.
  • The infection chain relies on a compiled native extension, obfuscated dropper code, and a Mapbox dead-drop resolver to retrieve the next stage.
  • The malware uses persistence and stealth features including timestomping, file-lock mutexes, PEB walking, export hashing, and anti-debugging checks.
  • The final stage abuses Mapbox datasets for command retrieval and data exfiltration, while a separate IP-based server is used for heavier uploads.
  • The same malware infrastructure and tactics appear across multiple campaigns tied to different CVEs and likely compromised accounts.

MITRE Techniques

  • [T1195.001] Compromise Software Dependencies and Development Tools – The attackers trojanized PoC repositories by adding malicious Python dependencies to requirements files, causing users to install the malware when setting up the PoC (‘a malicious Python package was added into the repository’s requirements.txt’).
  • [T1059.006] Command and Scripting Interpreter: Python – The payload is a Python RAT and downloader that executes Python scripts and arbitrary code (‘exec()s it’, ‘executes arbitrary Python code on the fly’).
  • [T1027] Obfuscated Files or Information – The malware uses obfuscated binaries, XOR-encrypted blobs, compressed payloads, and encoded strings to hide its behavior (‘obfuscated function’, ‘compressed, XOR-encrypted blobs’, ‘base64-encoded’).
  • [T1106] Native API – The compiled extension dynamically resolves Windows and Python C-API functions and uses native OS APIs to load and execute (‘dynamically resolving the Python C-API and kernel32.dll functions’, ‘dlopen’, ‘LoadLibrary’).
  • [T1014] Rootkit – The threat abuses PEB walking and export hashing to hide API usage and resolve functions stealthily (‘PEB walking’, ‘export-hashing’).
  • [T1497.001] Virtualization/Sandbox Evasion: System Checks – It checks for debuggers and hardware breakpoints before continuing (‘CheckRemoteDebuggerPresent’, ‘inspecting debugging registers Dr0 to Dr1’).
  • [T1622] Debugger Evasion – The malware tests debugging registers and aborts if analysis indicators are found (‘test Dr0..Dr3 for hardware breakpoints’).
  • [T1546.011] Event Triggered Execution: Application Shimming – The trojanized _distutils_hack package and .pth file are used to auto-run code when Python starts (‘Auto-executed on every interpreter start’, ‘triggers the add_shim function’).
  • [T1036] Masquerading – The malicious package names and files are made to look legitimate, such as setuptools-like hooks and terminal color utilities (‘legit-looking one-liner hook’, ‘Beautiful & Blazing Fast Terminal Colors for Python’).
  • [T1037] Boot or Logon Initialization Scripts – The .pth file ensures persistence-like execution on every new Python interpreter start (‘spawns a hidden Python process’, ‘on every interpreter start’).
  • [T1105] Ingress Tool Transfer – The downloader retrieves the next stage from Mapbox and later from a dedicated server (‘retrieving a subsequent Python script from api.mapbox[.]com’).
  • [T1568.003] Dynamic Resolution: DNS over HTTPS – The downloader uses DoH to resolve the C2 IP while hiding DNS traffic (‘leveraging DoH (DNS-over-HTTPS)’).
  • [T1090.004] Proxy: Domain Fronting – It forces Host/SNI to api.mapbox[.]com while connecting to an IP address to blend in with legitimate traffic (‘Host-header/SNI-fronts api.mapbox[.]com’).
  • [T1071.001] Application Layer Protocol: Web Protocols – The malware communicates over HTTPS and Mapbox API requests for staging and exfiltration (‘opens an HTTPS connection’, ‘GETs a particular Mapbox dataset feature’).
  • [T1041] Exfiltration Over C2 Channel – Stolen data is sent through the C2 infrastructure and Mapbox channels (‘exfiltrates harvested data to another Mapbox dataset’).
  • [T1132.001] Data Encoding: Standard Encoding – Base64 is used to hide URLs, tokens, and payloads before execution (‘decodes some Base64 strings’).
  • [T1005] Data from Local System – The RAT collects browser data, local files, shell histories, network configuration, and process lists (‘extract stored credentials’, ‘shell histories’).
  • [T1057] Process Discovery – It gathers running process lists as part of system reconnaissance (‘running process lists’).
  • [T1082] System Information Discovery – The malware runs commands like ipconfig, uname, and netstat to profile the host (‘gather basic system information’).
  • [T1119] Automated Collection – It automatically searches user directories for target file types and archives them for upload (‘compressing them into standard archives before uploading’).
  • [T1003] OS Credential Dumping – It targets browser-stored passwords and cookies from Chrome, Brave, Edge, and Firefox (‘extract stored credentials (passwords), cookies’).
  • [T1564.001] Hide Artifacts: Hidden Files and Directories – The malware launches a hidden Python process to reduce visibility (‘re-launches a hidden python (CREATE_NO_WINDOW)’).
  • [T1070.006] Timestomp – It alters file timestamps after dropping persistence components to hinder forensic analysis (‘subsequently timestomping the files’).
  • [T1556.001] Modify Authentication Process: Dynamic Linker Hijacking – The compiled extension shadows a Python source module of the same name and gets loaded first (‘the compiled extension takes precedence and shadows the source file’).

Indicators of Compromise

  • [GitHub repositories] lure PoC repositories used to deliver the malicious dependency chain – github.com/ogenich/CVE-2026-48908, github.com/bolubey/CVE-2026-0257, and other listed CVE PoCs
  • [PyPI package names] malicious dependencies installed during PoC setup – frint 0.1.2, skytext 1.1.0, and slogsec
  • [File names] native extensions and persistence components – gradient.pyd, gradient.so, distutils-precedence.pth, and choco.py
  • [File hashes] malicious package and binary hashes – skytext SHA-256 93739477cd379adef95126b22758c0e644282d2028dd297328ce856fa111dd06, gradient.pyd SHA-256 40569318e89db751ff3886b2617d990d8a343f0d1d8727b7f978a28129ca36bc
  • [Mapbox dataset/feature identifiers] dead-drop C2 and exfiltration resources – cmor0tcxf008i1mmpd7apt903, dm370543acmdopk296nahbtua, and a second dataset cmismaye7000s1mp2v8fkn4lp
  • [Mapbox tokens] attacker-controlled API keys used by downloader and exfiltration stage – pk.eyJ1IjoiZnJhbmtsZXkiLCJhIjoiY21vNzFzaXNzMDJrMjJxcHJqY3JscnlpYSJ9.fuMfMgsxlOGxRy44A-y0WQ, sk.eyJ1IjoiamFtZXMwOTc5MCIsImEiOiJjbWoxM3JuNHQwYnh0M2xxeWhsMnVyaDZwIn0.ELpete7yVGAeg52Mrmt2DA
  • [IP address and URL] stage-3 exfiltration infrastructure – 91.132.163.78:8001 and hxxp://91[.]132[.]163[.]78:8001/assets/static/bundle.ext.min.de5b2bc9.js
  • [Domains] DoH and C2-related infrastructure – api.mapbox[.]com, dns.alidns[.]com, and cloudflare-dns[.]com
  • [Environment variables] anti-recursion markers used by the spawner – ZEBUWIAKGPHOQAP006=PTsjBGKQUxZorq2 and JKHWQVEKRASDF12=JKHKJ23VAS8DF9
  • [Email addresses] suspected committer/package publisher accounts – [email protected], [email protected], [email protected], and [email protected]
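The two footholds this write-up describes are a poisoned requirements.txt (T1195.001) and an executable one-liner in a .pth file that site.py runs at every interpreter start (T1546.011 / T1037). The following hunt script is an added example, not code from the write-up or from Sekoia: it flags requirement names matching the IoC packages, lists every executable .pth line (marking the ones that call APIs a path hook never needs), and spots the IoC file names; the .pth and requirements samples are constructed, and `<payload>` is a placeholder.

```python
import re
from pathlib import Path

# Package and file names taken from this write-up's IoC list.
IOC_PACKAGES = {"frint", "skytext", "slogsec"}
IOC_FILES = {"gradient.pyd", "gradient.so", "choco.py"}
# Lines in a .pth file that begin with "import" are executed by site.py at
# every interpreter start; these tokens serve a dropper, not a path hook.
RISKY = re.compile(r"\b(exec|eval|compile|subprocess|base64|urlopen|socket|environ)\b")

def pth_exec_lines(text):
    """Return (line_no, line, risky) for every executable line in a .pth file."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if s.startswith("import"):
            hits.append((no, s, bool(RISKY.search(s))))
    return hits

def ioc_requirements(text):
    """Return names in a requirements.txt that match the IoC package list."""
    found = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank line or pip option such as -r / --index-url
        name = re.split(r"[=<>!~\[;@ ]", line, 1)[0].lower().replace("_", "-")
        if name in IOC_PACKAGES:
            found.append(name)
    return found

def scan_site_packages(root):
    """Report executable .pth lines and IoC file names under a site-packages dir."""
    findings = []
    for p in Path(root).rglob("*"):
        if p.name in IOC_FILES:
            findings.append((str(p), "ioc-filename"))
        elif p.suffix == ".pth" and p.is_file():
            for no, _, risky in pth_exec_lines(p.read_text(errors="replace")):
                findings.append((f"{p}:{no}", "risky-hook" if risky else "exec-hook"))
    return findings

# Constructed samples (not from the campaign) to exercise the checks.
SAMPLE_PTH = "/opt/site\nimport sys; sys.path.append('/opt/site')\nimport base64; exec(base64.b64decode(b'<payload>'))\n"
SAMPLE_REQ = "requests>=2.0\nfrint==0.1.2  # pulled in by the lure PoC\nskytext\n"

if __name__ == "__main__":
    import sys, sysconfig
    root = sys.argv[1] if len(sys.argv) > 1 else sysconfig.get_paths()["purelib"]
    for where, kind in scan_site_packages(root):
        print(kind, where)
```

The genuine setuptools distutils-precedence.pth also reads os.environ and imports _distutils_hack, so a risky-hook finding is a review queue, not an automatic verdict: compare the .pth text and the _distutils_hack package against a clean setuptools wheel of the same version.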

Read more: https://www.sekoia.com/blog/dont-eat-the-chocopocs-how-vulnerability-researchers-were-repeatedly-targeted-by-trojanised-exploits