Tech News

New ChocoPoC malware targets researchers via trojanized PoC exploits

Why This Matters

The emergence of ChocoPoC malware highlights the evolving tactics of threat actors who leverage legitimate package repositories and dependency chains to deliver sophisticated remote access Trojans to cybersecurity researchers and low-skilled hackers. This underscores the importance of rigorous supply chain security and vigilant monitoring of dependencies in software development, especially for those working with PoC exploits. For consumers and organizations, understanding these attack vectors is crucial for strengthening defenses against targeted cyber espionage and data theft campaigns.

Key Takeaways

Multiple weaponized proof-of-concept (PoC) exploits on GitHub were found delivering a Python-based remote access trojan (RAT) named ChocoPoC that can execute commands and steal sensitive data in a campaign believed to target cybersecurity researchers.

Hiding malware in PoC exploits for various vulnerabilities is not new: there are earlier examples of threat actors posing as real security researchers and taking advantage of trending vulnerabilities to target vulnerability researchers, penetration testers, or low-skilled hackers.

However, ChocoPoC stands out for not embedding the malware directly in the exploit file but for adding malicious Python packages to the PoC’s dependency list.

According to researchers at cybersecurity company Sekoia, the packages are hosted on the Python Package Index (PyPI), a platform used by Python developers to source and share code.

Once the victim clones a malicious repository, a trojanized package named ‘frint’ is automatically fetched and installed on their systems.

[Image: Example of a malicious repository. Source: Sekoia]

During installation, the package pulls a malicious dependency package, ‘skytext,’ which contains a compiled native Python extension.

When the PoC executes, the extension runs automatically and decrypts additional embedded Python code that triggers a downloader to retrieve the final payload, ChocoPoC, from a Mapbox dataset.
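As an added example (not code from the article or from Sekoia), the following Python script performs one pre-install check that this dependency-smuggling technique tends to fail: it parses a cloned PoC's requirements.txt and the PoC's source with `ast`, then reports any declared dependency that the exploit code never imports. The sample requirements file and source below are constructed; 'frint' is the package name reported above, and IMPORT_NAME_MAP is an assumed, partial table of distributions whose import name differs from their PyPI name.

```python
import ast
import re

# Constructed sample inputs: a PoC's requirements.txt and its source file.
# 'frint' is the package name reported in the article; the rest are placeholders.
SAMPLE_REQUIREMENTS = """\
# PoC dependencies
requests>=2.31
pycryptodome==3.20.0 ; python_version >= "3.8"
frint
"""
SAMPLE_POC_SOURCE = """\
import sys, requests
from Crypto.Cipher import AES
def run(target):
    return requests.get(target)
"""

# Distribution name -> import name where they differ (assumed, partial table).
IMPORT_NAME_MAP = {"pycryptodome": "Crypto", "beautifulsoup4": "bs4", "pillow": "PIL"}
REQ_NAME = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")

def parse_requirements(text):
    """Normalized distribution names declared in requirements.txt content."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line or line.startswith("-"):      # skip blanks and pip options
            continue
        match = REQ_NAME.match(line)              # name before any version/marker
        if match:
            names.append(match.group(1).lower().replace("_", "-"))
    return names

def imported_top_level(source):
    """Top-level module names imported anywhere in one Python source file."""
    mods = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            mods.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            mods.add(node.module.split(".")[0])
    return mods

def unused_requirements(requirements_text, sources):
    """Declared dependencies that no source file imports: review before pip install."""
    imported = {m.lower() for src in sources for m in imported_top_level(src)}
    return [dist for dist in parse_requirements(requirements_text)
            if IMPORT_NAME_MAP.get(dist, dist.replace("-", "_")).lower() not in imported]
```

A listed package that the PoC does import can still be malicious, so an empty result is a first filter rather than a clean bill; installing and running a cloned PoC in a disposable environment is still the baseline.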

The ChocoPoC RAT has the following capabilities:

... continue reading