ChocoPoC Campaign: Trojanised PoC Exploits and PyPI Packages Deliver Python RAT Using Mapbox Datasets API as Dead-Drop C2 — Threadlinqs Intelligence
Threat ID: TL-2026-1088 · Severity: HIGH · Status: ACTIVE · Category: MALWARE
A supply-chain campaign tracked by Sekoia (with YesWeHack) as 'ChocoPoC' has, since at least November 2025, distributed trojanised CVE proof-of-concept exploits on GitHub bundled with malicious PyPI
ChocoPoC is a long-running supply-chain compromise campaign that specifically targets vulnerability researchers and penetration testers — a population whose security tooling is often deliberately relaxed while testing exploit code. The threat actor publishes fake GitHub repositories purporting to contain working proof-of-concept exploits for high-profile, recently disclosed CVEs (e.g. FortiWeb, React2Shell, MongoBleed, PAN-OS, Ivanti Sentry, Check Point VPN, Joomla SP Page Builder). Each fake repository ships a tampered requirements.txt that pulls in a malicious top-level PyPI package (frint in the 2026 wave, slogsec in the 2025 wave), which in turn installs a secondary dependency (skytext, logcrypt.cryptography) bundling a precompiled, obfuscated native Python extension (gradient.pyd on Windows, gradient.so on Linux).
The native extension is loaded via Python's ExtensionFileLoader the moment the package is imported. It performs anti-analysis checks (PEB walking, debugger/hardware-breakpoint detection, export hashing, CheckRemoteDebuggerPresent) and gates execution behind an environment check: it scans the working directory for a file whose uppercased name hashes to 0xF4835C9C, which corresponds to EXPLOIT_POC.PY. This means the payload only detonates when the victim is actually running the bundled fake exploit — not merely upon package installation — which defeats most automated sandbox and CI scanning.
Once triggered, the extension decrypts five embedded Python payloads using a custom XOR/rotate keystream algorithm seeded with the hardcoded key EXPLOIT_POC.PY, followed by zlib decompression. Persistence is established by dropping a trojanised _distutils_hack package and a distutils-precedence.pth file into the Python site-packages directory, causing the malicious loader to auto-execute on every subsequent Python interpreter startup; files are timestomped afterward to hinder forensic timeline reconstruction. A downloader script, choco.py, then resolves api.mapbox[.]com using DNS-over-HTTPS resolvers (AliDNS, Cloudflare DNS) rather than the OS's configured resolvers, and uses a custom SSL adapter to force the SNI/Host header to the legitimate Mapbox hostname while routing the underlying TCP connection to attacker infrastructure — a form of domain fronting. The malware then queries a specific Mapbox Datasets API feature (dataset cmor0tcxf008i1mmpd7apt903, feature dm370543acmdopk296nahbtua under account frankley) whose stored property field is abused as a dead-drop mailbox for C2 instructions, so command retrieval blends into ordinary-looking HTTPS calls to a trusted mapping SaaS.
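The .pth plus _distutils_hack persistence described above can be audited from the defender's side. The following is an added example, not part of the advisory or of Sekoia/YesWeHack tooling: it lists every site-packages .pth line that Python will execute at interpreter start and flags _distutils_hack files containing strings taken from this advisory (the environment-variable markers, the native loader and downloader names, the Mapbox dead-drop). The two sample trees it builds are constructed stand-ins; the clean shim text is the one setuptools ships.

```python
import site
import tempfile
from pathlib import Path

# Strings from the advisory that setuptools' stock shim never contains.
MARKERS = ("ZEBUWIAKGPHOQAP006", "JKHWQVEKRASDF12",   # anti-recursion env vars
           "gradient.pyd", "gradient.so", "choco.py",  # native loader, downloader
           "mapbox", "ExtensionFileLoader", "zlib", "exec(")

def startup_lines(pth_text):
    # site.py executes any .pth line that begins with "import " or "import\t".
    return [l for l in pth_text.splitlines() if l.startswith(("import ", "import\t"))]

def scan_file(path, root):
    """Return (level, relative_path, detail) tuples for one file."""
    text = Path(path).read_text(errors="replace")
    rel = str(Path(path).relative_to(root))
    out = []
    if rel.endswith(".pth"):
        out += [("info", rel, "runs at interpreter start: " + l[:70]) for l in startup_lines(text)]
    out += [("alert", rel, "contains marker " + m) for m in MARKERS if m in text]
    return out

def scan_site_packages(root):
    root = Path(root)
    files = list(root.glob("*.pth"))
    if (root / "_distutils_hack").is_dir():
        files += [f for f in (root / "_distutils_hack").rglob("*") if f.is_file()]
    return [f for p in sorted(files) for f in scan_file(p, root)]

def alerts(root):
    return [f for f in scan_site_packages(root) if f[0] == "alert"]

def build_demo(clean=True):
    """Constructed fake site-packages tree (sample data, not real malware)."""
    root = Path(tempfile.mkdtemp())
    (root / "_distutils_hack").mkdir()
    if clean:  # the shim as installed by setuptools
        (root / "distutils-precedence.pth").write_text(
            "import os; var = 'SETUPTOOLS_USE_DISTUTILS'; enabled = os.environ.get(var, 'local') "
            "== 'local'; enabled and __import__('_distutils_hack').add_shim(); \n")
        (root / "_distutils_hack" / "__init__.py").write_text("def add_shim():\n    pass\n")
    else:      # inert stand-in carrying two of the advisory's markers
        (root / "distutils-precedence.pth").write_text("import _distutils_hack\n")
        (root / "_distutils_hack" / "__init__.py").write_text(
            "import os, zlib\nif 'ZEBUWIAKGPHOQAP006' not in os.environ:\n    pass\n")
    return root

if __name__ == "__main__":
    for sp in set(site.getsitepackages() + [site.getusersitepackages()]):
        for level, rel, detail in scan_site_packages(sp):
            print(level.upper(), sp, rel, detail)
```

Run it on each interpreter and virtualenv a researcher uses; an "info" line is normal for setuptools' own shim, while any "alert" line warrants pulling the file for analysis.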
The final-stage Python RAT supports a small Spanish-language command set (hola for recon, cmd for shell execution, python for base64-encoded exec() code execution, get for file/directory staging and compression, browserdata for credential harvesting, dormir to adjust beacon sleep interval) and exfiltrates staged/compressed data to a hardcoded upload server at 91.132.163.78:8001. Harvested data includes stored passwords, cookies, autofill entries and browsing history from Chrome, Edge, Brave and Firefox; targeted files (.txt, .md, .db); shell history; and system/network reconnaissance output. File-lock mutexes and hardcoded anti-recursion environment variables (ZEBUWIAKGPHOQAP006, JKHWQVEKRASDF12) prevent multiple concurrent executions.
Sekoia and YesWeHack assess with high confidence that a single threat actor operates the campaign across both the 2025 wave (slogsec / logcrypt.cryptography) and the 2026 wave (frint / skytext), based on a reused Mapbox feature ID, identical anti-recursion environment-variable markers, identical hash-gating logic, and near-identical RAT source code between waves. The actor rotates GitHub accounts (lincemorado97, ogenich, bolubey), PyPI uploader identities, and Mapbox accounts (frankley, mattallahsaed, james09790), several of which were created using apparently compromised email addresses and abandoned once repositori
Weaknesses (CWE)
CWE-506, CWE-829, CWE-494
Target sectors: information technology, cybersecurity research, government administration
Target regions: Global
Detections & IOCs
This threat has 9 detection rule(s) across Splunk SPL, Microsoft KQL and Sigma, and 43 indicator(s) of compromise. Detection query text and full IOC values are available to authenticated users and programmatically via the Threadlinqs MCP server (Purple tier).
MALWARE, HIGH, threat intelligence, cybersecurity, CVE-2025-64446, CVE-2025-55182, CVE-2025-14847, CVE-2026-0257, CVE-2026-10520, CVE-2026-48908, CVE-2026-50751, T1586, T1585, T1583.006, T1587.001, T1195.002, T1195, T1195.001, T1199, T1059.006, T1059.004