ChocoPoC: Python RAT Distributed via Trojanized PoC Exploits Targeting Security Researchers — Threadlinqs Intelligence
Threat ID: TL-2026-1125 · Severity: HIGH · Status: ACTIVE · Category: SUPPLY_CHAIN
A supply-chain campaign dubbed ChocoPoC (aka ChocoRAT) trojanizes at least seven GitHub proof-of-concept exploit repositories and companion PyPI packages ('frint', 'skytext', with earlier variants
ChocoPoC (aka ChocoRAT) is a Python remote access trojan distributed through a supply-chain campaign that weaponizes the security research community's own workflow: cloning and running public proof-of-concept exploit code. Sekoia, working with YesWeHack, identified at least seven GitHub repositories hosting trojanized PoCs for recently disclosed, high-severity vulnerabilities — FortiWeb (CVE-2025-64446), React2Shell (CVE-2025-55182), MongoBleed (CVE-2025-14847), PAN-OS GlobalProtect (CVE-2026-0257), Ivanti Sentry (CVE-2026-10520), Check Point VPN (CVE-2026-50751), and Joomla SP Page Builder (CVE-2026-48908) — each shipped with a tampered requirements.txt that pulls in the malicious PyPI package 'frint', which in turn depends on 'skytext'.
When a victim runs `pip install` to stand up the exploit environment, skytext installs a small compiled native Python extension (gradient.so on Linux, gradient.pyd on Windows, loaded via the PyInit_gradient entry point) that executes automatically and performs anti-analysis checks — PEB walking, hardware breakpoint detection, remote debugger testing, and export hashing — before decrypting five embedded, zlib-compressed Python payloads. The malware is environmentally gated: it only proceeds once it detects a file resembling the real exploit (exploit.py, EXPLOIT_POC.py, exploit_poc.py) on disk, ensuring it only detonates for genuine PoC users rather than sandboxes. On success it achieves persistence by dropping a trojanized _distutils_hack shim and malicious .pth files into the Python site-packages directory, then timestomps them to blend in with legitimate files. The .pth hook re-triggers on every subsequent Python interpreter start, silently importing a stage-2 downloader named choco.py.
choco.py implements a 'dead-drop' C2 model built on legitimate cloud infrastructure: it uses DNS-over-HTTPS resolvers (dns.alidns.com, cloudflare-dns.com) to resolve api.mapbox.com to an attacker-controlled IP while sending the legitimate Mapbox hostname in the SNI/Host header (domain fronting), then retrieves a Base64-encoded payload stored inside a Mapbox dataset feature, decodes it, and executes it in memory — the final ChocoPoC RAT never touches disk as a discrete binary. The RAT can execute arbitrary shell commands and Python code, upload individual files or entire directories, and specifically searches victim machines for text files, markdown notes, and local database files, plus shell history, network configuration, and running-process listings. It harvests saved passwords, cookies, autofill data, and browsing history from Chrome, Brave, Edge, and Firefox. Small exfiltrated data (status updates, harvested secrets) is written back to a second Mapbox dataset acting as a covert channel; bulk file uploads are instead sent to a dedicated external HTTP server at 91.132.163.78.
Before frint/skytext, the same operators ran an earlier iteration of the campaign using PyPI packages 'slogsec' and 'logcrypt.cryptography', which shared near-identical source code and delivered the same ChocoPoC payload — indicating a persistent, iterating operation rather than a one-off incident. Sekoia pivoted on the GitHub accounts publishing the trojanized repositories (observed under the handle lincemorado97) and found several raw committer email addresses (including leechuung@mail.com and faberhung@mail.com); credentials for two of these emails were found in public leak databases, and a third login 'highly likely originates from an infostealer compromise,' leading Sekoia to assess with high confidence that the operators primarily rely on compromised GitHub/PyPI accounts rather than accounts they registered themselves. Source-code artifacts including Spanish-language strings and function/file naming (e.g., pozos.py, and Spanish words such as 'hola' and 'dormir' used as variable/command names) are the only attribution lead currently available; no threat group has been named or has claimed the campaign. Downloads of the maliciou
Weaknesses (CWE)
CWE-22, CWE-288, CWE-502, CWE-125, CWE-347, CWE-78, CWE-287, CWE-284, CWE-506
Target sectors: technology, cybersecurity, professional-services
Target regions: Global
Detections & IOCs
This threat has 9 detection rule(s) across Splunk SPL, Microsoft KQL and Sigma, and 30 indicator(s) of compromise. Detection query text and full IOC values are available to authenticated users and programmatically via the Threadlinqs MCP server (Purple tier). View plans.
SUPPLY_CHAIN, HIGH, threat intelligence, cybersecurity, CVE-2025-64446, CVE-2025-55182, CVE-2025-14847, CVE-2026-0257, CVE-2026-10520, CVE-2026-50751, CVE-2026-48908, T1583, T1586, T1608, T1587, T1195, T1195, T1199, T1059, T1204, T1129