ChocoPoC RAT Targets Vulnerability Researchers via Trojanized PoCs

First seen 1 Jul 2026, 21:05 UTC. Sources: Bleepingcomputer, www.sekoia.com

A new malware campaign has emerged, delivering the ChocoPoC RAT through trojanized proof-of-concept (PoC) exploits on GitHub. This attack specifically targets vulnerability researchers and pentesters by embedding malicious Python packages in the dependency lists of PoCs. Researchers at Sekoia identified at least seven malicious repositories linked to vulnerabilities such as FortiWeb (CVE-2025-64446) and Joomla SP Page Builder (CVE-2026-48908). The ChocoPoC RAT can execute commands and exfiltrate sensitive data, utilizing techniques like timestomping and anti-debugging to evade detection. The malware was first observed in late 2025 and continues to pose a significant risk, with over 2,400 downloads of the malicious package 'skytext' reported. The campaign exploits the urgency of vulnerability research, as researchers rush to develop scan modules for newly disclosed vulnerabilities. Current advisories recommend extreme caution when handling PoCs from untrusted sources.

Key Points:

- ChocoPoC RAT is delivered via malicious Python packages in PoC dependencies.
- At least seven GitHub repositories are identified as distributing ChocoPoC, linked to multiple CVEs.
- The malware exploits urgency among vulnerability researchers, leading to significant risks.
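The delivery mechanism described above is a dependency list that pulls in a malicious package, so the practical control is to audit a PoC's requirements file before running pip against it. The following is an added example, not code from the Sekoia or Bleepingcomputer reporting: it flags the package name the article reports ('skytext'), custom package indexes, and unpinned specifiers; the sample requirements file and the list structure are constructed for illustration.

```python
import re

# Package names reported as malicious in the article; a real deployment would
# pull this from a threat-intel feed rather than a hard-coded set.
KNOWN_MALICIOUS = {"skytext"}

# Constructed sample of a requirements.txt a trojanized PoC might ship.
SAMPLE_REQUIREMENTS = """\
# deps for the CVE scan module
requests>=2.31
pycryptodome==3.20.0
skytext   # "helper" the PoC author added
beautifulsoup4[lxml]>=4.12
"""

_REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*([<>=!~].*)?$")

def _normalize(name: str) -> str:
    # PEP 503 name normalisation: case-insensitive, runs of '-', '_', '.' become '-'
    return re.sub(r"[-_.]+", "-", name).lower()

def audit_requirements(text: str) -> list[tuple[str, str]]:
    """Return (package, reason) findings: known-bad names, custom indexes, unpinned specs."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # strip comments and whitespace
        if not line:
            continue
        if line.startswith(("-i", "--index-url", "--extra-index-url")):
            findings.append((line, "custom package index, packages may come from anywhere"))
            continue
        if line.startswith("-"):                      # -r, -e, -c and other pip options
            findings.append((line, "pip option, review the referenced file or URL"))
            continue
        m = _REQ_RE.match(line)
        if not m:
            findings.append((line, "unparsed requirement, review manually"))
            continue
        name, spec = _normalize(m.group(1)), (m.group(3) or "").strip()
        if name in KNOWN_MALICIOUS:
            findings.append((name, "matches known-malicious package"))
        elif not spec.startswith("=="):
            findings.append((name, f"not pinned (spec {spec!r}), installs latest release"))
    return findings

if __name__ == "__main__":
    for package, reason in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"{package}: {reason}")
```

Running the audit in a throwaway VM or container before any `pip install` keeps a flagged dependency from ever executing on the research workstation.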


Timeline

- 2025-11-14: CVE-2025-64446 published. FortiWeb vulnerability disclosed, leading to active exploitation and PoC availability. (Source: Bleepingcomputer)
- 2025-12-03: CVE-2025-55182 published. Critical vulnerability affecting systems disclosed, prompting urgent PoC development. (Source: Bleepingcomputer)
- 2025-12-19: CVE-2025-14847 published. MongoBleed vulnerability disclosed, contributing to the exploitation landscape. (Source: Bleepingcomputer)
- 2026-05-13: CVE-2026-0257 published. Vulnerability affecting PAN-OS disclosed, further expanding the attack surface. (Source: Bleepingcomputer)
- 2026-06-08: CVE-2026-50751 published. Check Point VPN vulnerability disclosed, adding to the list of affected systems. (Source: Bleepingcomputer)
- 2026-06-09: CVE-2026-10520 published. Ivanti Sentry vulnerability disclosed, prompting further scrutiny of PoC repositories. (Source: Bleepingcomputer)
- 2026-06-20: CVE-2026-48908 published. Joomla SP Page Builder vulnerability disclosed, leading to increased risks for researchers. (Source: Bleepingcomputer)
