www.sekoia.com
ChocoPoC RAT Targets Vulnerability Researchers via Trojanized PoCs
A new malware campaign has emerged, delivering the ChocoPoC RAT through trojanized proof-of-concept (PoC) exploits on GitHub. The attack specifically targets vulnerability researchers and pentesters by embedding malicious Python packages in the dependency lists of PoCs. Researchers at Sekoia identified at least seven malicious repositories linked to vulnerabilities such as FortiWeb (CVE-2025-64446) and Joomla SP Page Builder (CVE-2026-48908). The ChocoPoC RAT can execute commands and exfiltrate sensitive data, and it uses timestomping and anti-debugging to evade detection. The malware was first observed in late 2025 and continues to pose a significant risk, with over 2,400 downloads of the malicious package 'skytext' reported. The campaign exploits the urgency of vulnerability research, as researchers rush to develop scan modules for newly disclosed vulnerabilities. Current advisories recommend extreme caution when handling PoCs from untrusted sources.
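The delivery vector described above comes down to one extra entry in a PoC's requirements.txt. The script below is an added example written for this page, not code from the Sekoia article or from any tool it mentions. It assumes a constructed allowlist of packages a scan module is expected to need and a constructed requirements file (the package name skytext is the one the article reports; the index URL and other entries are invented), and it flags any dependency that is not on the allowlist, closely resembles an allowlisted name, or is pulled from somewhere other than the default index.

```python
"""Audit a PoC repository's requirements.txt before running pip install."""
import re
from dataclasses import dataclass

# Constructed allowlist: what a typical vulnerability-scan module legitimately needs.
KNOWN_GOOD = {"requests", "urllib3", "beautifulsoup4", "pycryptodome", "paramiko", "colorama"}

# Constructed sample input; 'skytext' is the package name reported in the article,
# the other suspicious lines are invented for illustration.
SAMPLE_REQUIREMENTS = """\
requests>=2.31
beautifulsoup4
skytext==1.0.3    # added to the PoC's dependency list
requsts
--extra-index-url https://pypi.example.invalid/simple
"""

# name, optional extras, optional version specifier (stops at markers/comments)
REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*([<>=!~]=?[^;#]*)?")


@dataclass
class Finding:
    line_no: int
    raw: str
    reason: str


def normalize(name: str) -> str:
    """PEP 503 name normalisation: case-insensitive, runs of -,_,. collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot names that shadow a well-known package."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def nearest_known(name: str, allowlist) -> tuple[str, int]:
    """Return the allowlisted name closest to `name` and its edit distance."""
    best = min(allowlist, key=lambda k: edit_distance(name, normalize(k)))
    return normalize(best), edit_distance(name, normalize(best))


def audit_requirements(text: str, allowlist=KNOWN_GOOD) -> list[Finding]:
    """Return one Finding per requirements line that should block an install."""
    allowed = {normalize(a) for a in allowlist}
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.split("#", 1)[0].strip()
        if not stripped:
            continue
        if stripped.startswith("-"):
            # --index-url, --extra-index-url, --find-links, -e: all change where code comes from
            findings.append(Finding(n, stripped, "pip option redirects the package source"))
            continue
        if "://" in stripped or stripped.startswith(("git+", "file:")):
            findings.append(Finding(n, stripped, "direct URL/VCS dependency bypasses the index"))
            continue
        m = REQ_RE.match(stripped)
        if not m:
            findings.append(Finding(n, stripped, "unparseable requirement"))
            continue
        name = normalize(m.group(1))
        if name in allowed:
            continue
        reason = f"'{name}' is not on the allowlist"
        if allowed:
            near, dist = nearest_known(name, allowlist)
            if dist <= 2:
                reason += f" and resembles '{near}' (edit distance {dist})"
        findings.append(Finding(n, stripped, reason))
    return findings


if __name__ == "__main__":
    for f in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {f.line_no}: {f.raw!r}: {f.reason}")
```

Any finding is a reason to read the package source on the index (or, better, to run the PoC only inside a disposable VM) before installing. The allowlist is deliberately short: a scan module that needs something outside it should make that need visible in review rather than slip it into the dependency list.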
Key Points:
• ChocoPoC RAT is delivered via malicious Python packages in PoC dependencies.
• At least seven GitHub repositories are identified as distributing ChocoPoC, linked to multiple CVEs.
• The malware exploits urgency among vulnerability researchers, leading to significant risks.