New ChocoPoC RAT Targets Vulnerability Researchers via Fake PoC Exploit Repos

Techpivo News
Swati Khandelwal · Jul 02, 2026 · Malware / Vulnerability Research

Attackers are hiding a data-stealing trojan inside fake exploit code aimed at the people who hunt bugs for a living. The malware, called ChocoPoC, travels in Python proof-of-concept (PoC) repositories on GitHub that claim to exploit hot new CVEs. Run one, and it quietly lifts your saved passwords, browser cookies, and files, then hands the attacker a shell on your machine.

YesWeHack and Sekoia published their joint findings on July 1 and warned that, as of that report, the malware and its servers were still live, so do not run any of these PoCs.

The trick is where the code sits. The visible PoC looks clean. The malware hides in a Python package that the PoC pulls in as a dependency, so it slips past a quick code review.

How the trap works

The bait is time pressure. When a big flaw drops, researchers race to test it and grab community PoCs to move fast. This campaign turns that habit into an infection route. The chain, in plain terms:

1. You clone the repo and run pip install to fetch the PoC's requirements.
2. That pulls in a package named frint, which in turn drags in a second package, skytext.
3. skytext ships a small compiled file (gradient.so on Linux, gradient.pyd on Windows) that runs the moment you launch the PoC.
4. It only wakes up when it sees the real PoC loaded, checking for a file named EXPLOIT_POC.py or similar, then unpacks its payload and downloads the trojan.

That last check is why a plain sandbox sees nothing. Detonate the package on its own, without the full PoC around it, and the malware stays asleep.

What it steals and does

Once running, ChocoPoC is a full remote access trojan. It pulls saved passwords, cookies, autofill, and history from Chrome, Brave, Edge, and Firefox. It grabs text files, notes, and local databases, along with shell hi
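A pre-run audit of the kind the chain above calls for, added here as an example and not code from the article, YesWeHack or Sekoia: it walks a resolved dependency tree, lists every package that ships a compiled extension module (.so/.pyd/.dylib), and marks the ones that were not declared directly in requirements.txt, which is exactly where a transitive package like skytext with its gradient.so would surface. The package and file names follow the article; the directory tree built in demo() is constructed for illustration.

```python
"""Audit a PoC's installed dependencies for compiled extension modules before running it."""
from pathlib import Path
import re
import tempfile

# Native extension suffixes a pure-Python PoC has little reason to pull in.
COMPILED_SUFFIXES = {".so", ".pyd", ".dylib"}


def _normalize(name: str) -> str:
    """Normalize a package name the way pip does for comparison (lowercase, '-' for '_')."""
    return name.lower().replace("_", "-")


def declared_requirements(requirements_text: str) -> set[str]:
    """Return the package names listed directly in a requirements.txt."""
    names = set()
    for line in requirements_text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith("-"):          # skip blanks and pip options like -r
            continue
        match = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if match:
            names.add(_normalize(match.group(0)))
    return names


def compiled_modules(site_packages: Path) -> dict[str, list[str]]:
    """Map each top-level package under site_packages to the compiled modules it ships."""
    found: dict[str, list[str]] = {}
    for path in site_packages.rglob("*"):
        if path.is_file() and path.suffix.lower() in COMPILED_SUFFIXES:
            rel = path.relative_to(site_packages)
            found.setdefault(_normalize(rel.parts[0]), []).append(rel.as_posix())
    return found


def audit(site_packages: Path, requirements_text: str) -> list[dict]:
    """Report compiled modules, flagging packages pulled in transitively (not declared)."""
    declared = declared_requirements(requirements_text)
    return [{"package": pkg, "files": sorted(files), "transitive": pkg not in declared}
            for pkg, files in sorted(compiled_modules(site_packages).items())]


def demo() -> list[dict]:
    """Build a constructed site-packages tree mirroring the described chain and audit it."""
    root = Path(tempfile.mkdtemp())
    (root / "frint").mkdir()
    (root / "frint" / "__init__.py").write_text("import skytext\n")   # declared dependency
    (root / "skytext").mkdir()
    (root / "skytext" / "__init__.py").write_text("")
    (root / "skytext" / "gradient.so").write_bytes(b"\x7fELF")        # constructed stand-in
    return audit(root, "requests==2.31.0\nfrint  # listed by the PoC\n")
```

Run audit() against the virtualenv's site-packages and the repo's requirements.txt; any entry with transitive set to True deserves a look before the PoC is launched.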
