ChocoPoC Malware Uses Mapbox Dead-Drop C2 to Target Vulnerability Researchers


A malware campaign called ChocoPoC is targeting vulnerability researchers and penetration testers through trojanized proof-of-concept exploit repositories on GitHub and malicious Python dependencies on PyPI.

The campaign was documented in a joint investigation by Sekoia and YesWeHack. Researchers said ChocoPoC is a Python remote access trojan that can steal files, harvest browser data, and execute commands on compromised research machines.

The attack hides inside fake PoC repositories for high-profile vulnerabilities. The visible exploit code may look clean, while a malicious dependency in the requirements file installs the backdoor during a normal pip install step.

How the ChocoPoC Campaign Works

The infection starts when a researcher clones a malicious PoC repository and installs its dependencies. In the 2026 wave, the PoC pulls a package named frint, which then installs a second package named skytext.

The skytext package ships a compiled native Python extension named gradient.so on Linux or gradient.pyd on Windows. When the PoC runs, Python loads that compiled extension, which starts the malware chain.

BleepingComputer reported that ChocoPoC stands out because the malware does not need to sit directly in the PoC file. Instead, attackers hide the payload in a transitive dependency that a quick code review may miss.

Attack Chain at a Glance

Stage | What happens | Why it matters
PoC lure | A fake GitHub repository claims to exploit a recent CVE | Researchers may test it quickly because new PoCs are time-sensitive
Dependency install | The requirements file pulls malicious Python packages | The visible exploit code can stay mostly harmless
Native extension load | gradient.so or gradient.pyd loads inside Python | The compiled payload runs under a normal Python workflow
Environment check | The malware looks for PoC filenames such as EXPLOIT_POC.py or exploit.py | Simple sandbox runs may not trigger the payload
Dead-drop retrieval | The downloader fetches ChocoPoC from a Mapbox dataset | Traffic blends with a legitimate cloud mapping service

The malware uses anti-debugging and anti-analysis checks before it continues. It also checks the runtime context, which means it may stay quiet if analysts inspect the package by itself rather than running the full lure PoC.

This design creates a supply-chain trap for security researchers. The dependency chain becomes the weapon, while the fake exploit repository acts as bait.

Mapbox Used as a Dead-Drop Channel

ChocoPoC abuses the Mapbox Datasets API as a dead-drop command channel. The downloader reaches a Mapbox dataset feature, extracts a Base64-encoded value from a property field, decodes it, and executes the resulting Python code.

The malware also uses DNS-over-HTTPS through public resolvers to resolve the Mapbox domain without relying on the victim's normal DNS path. That can help it avoid DNS sinkholes and monitoring tools that only watch standard DNS traffic.

The Hacker News reported that the RAT uses Mapbox as a dead-drop service and can fall back to a separate HTTP server for larger uploads. This lets the campaign mix trusted cloud traffic with more direct exfiltration infrastructure.
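The dead-drop step described above can be checked from the defender's side. The following is an added example, not code from the article, Sekoia or YesWeHack: it takes a GeoJSON feature of the shape the Mapbox Datasets API returns, tries to strictly Base64-decode each property value, and reports any value that decodes to text that looks like Python source. The feature, its property names and the encoded text are constructed for this example; the payload is only decoded and inspected, never executed, unlike the downloader the article describes.

```python
import base64
import binascii
import json
import re

# Constructed sample of a GeoJSON Feature, the shape in which the Mapbox
# Datasets API returns a dataset feature. The property names, the feature
# id and the encoded text are made up for this example and are not taken
# from the campaign.
SAMPLE_FEATURE = json.dumps({
    "type": "Feature",
    "id": "example-feature-id",
    "geometry": {"type": "Point", "coordinates": [16.37, 48.21]},
    "properties": {
        "name": "Vienna",
        "note": base64.b64encode(
            b"import os, subprocess\nsubprocess.run(['id'])\n"
        ).decode("ascii"),
        "count": "42",
    },
})

# Heuristic: decoded text that starts a line with one of these tokens is
# treated as Python source rather than ordinary geodata.
PYTHON_MARKERS = re.compile(
    rb"^(import |from \S+ import |def |class |exec\(|eval\()", re.M
)


def try_b64(value, min_len=16):
    """Strictly decode a property value as Base64; return None if it is
    not a string, too short to carry code, or not valid Base64."""
    if not isinstance(value, str) or len(value) < min_len:
        return None
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def suspicious_properties(feature_json):
    """Return {property_name: decoded_text} for every feature property
    whose Base64 payload decodes to text that looks like Python code.
    The payload is decoded and inspected only, never executed."""
    feature = json.loads(feature_json)
    hits = {}
    for key, value in feature.get("properties", {}).items():
        raw = try_b64(value)
        if raw is None or not PYTHON_MARKERS.search(raw):
            continue
        try:
            hits[key] = raw.decode("utf-8")
        except UnicodeDecodeError:
            continue  # binary blob, not source text
    return hits


if __name__ == "__main__":
    for name, code in suspicious_properties(SAMPLE_FEATURE).items():
        print(f"property {name!r} decodes to Python source:\n{code}")
```

Run this over dataset features captured from a proxy or from an incident export. Legitimate datasets rarely carry Base64 blobs in properties, and almost never ones that decode to import statements, so any hit is worth a closer look.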

What ChocoPoC Can Steal

Once installed, ChocoPoC acts as a full remote access trojan. It can run shell commands, execute Python code, collect files, and gather system information from the victim's workstation.

The RAT also targets browser data. Researchers said it can collect saved passwords, cookies, autofill data, and browsing history from popular browsers, including Chrome, Brave, Edge, and Firefox.

  • Browser passwords, cookies, autofill data, and history
  • Text files, markdown notes, and local database files
  • Shell history from Linux and macOS-style environments
  • Network configuration and running process lists
  • Files and folders requested by the operator
  • Arbitrary shell and Python command execution results

For vulnerability researchers, this access can expose client reports, exploit notes, credentials, testing infrastructure, and unpublished vulnerability research. That makes one infected workstation more valuable than an ordinary endpoint.

Why Vulnerability Researchers Are the Target

Security researchers often download and test untrusted exploit code as part of their work. They may also run PoCs with elevated privileges or inside research environments that contain sensitive tools and data.

YesWeHack said the campaign exploits the pressure to quickly validate newly disclosed vulnerabilities. Attackers use that urgency to push researchers toward newly created repositories and unfamiliar package dependencies.

The campaign also targets the trust model around public exploit sharing. A fake PoC may appear in a GitHub issue, community discussion, scanner template request, or vulnerability research workflow before defenders have time to verify it.

Fake PoCs Tied to Recent CVEs

Researchers found at least seven fake PoC repositories connected to the same broader ChocoPoC campaign. The lures focused on high-interest vulnerabilities that researchers would likely rush to test.

Lure category | Associated CVE | Malicious dependencies observed
FortiWeb path traversal | CVE-2025-64446 | slogsec, logcrypt.cryptography
React2Shell | CVE-2025-55182 | slogsec, logcrypt.cryptography
MongoBleed | CVE-2025-14847 | slogsec, logcrypt.cryptography
PAN-OS authentication bypass | CVE-2026-0257 | frint, skytext
Ivanti Sentry command injection | CVE-2026-10520 | frint, skytext
Check Point VPN authentication bypass | CVE-2026-50751 | frint, skytext
Joomla SP Page Builder RCE | CVE-2026-48908 | frint, skytext

Sekoia assessed with high confidence that one actor operated the 2025 and 2026 waves. The assessment was based on reused Mapbox feature IDs, environmental gates, anti-recursion markers, and similar code behavior.

[Image: GitHub issue sharing the infected PoC repository]

The skytext package alone had around 2,400 downloads across Linux and Windows environments, according to the researchers' report. Downloads do not prove that every user was infected, but they show that the lure reached real systems.

Why the Dependency Trick Is Hard to Catch

The campaign shows why reviewing only the main exploit file is not enough. Attackers can leave the PoC mostly readable while moving the malicious behavior into a dependency that runs later.

The Python Packaging User Guide explains that installing Python packages often involves dependency resolution and downloads from package indexes. That convenience also creates risk when a project pulls packages from unknown or newly created maintainers.

The ChocoPoC loader also waits for specific filenames and module context before it activates. That means a security tool that detonates skytext alone may see nothing suspicious.

Indicators of Compromise

Type | Indicator | Description
Domain | api.mapbox[.]com | Legitimate Mapbox API abused as a dead-drop C2 channel
Domain | dns.alidns[.]com | DNS-over-HTTPS resolver used by the downloader
Domain | cloudflare-dns[.]com | Alternate DNS-over-HTTPS resolver referenced by the downloader
File | gradient.so | Linux native Python extension used in the infection chain
File | gradient.pyd | Windows native Python extension used in the infection chain
File | choco.py | Downloader script that retrieves the final Python RAT
PyPI package | skytext | Malicious transitive dependency used in the 2026 wave
PyPI package | frint | Package that pulled skytext during installation
PyPI package | slogsec | Malicious package linked to an earlier wave
PyPI package | logcrypt.cryptography | Malicious package linked to an earlier wave

These indicators can support threat hunting, but they should not be treated as complete coverage. The actor rotated GitHub, PyPI, and Mapbox accounts across campaign waves.

Defenders should also hunt for behavior. Useful signals include Python loading unexpected native extensions, new .pth files in site-packages, hidden Python processes, suspicious Mapbox dataset requests, and browser database access from Python processes.
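The behavioural signals listed above translate into simple hunting rules. The block below is an added example, not part of the article or of any vendor's detection content: it reads constructed endpoint telemetry in JSON lines and flags Python processes talking to Mapbox dataset endpoints, DNS-over-HTTPS from non-browser processes, Python opening browser credential databases, Python loading native extensions from packages outside an allowlist, and .pth files written into site-packages. The field names (event, proc, host, path, user), the allowlist and the sample paths are assumptions for this example; the hosts and file names mirror the article's indicators.

```python
import json
import re

# Constructed sample telemetry in JSON lines. Field names are an assumption
# for this example; map them onto your EDR or proxy schema. Users, venv
# layout and request paths are invented.
SAMPLE_EVENTS = r'''
{"event":"net","proc":"python3","host":"api.mapbox.com","path":"/datasets/v1/acct/ds1/features/f1","user":"alice"}
{"event":"net","proc":"chrome","host":"api.mapbox.com","path":"/styles/v1/mapbox/streets-v12","user":"alice"}
{"event":"net","proc":"python3","host":"dns.alidns.com","path":"/dns-query","user":"alice"}
{"event":"net","proc":"firefox","host":"cloudflare-dns.com","path":"/dns-query","user":"bob"}
{"event":"file","proc":"python3","path":"/home/alice/.config/google-chrome/Default/Login Data","user":"alice"}
{"event":"file","proc":"chrome","path":"/home/alice/.config/google-chrome/Default/Cookies","user":"alice"}
{"event":"image","proc":"python3","path":"/home/alice/venv/lib/python3.11/site-packages/skytext/gradient.so","user":"alice"}
{"event":"image","proc":"python3","path":"/home/alice/venv/lib/python3.11/site-packages/numpy/core/_multiarray_umath.cpython-311-x86_64-linux-gnu.so","user":"alice"}
{"event":"write","proc":"pip","path":"/home/alice/venv/lib/python3.11/site-packages/hook.pth","user":"alice"}
'''

PYTHON_PROCS = {"python", "python3", "python.exe", "pythonw.exe"}
BROWSERS = {"chrome", "chrome.exe", "firefox", "firefox.exe", "msedge.exe", "brave", "brave.exe"}
DOH_RESOLVERS = {"dns.alidns.com", "cloudflare-dns.com"}
# Packages expected to ship native extensions on a research box. This
# allowlist is an assumption; tune it to your environment.
KNOWN_NATIVE_PKGS = {"numpy", "cryptography", "cffi", "lxml", "psutil"}
BROWSER_DBS = re.compile(
    r"(Login Data|Cookies|Web Data|History|logins\.json|cookies\.sqlite|places\.sqlite|key4\.db)$"
)
NATIVE_EXT = re.compile(r"\.(so|pyd)$", re.I)
SITE_PKGS = re.compile(r"site-packages[\\/]")


def site_package_of(path):
    """Return the top-level site-packages entry a path belongs to, or None
    if the path is not under a site-packages directory."""
    parts = SITE_PKGS.split(path, maxsplit=1)
    if len(parts) < 2:
        return None
    return re.split(r"[\\/]", parts[1])[0]


def classify(ev):
    """Map one telemetry event to a hunting rule name, or None."""
    kind = ev.get("event")
    proc = ev.get("proc", "").lower()
    host = ev.get("host", "").lower()
    path = ev.get("path", "")
    if kind == "net":
        if proc in PYTHON_PROCS and host == "api.mapbox.com" and "/datasets/" in path:
            return "mapbox_dataset_from_python"
        if host in DOH_RESOLVERS and path.startswith("/dns-query") and proc not in BROWSERS:
            return "doh_from_non_browser"
    elif kind == "file":
        if proc in PYTHON_PROCS and BROWSER_DBS.search(path):
            return "browser_db_from_python"
    elif kind == "image":
        if proc in PYTHON_PROCS and NATIVE_EXT.search(path):
            pkg = site_package_of(path)
            if pkg is not None and pkg not in KNOWN_NATIVE_PKGS:
                return "unknown_native_ext"
    elif kind == "write":
        if path.endswith(".pth") and site_package_of(path) is not None:
            return "pth_write"
    return None


def hunt(events_text):
    """Parse JSON lines and return a list of {rule, proc, user, detail}."""
    hits = []
    for line in events_text.strip().splitlines():
        ev = json.loads(line)
        rule = classify(ev)
        if rule:
            hits.append({
                "rule": rule,
                "proc": ev.get("proc"),
                "user": ev.get("user"),
                "detail": ev.get("host", "") + ev.get("path", ""),
            })
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"{hit['rule']:28} {hit['proc']:8} {hit['user']:6} {hit['detail']}")
```

Browsers are excluded from the DoH rule because Firefox and Chromium can use public resolvers legitimately; the interesting case is a scripting runtime doing its own DNS-over-HTTPS. The native-extension rule depends on the allowlist, so expect to tune it on a box that uses many compiled packages.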

How Researchers Can Reduce Risk

Researchers should treat public PoC repositories as untrusted code until verified. That means reviewing dependency files, package metadata, native extensions, commit history, and repository age before running anything.

The Python Packaging User Guide shows how quickly pip can install packages and dependencies. Researchers should use that same convenience carefully, especially when a PoC references obscure or newly published packages.

  • Run untrusted PoCs only inside disposable virtual machines.
  • Review requirements.txt and pyproject.toml before installing dependencies.
  • Watch for native extensions such as .so, .pyd, or compiled wheels.
  • Avoid running PoCs from newly created or anonymous GitHub accounts.
  • Use network egress controls for research sandboxes.
  • Keep client data, browser profiles, credentials, and SSH keys out of test machines.
  • Prefer manual dependency inspection over blind pip install commands.
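The dependency-review steps above can be partly automated by inspecting a wheel before pip ever unpacks it. The following is an added example, not code from the article or from any of the named projects: it builds a small wheel in memory (the package name, files and metadata are invented and are not the real skytext wheel) and audits it for native extensions, top-level .pth files and the import lines in them that site.py executes at every interpreter start, and declared dependencies that need the same review transitively.

```python
import io
import re
import zipfile

NATIVE_EXT = re.compile(r"\.(so|pyd|dll|dylib)$", re.I)


def build_sample_wheel():
    """Construct a small wheel in memory for this example. The package name,
    file names and metadata are invented; this is not the real skytext wheel.
    It ships a fake native extension, a .pth hook and declared dependencies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("examplepkg/__init__.py", "from . import gradient\n")
        # Not a real ELF object: only the file name matters to the audit.
        zf.writestr("examplepkg/gradient.so", b"\x7fELF" + b"\x00" * 60)
        zf.writestr("examplepkg_hook.pth", "import examplepkg\n")
        zf.writestr(
            "examplepkg-0.1.dist-info/METADATA",
            "Metadata-Version: 2.1\nName: examplepkg\nVersion: 0.1\n"
            "Requires-Dist: requests\nRequires-Dist: pillow; extra == 'img'\n",
        )
        zf.writestr("examplepkg-0.1.dist-info/RECORD", "")
    return buf.getvalue()


def audit_wheel(wheel_bytes):
    """Inspect a wheel archive without installing it. Returns the findings a
    reviewer should look at before running pip install."""
    findings = {
        "native_extensions": [],  # compiled code that runs when imported
        "pth_files": [],          # top-level .pth files processed at startup
        "pth_exec_lines": [],     # lines site.py executes as Python code
        "requires_dist": [],      # declared dependencies to review in turn
    }
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        for name in zf.namelist():
            if NATIVE_EXT.search(name):
                findings["native_extensions"].append(name)
            # site.py only honours .pth files directly inside site-packages,
            # so only top-level entries count.
            if name.endswith(".pth") and "/" not in name:
                findings["pth_files"].append(name)
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    if line.startswith(("import ", "import\t")):
                        findings["pth_exec_lines"].append(line.strip())
            if name.endswith(".dist-info/METADATA"):
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    if line.startswith("Requires-Dist:"):
                        findings["requires_dist"].append(line.split(":", 1)[1].strip())
    return findings


def risk_summary(findings):
    """Short verdict: native code or .pth hooks mean manual review first."""
    reasons = []
    if findings["native_extensions"]:
        reasons.append("ships native extensions")
    if findings["pth_exec_lines"]:
        reasons.append("runs code from .pth at every interpreter start")
    if findings["requires_dist"]:
        reasons.append("pulls %d declared dependencies" % len(findings["requires_dist"]))
    return "REVIEW: " + "; ".join(reasons) if reasons else "no flags"


if __name__ == "__main__":
    result = audit_wheel(build_sample_wheel())
    for key, value in result.items():
        print(f"{key}: {value}")
    print(risk_summary(result))
```

To apply this to a real package, fetch it without installing, for example with `pip download --no-deps --only-binary=:all: --dest ./review <package>`, then pass the downloaded .whl bytes to `audit_wheel`. The `--only-binary` flag matters: letting pip fall back to a source distribution makes it build metadata, which executes the package's setup code on your machine.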

What Security Teams Should Monitor

Organizations with vulnerability research, red-team, or penetration-testing teams should monitor developer workstations for unusual Python behavior. These machines often hold access to tools, customer environments, and sensitive internal systems.

BleepingComputer noted that ChocoPoC can execute commands, steal browser data, collect files, and enumerate system details. That makes post-infection response broader than simply removing a malicious Python package.

[Image: ChocoPoC infection chain]

Teams should rotate credentials used on any suspected system. They should also review browser-stored passwords, SSH keys, API tokens, VPN profiles, and client project files that may have been exposed.

Why Mapbox Traffic Needs Context

Mapbox is a legitimate service, so blocking all Mapbox traffic may not make sense for every organization. The better approach is to identify whether developer machines should contact Mapbox dataset endpoints at all.

The Mapbox Datasets API is designed for working with dataset features, not malware delivery. ChocoPoC abused that legitimate functionality to hide instructions inside data fields controlled by the attacker.

The Hacker News also reported that Spanish-language command names and code issues led researchers to believe the RAT was hand-written rather than AI-generated. No public report has attributed the campaign to a named threat group.

Security Takeaway

ChocoPoC shows that exploit researchers are now being targeted through the same public PoC ecosystem they rely on for rapid testing. The main risk is not only malicious code inside an exploit file, but also hidden code buried in dependencies.

The campaign also shows how attackers can abuse trusted developer workflows. A single pip install command can pull a malicious package, load a compiled extension, fetch a RAT from a dead-drop service, and expose sensitive research data.

Security researchers should slow down before running new PoCs, even during high-pressure disclosure windows. Treat dependency chains as part of the exploit, not as background setup.

FAQ

What is ChocoPoC malware?

ChocoPoC is a Python remote access trojan delivered through trojanized proof-of-concept exploit repositories and malicious Python dependencies. It can steal data, collect browser information, and execute commands on compromised systems.

Who is ChocoPoC targeting?

The campaign targets vulnerability researchers, penetration testers, and security teams that download and run public proof-of-concept exploit code for newly disclosed vulnerabilities.

How does ChocoPoC use Mapbox?

ChocoPoC uses Mapbox datasets as a dead-drop command channel. The downloader retrieves encoded Python payloads from dataset feature properties and executes them on the infected system.

Which malicious Python packages are linked to ChocoPoC?

The campaign has been linked to malicious packages including frint, skytext, slogsec, and logcrypt.cryptography. The 2026 wave used frint and skytext, while an earlier wave used slogsec and logcrypt.cryptography.

How can researchers protect themselves from malicious PoCs?

Researchers should review dependency files before installing packages, test PoCs only in disposable virtual machines, block unnecessary outbound traffic, avoid unknown repositories, and keep credentials and client data away from research sandboxes.

Readers help support VPNCentral. We may get a commission if you buy through our links.
