New 'ChocoPoC' Python RAT Targets Security Researchers via Weaponized PoC Exploits on GitHub

'ChocoPoC' Malware Campaign Targets Cybersecurity Researchers with Trojanized GitHub Exploits

MEDIUM
July 10, 2026
5m read
MalwarePhishingThreat Actor

Related Entities

Products & Tech

Other

ChocoPoC

Full Report

Executive Summary

Cybersecurity researchers are being targeted in a new, insidious malware campaign. The campaign distributes a previously unknown Python-based Remote Access Trojan (RAT), dubbed ChocoPoC, by hiding it within fake or trojanized proof-of-concept (PoC) exploits hosted on GitHub. Attackers are leveraging the natural curiosity and daily workflow of security professionals, who frequently download and analyze PoC code. When a researcher executes the weaponized exploit, the ChocoPoC RAT is deployed on their machine, granting the attackers remote command execution and data theft capabilities. This campaign is a stark reminder of the importance of operational security (OPSEC) for defenders and the need to treat all untrusted code, even PoC exploits, as potentially malicious.


Threat Overview

The ChocoPoC campaign is a classic example of a watering hole attack tailored for the cybersecurity community. Instead of compromising a website, the attackers poison the well of information that researchers rely on: public code repositories.

The attack vector is simple but effective:

  1. Weaponize PoC Code: Threat actors take legitimate or create fake PoC exploit scripts for known vulnerabilities.
  2. Embed the RAT: They embed the ChocoPoC Python RAT within the PoC script. This can be done through obfuscation or by making it appear as a necessary component of the exploit.
  3. Host on GitHub: The trojanized PoC is uploaded to GitHub, often in a repository with a name and description designed to attract researchers looking into a specific vulnerability.
  4. Execution by Researcher: A security researcher discovers the PoC, downloads it to their analysis machine, and runs it. This triggers the execution of the hidden ChocoPoC payload.

Once active, the RAT establishes a connection to a command-and-control server, allowing the attacker to execute arbitrary commands, search for and exfiltrate sensitive files (such as research notes, credentials, or private keys), and deploy additional malware.


Technical Analysis

This campaign leverages social engineering and technical masquerading.

This attack vector is particularly effective because it turns a researcher's primary tool—exploit code—into a weapon against them. It exploits the inherent trust, however small, that a researcher places in a PoC to function as advertised.


Impact Assessment

The impact of a successful ChocoPoC infection can be severe. For an individual researcher, it means the compromise of their professional and personal data, the theft of their ongoing research, and potential reputational damage. For the researcher's employer, it can lead to the compromise of corporate intellectual property, access to internal networks, and the exposure of sensitive information about the company's security posture or its clients. A compromised researcher's machine is a valuable beachhead for a threat actor looking to pivot into a corporate network.

IOCs — Directly from Articles

No specific GitHub repository URLs, file hashes, or C2 domains were provided in the source articles.

Cyber Observables — Hunting Hints

Researchers and security teams should be wary of the following:

Type
File Name
Value
PoC.py, exploit.py
Description
Be suspicious of PoC scripts that are heavily obfuscated or contain large, encoded blobs.
Type
Network Traffic Pattern
Value
Outbound connection from Python script
Description
A PoC for a local vulnerability should not be making outbound network connections. This is a major red flag.
Type
Process Name
Value
python.exe
Description
Monitor for Python processes that write new files to disk, attempt to establish persistence, or make suspicious network calls.

Detection & Response

  1. Sandboxing: ALWAYS run untrusted code, including PoC exploits, in a completely isolated and sandboxed environment (e.g., a dedicated VM with no network access or restricted network access). This is the most critical detection and prevention step. This is a form of D3FEND's Dynamic Analysis (D3-DA).
  2. Network Monitoring: Monitor all network traffic from analysis environments. Any unexpected outbound connection should be blocked and investigated.
  3. Static and Dynamic Analysis: Before running a PoC, perform static analysis on the code to look for suspicious elements like obfuscated code, network connection logic, or file system manipulation. Then, run it in a dynamic analysis sandbox to observe its behavior.

Mitigation

  1. OPSEC for Researchers: The primary mitigation is strong operational security. Treat all code from the internet as hostile until proven otherwise. Use non-persistent, isolated virtual machines for all analysis.
  2. Network Isolation: The analysis environment should be on a separate network segment with strict egress filtering, blocking all outbound traffic by default. This is a form of M1030 - Network Segmentation.
  3. Code Review: Manually review the code of any PoC before executing it. Look for anything that isn't directly related to the claimed exploit functionality. Why does this buffer overflow PoC need the requests library?
  4. Principle of Least Privilege: Run analysis tools and PoCs as a non-privileged user within the sandbox to limit the potential impact of the malware.

Timeline of Events

1
July 10, 2026
This article was published

MITRE ATT&CK Mitigations

Executing all untrusted code, including PoCs, in an isolated sandbox is the most effective mitigation.

Placing the analysis sandbox on an isolated network segment with strict egress filtering prevents C2 and exfiltration.

Training researchers on OPSEC principles for handling potentially malicious code is a critical, non-technical control.

D3FEND Defensive Countermeasures

The cornerstone of defense against campaigns like ChocoPoC is the strict use of sandboxing for all dynamic analysis. Security researchers must never run a PoC from GitHub or any untrusted source directly on their host machine or any machine connected to the corporate network. Instead, use a dedicated, isolated virtual machine for analysis. This VM should be non-persistent (reverting to a clean snapshot after each use) and have its network access severely restricted. Ideally, it should be fully isolated or only allowed to connect to specific, monitored IP addresses. This ensures that even if the ChocoPoC RAT executes, it is contained within the sandbox and cannot access sensitive data or pivot to other systems.

For the analysis sandbox environment, implement a default-deny outbound traffic policy. Most PoC exploits for local vulnerabilities have no legitimate reason to make outbound network connections. Configure the sandbox's virtual firewall to block all egress traffic. Any attempt by the executed PoC (containing ChocoPoC) to initiate a connection to its C2 server will be blocked. This not only prevents the attacker from gaining remote access and exfiltrating data but also serves as a high-fidelity detection event. A blocked outbound connection attempt from a PoC script is a clear indicator that the script is malicious.

Sources & References

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)

Tags

ChocoPoCMalwareRATGitHubCybersecurity ResearcherOPSECWatering Hole

📢 Share This Article

Help others stay informed about cybersecurity threats

🎯 MITRE ATT&CK Mapped

Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.

🧠 Enriched & Analyzed

Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.

🛡️ Actionable Guidance

Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.

🔗 STIX Visualizer

Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.

Sigma Generator

Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.