← Back to blog

ChocoPoC RAT Disguised as Fake CVE Exploits Targets Security Researchers

A new remote access trojan called ChocoPoC is being distributed through fraudulent proof-of-concept repositories on GitHub, specifically targeting vulnerability researchers and security professionals. The malware steals credentials, browser data, and establishes persistent system access when executed.

TL;DR

  • ChocoPoC RAT hidden in fake GitHub PoC repos claiming to exploit recent CVEs
  • Targets vulnerability researchers and security professionals who test exploits
  • Exfiltrates passwords, cookies, files, and establishes reverse shell access
  • Highlights supply-chain risk in security research and open-source communities
  • Researchers should verify exploit sources and use isolated environments for testing

Attackers are leveraging the trust security researchers place in proof-of-concept code by distributing a sophisticated remote access trojan through fraudulent GitHub repositories. The malware, named ChocoPoC, is packaged as working exploits for recently disclosed vulnerabilities, making it particularly appealing to professionals who need to validate emerging threats.

When executed, ChocoPoC operates silently in the background, harvesting sensitive data including saved passwords, browser cookies, and local files while simultaneously establishing a reverse shell that grants attackers direct command execution on the victim's machine. This attack pattern represents a critical supply-chain vulnerability in the security research ecosystem itself.

Attack Vector and Distribution

  • Malware distributed through fake GitHub repositories mimicking legitimate PoC projects
  • Repositories claim to contain working exploits for current CVEs to attract researchers
  • Python-based implementation allows cross-platform execution on Windows, macOS, and Linux
  • Targets the specific workflow of vulnerability researchers who test exploits in their environments

Capabilities and Data Theft

  • Exfiltrates stored passwords and authentication credentials from browsers and password managers
  • Harvests browser cookies containing session tokens and authentication data
  • Collects files from user directories for espionage or further exploitation
  • Establishes persistent reverse shell for ongoing remote access and command execution
  • Operates with minimal user visibility once initial execution occurs

Defensive Recommendations

  • Verify exploit repository authenticity through official security advisories and trusted sources
  • Execute untrusted PoC code only in isolated virtual machines or sandboxed environments
  • Review code before execution, particularly checking for suspicious imports or network calls
  • Implement network segmentation to limit lateral movement if a researcher's machine is compromised
  • Monitor for unusual outbound connections from development and testing systems

Sources

Sources

Security email updates

One digest email when we publish new security articles (TL;DR plus links to read more). Unsubscribe anytime from the message footer. See our Privacy Policy.

ChocoPoC RAT Disguised as Fake CVE Exploits Targets Security Researchers — Agent Breach Blog | Agent Breach