LIVE · cybersecurity feed
vulnerability

New ChocoPoC RAT Targets Vulnerability Researchers via Fake PoC Exploit Repos

zeroday.news·6d ago

A new Remote Access Trojan (RAT) named ChocoPoC is being distributed through deceptive proof-of-concept (PoC) exploit repositories on GitHub, specifically targeting vulnerability researchers. These malicious repositories masquerade as legitimate sources for code demonstrating newly discovered vulnerabilities, aiming to trick security professionals into downloading and executing the malware.

The ChocoPoC RAT is designed to steal sensitive data from its victims. It is delivered disguised within Python code that purports to be a working exploit for a recently disclosed vulnerability. By presenting itself as a tool for security research, the malware leverages the trust and workflow of individuals actively seeking and analyzing security flaws.

The attack vector relies on the common practice among vulnerability researchers of examining PoC exploit code to understand and verify new security issues. Threat actors are exploiting this by creating fake repositories that appear to offer functional exploit code for trending vulnerabilities. When a researcher downloads and runs this code, they inadvertently install the ChocoPoC RAT on their system.

Once executed, ChocoPoC establishes a connection with a command-and-control (C2) server, allowing attackers to remotely control the compromised machine. The primary objective of the malware is data exfiltration, meaning it is designed to identify and steal sensitive information stored on the victim's computer. The specific types of data targeted are not detailed, but typical RAT functionalities include the theft of credentials, intellectual property, and other confidential files.

The use of GitHub as a distribution platform is a strategic choice by the attackers. GitHub is a widely used platform for code sharing and collaboration, making it a natural place for researchers to find and share exploit code. By populating repositories with malicious Python scripts, threat actors can reach a concentrated audience of individuals who are likely to download and run such code.

The nature of the malware as a RAT implies a broad range of potential malicious activities beyond simple data theft. Attackers could potentially use ChocoPoC to establish a persistent presence on a victim's network, conduct further reconnaissance, deploy additional malware, or use the compromised system as a pivot point for attacks against other targets.

This campaign highlights a growing trend of attackers targeting the cybersecurity community itself. By weaponizing the tools and methods used by defenders, threat actors aim to compromise the very individuals tasked with protecting systems and data. This sophisticated approach requires researchers to maintain a high level of vigilance, even when interacting with seemingly legitimate security resources.

While specific technical details on ChocoPoC's evasion techniques or its exact data exfiltration methods are not provided, the core functionality of a RAT suggests it would likely employ mechanisms to avoid detection by antivirus software and other security measures. Researchers are advised to exercise extreme caution when downloading and executing any code from public repositories, especially proof-of-concept exploits for newly disclosed vulnerabilities. Verifying the source and thoroughly auditing any downloaded code before execution are crucial steps in mitigating such risks.

vulnerabilitymalware
← Back to latest

More News

view all →
zeroday.news · 4h ago·critical

Ubiquiti Patches Critical UniFi Flaws Across Connect, Talk, Access, Protect, and OS

Ubiquiti has released security updates to address several critical vulnerabilities affecting its UniFi product line, including UniFi Connect, Talk, Access, Protect, and OS. These flaws could allow attackers to escalate privileges or execute arbitrary commands on affected devices. While no active exploitation has been reported for these specific vulnerabilities, the company has previously seen its UniFi OS and Edge OS products targeted by threat actors.

zeroday.news · 4h ago·critical

Attackers using Langflow flaw for credential harvesting (CVE-2026-55255)

CISA has issued a warning regarding a critical vulnerability (CVE-2026-55255) in the Langflow AI framework, which is being actively exploited by attackers. The flaw allows authenticated users to execute arbitrary flows belonging to other users, potentially leading to the theft of sensitive credentials and data exposure, especially in multi-tenant environments. US federal agencies have been mandated to patch this vulnerability by July 10th.

zeroday.news · 3h ago·high

China-Linked APT Expands Arsenal With New ‘Leash’ Backdoors

A China-linked advanced persistent threat (APT) group, identified as LapDogs, has reportedly enhanced its malicious toolkit. Security researchers have observed the deployment of three new backdoors: LongLeash, DogLeash, and JarLeash, which are designed to compromise small office/home office (SOHO) routers.

zeroday.news · 3h ago·high

RedWing Android Spyware Sold as a Service on Telegram

A new Android spyware called RedWing is being offered as a service on Telegram, allowing less sophisticated attackers to compromise phones and steal banking information. Researchers have identified it as a polished malware-as-a-service operation with extensive documentation and a subscription model, potentially linked to Russian threat actors. RedWing employs fake login overlays, SMS interception, call forwarding, and even screen control to harvest credentials and conduct further malicious activities.

zeroday.news · 3h ago·high

Operationalizing Day Minus Seven: The Cloud-Native ROC

The article introduces the concept of a Risk Operations Center (ROC) as a necessary evolution for cybersecurity teams facing AI-driven threats. It argues that traditional risk management models are insufficient due to the speed at which AI can discover and exploit vulnerabilities, especially in cloud environments. A ROC, powered by platforms like Qualys Enterprise TruRisk Management (ETM), aims to unify disparate security findings, hyper-prioritize risks based on exploitability and business impact, and enable autonomous remediation to keep pace with attackers.

zeroday.news · 4h ago·high

Armored Likho Hits Government, Energy Sectors With BusySnake Stealer

Cybersecurity researchers have identified a new threat actor, dubbed Armored Likho, targeting government and energy sectors in Russia, Kazakhstan, and Brazil with a sophisticated phishing campaign. The operation utilizes a custom-built Python infostealer named BusySnake, designed to steal credentials, sensitive documents, and other high-value data. The attackers employ AI-generated payloads to obscure their activities and maintain persistence through various methods, including reverse SSH tunneling.