New ChocoPoC RAT Targets Vulnerability Researchers via Fake PoC Exploit Repos

A new Remote Access Trojan (RAT) named ChocoPoC is being distributed through deceptive proof-of-concept (PoC) exploit repositories on GitHub, specifically targeting vulnerability researchers. These malicious repositories masquerade as legitimate sources for code demonstrating newly discovered vulnerabilities, aiming to trick security professionals into downloading and executing the malware.
The ChocoPoC RAT is designed to steal sensitive data from its victims. It is delivered disguised within Python code that purports to be a working exploit for a recently disclosed vulnerability. By presenting itself as a tool for security research, the malware leverages the trust and workflow of individuals actively seeking and analyzing security flaws.

The attack vector relies on the common practice among vulnerability researchers of examining PoC exploit code to understand and verify new security issues. Threat actors are exploiting this by creating fake repositories that appear to offer functional exploit code for trending vulnerabilities. When a researcher downloads and runs this code, they inadvertently install the ChocoPoC RAT on their system.
Once executed, ChocoPoC establishes a connection with a command-and-control (C2) server, allowing attackers to remotely control the compromised machine. The primary objective of the malware is data exfiltration, meaning it is designed to identify and steal sensitive information stored on the victim's computer. The specific types of data targeted are not detailed, but typical RAT functionalities include the theft of credentials, intellectual property, and other confidential files.
The use of GitHub as a distribution platform is a strategic choice by the attackers. GitHub is a widely used platform for code sharing and collaboration, making it a natural place for researchers to find and share exploit code. By populating repositories with malicious Python scripts, threat actors can reach a concentrated audience of individuals who are likely to download and run such code.

The nature of the malware as a RAT implies a broad range of potential malicious activities beyond simple data theft. Attackers could potentially use ChocoPoC to establish a persistent presence on a victim's network, conduct further reconnaissance, deploy additional malware, or use the compromised system as a pivot point for attacks against other targets.
This campaign highlights a growing trend of attackers targeting the cybersecurity community itself. By weaponizing the tools and methods used by defenders, threat actors aim to compromise the very individuals tasked with protecting systems and data. This sophisticated approach requires researchers to maintain a high level of vigilance, even when interacting with seemingly legitimate security resources.
While specific technical details on ChocoPoC's evasion techniques or its exact data exfiltration methods are not provided, the core functionality of a RAT suggests it would likely employ mechanisms to avoid detection by antivirus software and other security measures. Researchers are advised to exercise extreme caution when downloading and executing any code from public repositories, especially proof-of-concept exploits for newly disclosed vulnerabilities. Verifying the source and thoroughly auditing any downloaded code before execution are crucial steps in mitigating such risks.





