ChocoPoC Malware Targets Researchers Via GitHub Exploits
A new malware strain dubbed ChocoPoC has been identified, targeting cybersecurity researchers through weaponized proof-of-concept (PoC) exploits hosted on GitHub. This Python-based remote access trojan (RAT) is capable of executing commands on compromised systems and exfiltrating sensitive data. The campaign's focus on PoC exploits suggests an intent to leverage the tools and knowledge of security professionals against them.
The ChocoPoC malware operates by embedding itself within seemingly legitimate PoC exploit code. When researchers download and run these trojanized files, they inadvertently install the RAT. Initial analysis indicates that ChocoPoC can establish a persistent connection to a command-and-control (C2) server, allowing attackers to remotely control the infected machine. The stolen data could include credentials, configuration files, or other proprietary information relevant to security research.
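The pattern described above, a RAT hidden inside an otherwise plausible PoC, is what a researcher should screen for before running anything pulled from an unfamiliar repository. The following static triage script is an added example written for this page, not code from the article or from the ChocoPoC analysis; it parses a candidate Python file with `ast` and flags the indicators that typically accompany a trojanized PoC (`exec`/`eval` applied to a decoded blob, long base64-like string literals, shell or socket calls, persistence-related imports) without ever importing or executing the file. Both sample PoCs, the heuristics, their weights and the `risk_score`/`verdict` helpers are constructed for illustration; the "stage two" payload inside the trojanized sample is a harmless `print` placeholder.

```python
"""Pre-execution triage for a downloaded Python PoC: static heuristics only.
The candidate source is parsed, never imported or run."""
import ast
import base64
import binascii
import re
from dataclasses import dataclass

# Heuristics (assumptions, not IoCs from the page). A legitimate PoC may open a
# socket or spawn a process, so each finding carries a weight and the caller
# applies a threshold instead of treating any single hit as proof of malice.
DYNAMIC_EXEC = {"exec", "eval", "compile", "__import__"}
DECODERS = {"b64decode", "b32decode", "decompress", "loads", "unhexlify"}
NETWORK_OR_SHELL = {
    ("os", "system"), ("os", "popen"), ("subprocess", "Popen"),
    ("subprocess", "run"), ("subprocess", "call"), ("subprocess", "check_output"),
    ("socket", "socket"),
}
PERSISTENCE_HINTS = {"winreg", "crontab"}
B64_CHARS = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


@dataclass(frozen=True)
class Finding:
    line: int
    weight: int
    kind: str
    detail: str


def _looks_like_base64(s: str) -> bool:
    """True for a long literal that is valid base64 once whitespace is removed."""
    compact = "".join(s.split())
    if len(compact) < 64 or not B64_CHARS.match(compact):
        return False
    try:
        base64.b64decode(compact, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def _call_name(fn: ast.expr) -> str:
    if isinstance(fn, ast.Name):
        return fn.id
    if isinstance(fn, ast.Attribute):
        return fn.attr
    return ""


def scan_source(src: str) -> list[Finding]:
    """Walk the AST of `src` and collect weighted findings, sorted by line."""
    findings: list[Finding] = []
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Call):
            fn, name = node.func, _call_name(node.func)
            if name in DYNAMIC_EXEC:
                # exec(base64.b64decode(...)) is the classic dropper shape
                decoded = any(isinstance(a, ast.Call) and _call_name(a.func) in DECODERS
                              for a in node.args)
                if decoded:
                    findings.append(Finding(node.lineno, 5, "exec-of-decoded-blob",
                                            f"{name}() applied to a decoder result"))
                else:
                    findings.append(Finding(node.lineno, 3, "dynamic-exec", f"{name}() call"))
            elif (isinstance(fn, ast.Attribute) and isinstance(fn.value, ast.Name)
                  and (fn.value.id, fn.attr) in NETWORK_OR_SHELL):
                findings.append(Finding(node.lineno, 2, "network-or-shell",
                                        f"{fn.value.id}.{fn.attr}()"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if _looks_like_base64(node.value):
                findings.append(Finding(node.lineno, 2, "encoded-blob",
                                        f"{len(node.value)}-char base64-like literal"))
        elif isinstance(node, (ast.Import, ast.ImportFrom)):
            mods = ([a.name for a in node.names] if isinstance(node, ast.Import)
                    else [node.module or ""])
            for m in mods:
                if m.split(".")[0] in PERSISTENCE_HINTS:
                    findings.append(Finding(node.lineno, 2, "persistence-hint", f"import {m}"))
    return sorted(findings, key=lambda f: f.line)


def risk_score(findings: list[Finding]) -> int:
    return sum(f.weight for f in findings)


def verdict(src: str, threshold: int = 5) -> str:
    """Constructed policy: anything at or above the threshold gets manual review."""
    return "review-before-running" if risk_score(scan_source(src)) >= threshold else "no-static-indicators"


# Constructed samples. The hidden "stage two" is a harmless print so the
# trojanized sample is illustrative only; the scanner never executes it.
_STAGE_TWO = base64.b64encode(
    b"print('constructed placeholder: a real dropper would pull its RAT and beacon to C2 here')"
).decode()

BENIGN_POC = '''
import struct
import sys

def build_packet(seq: int) -> bytes:
    """Constructed sample: a harmless packet builder a PoC might contain."""
    return struct.pack(">HI", 0x1337, seq)

if __name__ == "__main__":
    sys.stdout.buffer.write(build_packet(1))
'''

TROJANIZED_POC = f'''
import base64
import struct
import subprocess

def build_packet(seq: int) -> bytes:
    return struct.pack(">HI", 0x1337, seq)

# Hidden "initialisation" step prepended to the real PoC logic.
exec(base64.b64decode("{_STAGE_TWO}"))
subprocess.run(["hostname"], capture_output=True)
'''

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_POC), ("trojanized", TROJANIZED_POC)):
        print(f"{label}: {verdict(src)} (score {risk_score(scan_source(src))})")
        for f in scan_source(src):
            print(f"  line {f.line:>3}  [{f.kind}] {f.detail}")
```

The script only reads; the safe workflow it supports is to run it over a freshly cloned repository, read every flagged line in context, and execute the PoC in a disposable VM regardless of the verdict, since a clean static scan does not rule out a payload fetched at runtime.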
Security researchers first observed this threat campaign in early May 2024. The attackers are actively maintaining a presence on GitHub, regularly updating the malicious repositories with new or modified PoC exploits. This ongoing activity highlights the dynamic nature of cyber threats and the need for constant vigilance within the cybersecurity community. Because the malware is written in Python, it is relatively cross-platform, although specific targeting details are still under investigation.
While the full scope of ChocoPoC's capabilities is still being analyzed, its primary functions revolve around reconnaissance and data theft. The malware's ability to execute arbitrary commands allows for deeper system compromise and lateral movement within a network. The campaign's sophistication lies in its deceptive approach, preying on the inherent curiosity and professional needs of cybersecurity researchers who rely on PoC exploits for learning and testing. Further investigation is ongoing to identify the full range of data ChocoPoC can steal and to attribute the attacks.
Original source: read the full reporting at BleepingComputer.