Threat actors deployed trojanized proof-of-concept exploits on GitHub to distribute ChocoPoC, a Python-based remote access trojan targeting cybersecurity researchers. The malware executes arbitrary commands and exfiltrates sensitive data from infected systems.
The attack method exploits researcher behavior. Security professionals frequently test public PoC code to understand vulnerabilities and validate findings. Attackers weaponized these repositories by injecting ChocoPoC into otherwise legitimate exploit code. Researchers downloading and executing the poisoned PoCs inadvertently installed the RAT onto their machines.
ChocoPoC operates as a full remote access trojan. It accepts command execution requests from attacker-controlled servers, allowing operators to run arbitrary code with the privileges of the infected user. The malware also harvests sensitive information from affected systems, including credentials, research data, and internal security assessments.
The campaign specifically targets the research community. Threat actors gain access to security professionals' systems, machines that often contain valuable intellectual property, unreleased vulnerability details, and internal security tooling. This positions affected researchers as high-value targets for espionage or competitive intelligence operations.
Organizations employing security researchers face several risks. Compromised researchers may expose unpublished vulnerability research, internal security infrastructure details, or proprietary testing methodologies. The attackers also gain a foothold in corporate networks through infected researcher endpoints.
GitHub removed the malicious repositories after discovery, but the campaign highlights ongoing risks. Researchers should verify PoC code authenticity before execution, isolate testing environments, and monitor downloads from untrusted sources. Organizations should mandate code review procedures for external exploit testing and implement endpoint detection focused on RAT behavior patterns including unexpected network connections and command execution chains.
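One way to carry out the pre-execution review recommended above is to parse a Python PoC statically and flag the call patterns a RAT loader needs. This is an added example, not code from the original report or from any vendor tooling. The indicator sets are generic assumptions rather than ChocoPoC signatures, and the sample input is constructed.

```python
import ast

# Heuristic indicator sets: assumptions for illustration, not ChocoPoC signatures.
DYNAMIC_EXEC = {"exec", "eval", "compile", "__import__"}
SHELL_CALLS = {"os.system", "os.popen", "subprocess.run", "subprocess.Popen",
               "subprocess.call", "subprocess.check_output"}
DECODERS = {"base64.b64decode", "zlib.decompress", "marshal.loads", "bytes.fromhex"}
NETWORK_MODULES = {"socket", "requests", "urllib", "http", "ftplib", "smtplib"}

# Constructed sample standing in for a downloaded PoC; it is parsed, never run.
SAMPLE = '''
import base64, socket
def check(target):
    return socket.create_connection((target, 80))
exec(base64.b64decode("Y29uc3RydWN0ZWQ="))
'''

def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        return ".".join(reversed(parts + [node.id]))
    return None

def triage(source):
    """Parse PoC source without executing it; return sorted (line, kind, name)."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        mods = ([a.name for a in node.names] if isinstance(node, ast.Import)
                else [node.module or ""] if isinstance(node, ast.ImportFrom) else [])
        for mod in mods:
            if mod.split(".")[0] in NETWORK_MODULES:
                findings.add((node.lineno, "network", mod))
        if isinstance(node, ast.Call):
            name = dotted_name(node.func)
            for kind, names in (("dynamic-exec", DYNAMIC_EXEC),
                                ("shell", SHELL_CALLS), ("decode", DECODERS)):
                if name in names:
                    findings.add((node.lineno, kind, name))
    return sorted(findings)

def needs_manual_review(findings):
    """True when indicators combine: decode + exec, or network + command execution."""
    kinds = {kind for _, kind, _ in findings}
    return ({"decode", "dynamic-exec"} <= kinds or
            ("network" in kinds and bool(kinds & {"shell", "dynamic-exec"})))
```

A flagged file still needs a human to read the reported lines, and a clean result is not proof of safety because obfuscated code can evade name matching, so the PoC should still run only in an isolated test environment.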
The use of trojanized legitimate resources represents a sophisticated supply chain attack. It bypasses initial skepticism researchers typically apply to overtly suspicious files
