ChocoPoC: The dangerous hack targeting vulnerability researchers
A new Trojan called ChocoPoC is infiltrating GitHub repositories to infect security researchers with malicious code.

The threat hidden behind proof-of-concept repositories
In the cybersecurity ecosystem, trust is a valuable but dangerous currency. Recently, a malicious campaign has emerged using ChocoPoC, a Remote Access Trojan (RAT) specifically designed to target researchers who actively seek to exploit security flaws. The technique involves camouflaging the malware within GitHub repositories that promise tools to exploit newly discovered CVEs.
These types of attacks demonstrate how threat actors are refining their social engineering, aiming directly at those who, ironically, dedicate their lives to discovering and reporting breaches. By executing the proof-of-concept (PoC) code, the victim not only triggers the expected exploit but also allows the malware to take silent control of their system.
How does the ChocoPoC attack work?
The operation of ChocoPoC is sophisticated and designed to maximize the theft of sensitive information. Once the Python script runs on the researcher's machine, the payload performs the following actions:
- Credential extraction: Accesses passwords saved in the browser.
- Identity theft: Steals session cookies to hijack active accounts.
- File exfiltration: Scans directories for critical data.
- Persistent access: Opens a remote shell, allowing the attacker to maintain full access to the infected computer.
"Security researchers must be extremely cautious when executing code from unverified sources, even if they appear to be legitimate tools for vulnerability analysis."
The current threat landscape
This incident highlights a worrying trend: attackers are using increasingly targeted tactics. This is not the first time we have observed these types of distribution vectors; similar campaigns have used legitimate platforms to propagate malicious software, as detailed in the analysis of VEIL#DROP: El nuevo hack que utiliza Blogger para distribuir malware.
Furthermore, cybersecurity faces a scenario where security flaws are exploited rapidly, often leading to more complex ransomware attacks, as we have seen with the exploitation of critical flaws where the CISA Alert: BlueHammer vulnerability now being used by ransomware has put critical infrastructure on high alert. The lesson is clear: in a world where open source is the norm, verifying software integrity is the first line of defense.
Recommendations for protection
- Execution in isolated environments: Never test PoCs on primary machines; always use sandboxes or virtual machines.
- Code auditing: Always review dependencies and network calls within downloaded scripts.
- Network monitoring: Detect unusual outbound connections after executing files downloaded from public repositories.
Related articles
11 de julio de 2026
Condemna històrica: membre de la banda Ryuk ransomware admet la seva culpabilitat
Un ciutadà armeni es declara culpable als EUA pel desplegament de ransomware Ryuk, afrontant una possible sentència de 15 anys de presó.
11 de julio de 2026
Historic Conviction: Ryuk Ransomware Gang Member Admits Guilt
An Armenian national pleads guilty in the U.S. for deploying Ryuk ransomware and faces a potential 15-year prison sentence.
11 de julio de 2026
Condena histórica: miembro de la banda Ryuk ransomware admite su culpa
Un ciudadano armenio se declara culpable en EE. UU. por el despliegue de ransomware Ryuk, enfrentando una posible sentencia de 15 años de prisión.
10 de julio de 2026
Hackers exploten Microsoft Entra: Nova vulnerabilitat en passkeys
Un grup d'actors maliciosos utilitza enginyeria social per comprometre comptes de Microsoft 365 mitjançant falsos registres de passkeys a Entra.
Loading comments...