Security researchers discovered ChocoPoC, a new remote access trojan specifically designed to target vulnerability researchers through fake proof-of-concept exploit repositories hosted on GitHub. When researchers execute what appears to be legitimate PoC code for a known vulnerability, ChocoPoC silently steals browser credentials, session cookies, and local files while establishing a persistent backdoor that gives attackers ongoing access to the victim’s machine.
How ChocoPoC Uses the Security Research Workflow Against Researchers
The attack targets a specific behavior at the core of vulnerability research: when a new CVE is disclosed, security researchers routinely search GitHub for proof-of-concept exploit code to test, reproduce, and understand the vulnerability. Attackers behind ChocoPoC create or publish repositories that impersonate legitimate PoC exploit code for recently disclosed vulnerabilities, positioning them to appear in search results or be shared within research communities. A researcher who downloads and executes the trojanized repository activates ChocoPoC’s payload, which operates silently in the background while the researcher believes they are working with legitimate exploit code.
ChocoPoC’s Capabilities: Browser Credentials, Cookies, Files, and Persistent Shell Access
The ChocoPoC RAT’s payload combines multiple data theft functions with a persistent access mechanism. The malware steals stored passwords and session cookies from browsers, which can provide authenticated access to any web application or cloud service the researcher was logged into at the time of infection. File exfiltration capabilities mean local project files, research notes, and any stored credentials or configuration files on the machine are accessible to the attacker. The persistent shell backdoor establishes ongoing attacker access to the compromised machine that survives the initial infection session, allowing attackers to return to the researcher’s system over an extended period rather than extracting data in a single burst.
Why Vulnerability Researchers Are High-Value ChocoPoC Targets
The deliberate targeting of security researchers reflects the strategic value of their specific knowledge and access profile. Vulnerability researchers often hold pre-disclosure information about vulnerabilities that have not yet been publicly announced — intelligence that has independent monetary and operational value to threat actors. Their machines may contain consulting client network architectures, exploit code for unreleased vulnerabilities, correspondence with vendors about unpatched flaws, and ongoing threat intelligence investigations. A single compromised researcher machine can yield intelligence that would take substantial effort to gather through other means.
ChocoPoC Continues a Pattern of Supply Chain Attacks on the Security Community
ChocoPoC’s use of GitHub PoC repositories as a delivery mechanism follows an established pattern of attacks targeting security professionals through the tools and platforms they trust by professional necessity. By choosing GitHub — the primary platform where security researchers publish, share, and access exploit code — as the distribution channel, the campaign turns the community’s own collaborative workflows against its participants. Researchers rely on GitHub because it is where legitimate PoC code lives; ChocoPoC exploits that established trust to bypass the skepticism researchers would apply to unsolicited email attachments or unknown download sites.
Verifying PoC Repository Provenance Before Executing Unknown Code
Researchers encountering ChocoPoC’s campaign should verify the provenance of any PoC exploit code before executing it, confirm that repositories originate from credible, identifiable authors with consistent public research histories, and use sandboxed or isolated virtual environments when testing code from unfamiliar sources. Machines used for vulnerability research should not also hold credentials or authenticated sessions for production organizational infrastructure, limiting the blast radius of a ChocoPoC compromise to the research environment rather than the broader organizational network. Organizations with security research teams should assess whether ChocoPoC infection indicators are present on researcher machines that have accessed PoC repositories for recently disclosed vulnerabilities during the campaign’s active period.
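The following Python script is an added example, not code from the article or from any published ChocoPoC analysis; it shows one way to turn the provenance and isolation advice above into a pre-execution triage step. The author-metadata fields, the 30-day account-age threshold, and the file heuristics (shipped binaries, long base64 blobs, exec/eval of decoded data, runtime remote fetches) are assumptions chosen for illustration, and the repository it scans is constructed in a temporary directory rather than taken from any real campaign.

```python
"""Pre-execution triage of a downloaded PoC repository.

Added example; heuristics are assumptions for illustration, not indicators
published for ChocoPoC. A young author account with no other activity, compiled
binaries or long base64 blobs inside a 'source' PoC, and exec/eval of decoded
data are the kind of signs that should push a repo into a throwaway VM holding
no credentials, instead of onto a researcher's daily workstation.
"""
import re
import tempfile
from datetime import date
from pathlib import Path

BINARY_EXT = {".exe", ".dll", ".so", ".dylib", ".scr", ".bin", ".pyc"}
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
DYNAMIC_EXEC = re.compile(r"\b(exec|eval)\s*\(.*(b64decode|decompress|fromhex)", re.S)
REMOTE_FETCH = re.compile(r"(curl|wget|Invoke-WebRequest|urlopen|requests\.get)\b")

# Constructed metadata, shaped loosely after what a code-hosting API returns.
SAMPLE_META = {"account_created": date(2024, 1, 1), "public_repos": 1, "followers": 0}
SAMPLE_TODAY = date(2024, 1, 10)


def assess_author(meta: dict, today: date) -> list[str]:
    """Flag an author profile with no consistent public research history."""
    flags = []
    age = (today - meta["account_created"]).days
    if age < 30:  # assumed threshold
        flags.append(f"author account is only {age} days old")
    if meta.get("public_repos", 0) <= 1:
        flags.append("author has no other public repositories")
    if meta.get("followers", 0) == 0:
        flags.append("author has no followers / no visible research history")
    return flags


def scan_repo_tree(root: Path) -> list[str]:
    """Walk the checkout and flag content that a plain source PoC should not need."""
    flags = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root)
        if path.suffix.lower() in BINARY_EXT:
            flags.append(f"{rel}: compiled binary shipped with a 'source' PoC")
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        if BASE64_BLOB.search(text):
            flags.append(f"{rel}: long base64 blob (possible embedded payload)")
        if DYNAMIC_EXEC.search(text):
            flags.append(f"{rel}: exec/eval of decoded data")
        if REMOTE_FETCH.search(text):
            flags.append(f"{rel}: fetches remote content at runtime")
    return flags


def triage(meta: dict, root, today: date) -> dict:
    """Combine author and content flags into a verdict on where (if at all) to run it."""
    flags = assess_author(meta, today) + scan_repo_tree(Path(root))
    if any("exec/eval" in f or "binary" in f for f in flags):
        verdict = "do not run; detonate only in a throwaway VM with no credentials"
    elif flags:
        verdict = "run only in an isolated VM; review the source first"
    else:
        verdict = "no heuristic flags; still review the source before running"
    return {"flags": flags, "verdict": verdict}


def build_constructed_sample(root) -> Path:
    """Write a constructed (not real) trojanized-looking repo for demonstration."""
    root = Path(root)
    (root / "README.md").write_text("# PoC for CVE-YYYY-NNNN (placeholder id)\n")
    blob = "A" * 240  # stands in for an encoded payload; never executed here
    (root / "exploit.py").write_text(
        "import base64\n" f"exec(base64.b64decode('{blob}'))\n"
    )
    (root / "helper.exe").write_bytes(b"MZ\x90\x00")
    return root


def demo() -> dict:
    """Build the constructed sample in a temp dir and triage it."""
    root = build_constructed_sample(tempfile.mkdtemp())
    return triage(SAMPLE_META, root, SAMPLE_TODAY)


if __name__ == "__main__":
    result = demo()
    for flag in result["flags"]:
        print("-", flag)
    print("verdict:", result["verdict"])
```

Run it against a real checkout by replacing the constructed sample with the clone directory and the metadata with the values your hosting platform's API returns for the author; a clean result still means "read the source", not "safe to run on the host".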
