Step 1: Initial Access and Social Engineering Lures
The threat actors behind the ChocoPoC campaign build polished, authentic-looking GitHub profiles that pose as legitimate security researchers, white-hat bug hunters, or independent pentesting teams. They upload proof-of-concept exploit code for critical vulnerabilities that security teams are actively trying to remediate. To maximize reach, the attackers advertise these repositories on developer forums, social platforms, and within GitHub issue threads.
Step 2: Transitive Dependency Hijack
When a researcher clones a repository and reviews the main Python exploit file, the script appears completely harmless: no malicious payloads or obfuscated strings are embedded in the core script. Instead, the attackers hide the execution trigger in the requirements.txt file, which lists a dependency on a malicious Python Package Index (PyPI) package named frint (specifically version 0.1.2). When the researcher runs pip install -r requirements.txt, pip downloads frint, which in turn pulls down a second malicious transitive dependency named skytext (version 1.1.0). In earlier iterations, the attackers used alternate packages such as slogsec and logcrypt.cryptography.
Step 3: Native Extension Loading and Evasion Gating
The core payload in the skytext library is a precompiled Python native extension: gradient.pyd for Microsoft Windows environments and gradient.so for Linux. When Python loads the compiled module, the extension initializes and immediately performs environmental key gating to evade detection. It hashes the basenames of all loaded Python modules and checks whether the designated exploit script is among them. If the extension is detonated in an isolated, automated sandbox where the full exploit script is not running, it stays completely dormant. This evasion technique ensures that automated malware analysis engines classify the PyPI packages as clean.
Step 4: Decryption, Multi-Platform Persistence, and Timestomping
Once the gating checks pass, the precompiled native extension unpacks five embedded payloads using zlib decompression. The malware establishes persistence by targeting the Python environment itself: it drops a trojanized version of the _distutils_hack package into the local Python site-packages directory and writes malicious .pth (Python path) files. To hinder forensic detection, the malware timestomps these newly written files, backdating their timestamps to match legitimate system libraries. Because of these changes, a hidden Python process automatically runs and imports choco.py (the Stage 2 downloader) every time any Python interpreter is launched on that workstation.
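A defender-side check for the persistence mechanism described in this step, added here as an example and not part of the original write-up or of the campaign's own code: it walks a site-packages directory, reports .pth files containing lines that start with import (the form site.py executes at interpreter start), flags the package and file names quoted above, and treats a large ctime/mtime gap as a backdating hint. The sample tree it builds is constructed for the demo; the seven-day gap threshold and the suspicious-call patterns are assumptions.

```python
import os, re, tempfile, time
from pathlib import Path

# Names taken from the campaign description; anything else reported is a heuristic hit.
KNOWN_NAMES = {"frint", "skytext", "slogsec", "gradient.pyd", "gradient.so", "choco.py"}
# site.py executes any .pth line that starts with "import". Legitimate files do this
# too (setuptools' distutils-precedence.pth), so findings are reported, not deleted.
EXEC_LINE = re.compile(r"^import\s")
SUSPICIOUS = re.compile(r"exec\(|__import__|base64|subprocess|urllib|zlib")
# utime() rewrites mtime but the kernel bumps ctime to "now" (POSIX), so an mtime far
# behind ctime hints at backdating; Windows st_ctime (creation) also sits near "now".
TIMESTOMP_GAP = 7 * 24 * 3600  # assumption: one week

def scan_site_packages(site_dir, gap=TIMESTOMP_GAP):
    """Return (path, reason) findings for one site-packages directory."""
    findings = []
    for path in Path(site_dir).rglob("*"):
        name = path.name
        if name in KNOWN_NAMES or name.split("-")[0] in KNOWN_NAMES:  # also *.dist-info
            findings.append((str(path), "known campaign artifact name"))
        if path.is_file() and path.suffix == ".pth":
            st = path.stat()
            if st.st_ctime - st.st_mtime > gap:
                findings.append((str(path), "mtime predates ctime (possible timestomp)"))
            for lineno, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
                if EXEC_LINE.match(line):
                    why = "executable .pth line %d" % lineno
                    if SUSPICIOUS.search(line):
                        why += " with suspicious call"
                    findings.append((str(path), why))
    return findings

def build_demo_tree():
    """Create a throwaway directory holding CONSTRUCTED sample artifacts (no real malware)."""
    base = Path(tempfile.mkdtemp(prefix="pth-demo-"))
    (base / "skytext-1.1.0.dist-info").mkdir()
    pth = base / "distutils-precedence.pth"  # benign-looking name, harmless content
    pth.write_text("import os, base64; os.getcwd()\n")
    old = time.time() - 30 * 24 * 3600  # backdate mtime the way a timestomper would
    os.utime(pth, (old, old))
    return str(base)

if __name__ == "__main__":
    import site
    for d in site.getsitepackages() + [site.getusersitepackages()]:
        for path, reason in (scan_site_packages(d) if os.path.isdir(d) else []):
            print(f"{reason}: {path}")
```

Run without arguments it scans the running interpreter's own site-packages directories; every finding is a review item, since setuptools and editable installs legitimately ship executable .pth lines.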
Step 5: Dead-Drop Command-and-Control and Bulk Exfiltration
The choco.py downloader script initializes communication by resolving api.mapbox.com over DNS-over-HTTPS (DoH). It uses custom HTTP headers for domain fronting and fetches a Base64-encoded dataset feature from Mapbox that contains the final-stage ChocoPoC RAT. Once running in memory, the RAT continuously polls Mapbox datasets for tasks, abusing legitimate Mapbox APIs as an asynchronous C2 channel. Small files and operational status reports are sent back directly through Mapbox datasets, while larger bulk data (such as web browser credential databases) is exfiltrated to a dedicated external server at 91.132.163.78 over port 8001.
CVE Lures Targeting Modern Enterprise Environments
The campaign is highly opportunistic, constantly changing its GitHub lures to match recently disclosed, high-visibility vulnerabilities. Researchers looking to validate patches or demonstrate risk internally are the primary targets. The specific CVE lures used in this campaign include:
CVE-2025-64446: A critical Fortinet FortiWeb Path Traversal vulnerability.
CVE-2025-55182: An execution flaw known as React2Shell.
CVE-2025-14847: A high-impact MongoBleed flaw affecting MongoDB deployments.
CVE-2026-0257: A Palo Alto Networks PAN-OS GlobalProtect Authentication Bypass.
CVE-2026-10520: An Ivanti Sentry Command Injection vulnerability.
CVE-2026-50751: A Check Point Security Gateway Improper Authentication bug.
CVE-2026-48908: A Joomla SP Page Builder Remote Code Execution flaw.