Mapbox Flaw Lets Hackers Target Vulnerability Researchers with Python RAT

Marcus Rodriguez
July 2, 2026

Key Takeaways

  • A persistent threat actor, dubbed ChocoPoC, has been actively targeting vulnerability researchers since 2023.
  • The campaign leverages poisoned proof-of-concept (PoC) exploits on GitHub and PyPI to deliver a Python-based Remote Access Trojan (RAT).
  • The attackers employ sophisticated techniques, including anti-debugging checks, in-memory loading of malicious code, and a “dead-drop” command-and-control (C2) mechanism via the legitimate Mapbox Datasets API.
  • The Python RAT is capable of extensive data exfiltration, including shell command execution, file system manipulation, browser data theft, and system information gathering.
  • Security researchers are particularly vulnerable due to their frequent practice of disabling security tools while analyzing exploits.

A sophisticated and ongoing campaign has been identified, specifically designed to compromise cybersecurity vulnerability researchers by weaponizing the very tools they use. This operation, named ChocoPoC, cleverly embeds a fully functional Python Remote Access Trojan (RAT) within seemingly legitimate proof-of-concept (PoC) exploit code distributed on platforms like GitHub and PyPI.


Researchers who download and execute these seemingly innocuous PoCs unknowingly install a backdoor, granting attackers the ability to steal sensitive data and execute arbitrary commands on their systems. The attackers leverage a combination of compromised GitHub repositories and malicious Python packages to ensnare their targets. Often, fake exploit code will include a tampered requirements.txt file, which silently installs an additional, malicious dependency during a standard pip install command.

This seemingly minor installation triggers a complex infection chain. It involves the deployment of a compiled native extension, which performs anti-debugging checks before deploying a hidden downloader. This downloader then retrieves the final RAT payload from a covert command-and-control (C2) infrastructure.
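Because the lure described above is an extra entry in requirements.txt, one check a researcher can run before `pip install` is to compare the file's entries with what the PoC code actually imports. The following Python is an added example, not code from the article or from Sekoia's report; the alias table, the sample requirements and the package name `poc-helper-utils` are constructed for illustration.

```python
# Added example (not from the article or Sekoia): audit a PoC repo's requirements.txt
# against the imports its Python sources use, so a planted dependency stands out.
import ast
import re

# Package-name -> import-name aliases for common PoC tooling (assumed table; extend as needed).
IMPORT_ALIASES = {"pwntools": "pwn", "pyyaml": "yaml", "beautifulsoup4": "bs4", "pillow": "PIL"}

REQ_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")

def parse_requirements(text):
    """Return normalized package names from requirements.txt text.
    Skips comments, blank lines and pip options (-r, -e, --index-url ...)."""
    names = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = REQ_LINE.match(line)
        if m:
            names.append(m.group(1).lower().replace("_", "-"))
    return names

def imported_modules(sources):
    """Collect top-level module names imported across the given source strings."""
    mods = set()
    for src in sources:
        for node in ast.walk(ast.parse(src)):
            if isinstance(node, ast.Import):
                mods.update(a.name.split(".")[0] for a in node.names)
            elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
                mods.add(node.module.split(".")[0])
    return mods

def unused_requirements(requirements_text, sources):
    """Requirements no source file imports: candidates for a planted dependency."""
    used = {m.lower() for m in imported_modules(sources)}
    flagged = []
    for pkg in parse_requirements(requirements_text):
        import_name = IMPORT_ALIASES.get(pkg, pkg.replace("-", "_"))
        if import_name.lower() not in used:
            flagged.append(pkg)
    return flagged

# Constructed sample: the PoC imports requests and pwn; the third requirement
# (placeholder name) is referenced by nothing in the code.
SAMPLE_REQUIREMENTS = "requests==2.31.0\npwntools>=4.9\npoc-helper-utils  # unused\n"
SAMPLE_POC = "import requests\nfrom pwn import remote, p64\n"

if __name__ == "__main__":
    print(unused_requirements(SAMPLE_REQUIREMENTS, [SAMPLE_POC]))
```

Package and import names do not always match, so treat the output as a review list rather than a verdict, and extend the alias table for the tooling your PoCs normally use.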

Unveiling the ChocoPoC Campaign

Analysts at Sekoia identified the ChocoPoC campaign by tracking recurring instances of infected repositories and malicious Python packages. Their investigation revealed shared infrastructure and a consistent coding style across the attack waves. Sekoia's findings indicate that the threat actor has been operational since at least 2023, refining its lures rather than abandoning its methods after detection. This persistence underscores a deliberate, long-term strategy focused on compromising the vulnerability research community.

The Sekoia report, shared with Cyber Security News (CSN), highlights the growing appeal of security researchers as targets. Compromising them gives attackers potential early access to undisclosed exploits and valuable research data. Furthermore, researchers frequently disable security tools during exploit testing, making them comparatively softer targets than typical enterprise users, Sekoia said in its report.

Hackers Use Mapbox Dead-Drop C2 and Python RAT

The infection process begins when a victim installs a malicious package. This package surreptitiously drops a native extension file, such as gradient.so on Linux systems or gradient.pyd on Windows. Crucially, this file is loaded directly into memory using Python's native extension-loading mechanism, thereby avoiding the creation of a suspicious binary file on disk.
