Mapbox Dead-Drop C2 Lets Hackers Target Vulnerability Researchers with Python RAT
Key Takeaways
- A persistent threat actor, dubbed ChocoPoC, has been actively targeting vulnerability researchers since 2023.
- The campaign leverages poisoned proof-of-concept (PoC) exploits on GitHub and PyPI to deliver a Python-based Remote Access Trojan (RAT).
- The attackers employ sophisticated techniques, including anti-debugging checks, in-memory loading of malicious code, and a “dead-drop” command-and-control (C2) mechanism via the legitimate Mapbox Datasets API.
- The Python RAT supports shell command execution, file system manipulation, browser data theft and system information gathering, and exfiltrates the collected data to the operators.
- Security researchers are particularly vulnerable due to their frequent practice of disabling security tools while analyzing exploits.
A sophisticated and ongoing campaign has been identified, specifically designed to compromise cybersecurity vulnerability researchers by weaponizing the very tools they use. This operation, named ChocoPoC, cleverly embeds a fully functional Python Remote Access Trojan (RAT) within seemingly legitimate proof-of-concept (PoC) exploit code distributed on platforms like GitHub and PyPI.
Researchers who download and execute these seemingly innocuous PoCs unknowingly install a backdoor, granting attackers the ability to steal sensitive data and execute arbitrary commands on their systems. The attackers leverage a combination of compromised GitHub repositories and malicious Python packages to ensnare their targets. Often, fake exploit code will include a tampered requirements.txt file, which silently installs an additional, malicious dependency during a standard pip install command.
This seemingly minor installation triggers a complex infection chain. It involves the deployment of a compiled native extension, which performs anti-debugging checks before deploying a hidden downloader. This downloader then retrieves the final RAT payload from a covert command-and-control (C2) infrastructure.
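The requirements.txt trick described above works because `pip install -r` resolves everything listed, whether or not the exploit code ever imports it. A cheap pre-install check is to compare the file against the imports actually present in the repository's Python sources. The following is an added example written for this article, not code from Sekoia or from any ChocoPoC repository; the sample repository contents and the package name `gradient-utils` are constructed for illustration, and the distribution-name-to-module mapping is a small heuristic table that a real deployment would extend.

```python
import ast
import re
from pathlib import Path
from typing import Dict, List, Set

# Constructed sample: a PoC checkout in {relative_path: file_text} form.
# Hypothetical contents; not taken from any real repository.
SAMPLE_REPO: Dict[str, str] = {
    "exploit.py": (
        "import requests\n"
        "import sys\n"
        "from pwn import remote\n"
        "def main():\n"
        "    r = requests.get(sys.argv[1])\n"
    ),
    "requirements.txt": (
        "requests>=2.31\n"
        "pwntools==4.12.0\n"
        "# extra line that pip install -r pulls in silently\n"
        "gradient-utils==1.0.3\n"
    ),
}

# Distribution name -> import name where the two differ (heuristic, extend as needed).
DIST_TO_MODULE = {
    "pwntools": "pwn",
    "beautifulsoup4": "bs4",
    "pyyaml": "yaml",
    "pillow": "PIL",
}

_REQ_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def parse_requirements(text: str) -> List[str]:
    """Normalised distribution names from requirements.txt; comments and -options skipped."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = _REQ_NAME.match(line)
        if m:
            names.append(m.group(1).lower().replace("_", "-"))
    return names


def imported_top_level_modules(source: str) -> Set[str]:
    """Top-level module names a source file imports, found via ast (the code is never executed)."""
    mods: Set[str] = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                mods.add(alias.name.split(".")[0])
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            mods.add(node.module.split(".")[0])
    return mods


def dist_to_module(dist: str) -> str:
    return DIST_TO_MODULE.get(dist, dist.replace("-", "_"))


def unreferenced_requirements(files: Dict[str, str]) -> List[str]:
    """Requirements that no .py file imports: candidates for a smuggled dependency."""
    reqs = parse_requirements(files.get("requirements.txt", ""))
    imported: Set[str] = set()
    for name, src in files.items():
        if name.endswith(".py"):
            imported |= imported_top_level_modules(src)
    imported_lower = {m.lower() for m in imported}
    return [r for r in reqs if dist_to_module(r).lower() not in imported_lower]


def load_repo(path: str) -> Dict[str, str]:
    """Read a real checkout from disk into the same {relative_path: text} shape."""
    root = Path(path)
    return {
        str(p.relative_to(root)): p.read_text(errors="replace")
        for p in root.rglob("*")
        if p.is_file() and (p.suffix == ".py" or p.name == "requirements.txt")
    }


if __name__ == "__main__":
    for r in unreferenced_requirements(SAMPLE_REPO):
        print(f"requirement not imported by any source file: {r}")
```

A hit is a prompt to look at that package before installing (download it with `pip download --no-deps`, read what it ships), not proof of malice: build tools and plugins are legitimately listed without being imported. Run it on a real clone with `unreferenced_requirements(load_repo("/path/to/poc"))`.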
Unveiling the ChocoPoC Campaign
Analysts at Sekoia identified the ChocoPoC campaign by tracking recurring instances of infected repositories and malicious Python packages. Their investigation revealed shared infrastructure and a consistent coding style across the attack waves. Sekoia's findings indicate that the threat actor has been operational since at least 2023, refining its lures after each detection rather than abandoning the method. This persistence points to a deliberate, long-term strategy aimed squarely at the vulnerability research community.

The Sekoia report, shared with Cyber Security News (CSN), highlights why security researchers are attractive targets. Compromising them can give attackers early access to undisclosed exploits and valuable research data. Researchers also frequently disable security tools while testing exploits, which makes them comparatively softer targets than typical enterprise users.
Hackers Use Mapbox Dead-Drop C2 and Python RAT
The infection process begins when a victim installs the malicious package. The package carries a native extension, such as gradient.so on Linux or gradient.pyd on Windows, which Python imports like any other extension module. Because the code runs inside the Python process and the downloader and RAT stages that follow are handled in memory, no standalone executable is written to disk for the researcher to notice.
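A package that ships a compiled extension is not unusual in itself, but a small helper library attached to an exploit PoC rarely needs one, and a binary hidden under an innocent file extension never does. The inspector below is an added example written for this article, not Sekoia's tooling or anything from the ChocoPoC packages: it opens a wheel, lists every member that is a native binary (by suffix or by ELF/PE/Mach-O magic), notes which Python files reference it, and flags a wheel whose tag claims pure Python while it contains native code. The sample wheel, its file names and the `gradient_utils` package are constructed for illustration.

```python
import io
import json
import zipfile
from pathlib import PurePosixPath
from typing import Dict, List, Optional

NATIVE_SUFFIXES = (".so", ".pyd", ".dll", ".dylib")
# Leading bytes of the executable formats a native extension would be built as.
BINARY_MAGIC = {
    b"\x7fELF": "ELF",
    b"MZ": "PE",
    b"\xcf\xfa\xed\xfe": "Mach-O",
    b"\xca\xfe\xba\xbe": "Mach-O fat",
}


def _binary_format(head: bytes) -> Optional[str]:
    for magic, fmt in BINARY_MAGIC.items():
        if head.startswith(magic):
            return fmt
    return None


def inspect_wheel(data: bytes) -> Dict[str, object]:
    """Summarise the native code a wheel would install and which .py files load it."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = [n for n in zf.namelist() if not n.endswith("/")]
        py_sources = {n: zf.read(n).decode("utf-8", "replace")
                      for n in members if n.endswith(".py")}
        natives: List[Dict[str, object]] = []
        for n in members:
            fmt = _binary_format(zf.read(n)[:4])
            has_suffix = n.endswith(NATIVE_SUFFIXES)
            if fmt or has_suffix:
                stem = PurePosixPath(n).name.split(".")[0]   # gradient.cpython-...so -> gradient
                natives.append({
                    "path": n,
                    "format": fmt,
                    # a binary without a native suffix is trying not to look like one
                    "disguised": fmt is not None and not has_suffix,
                    "imported_by": sorted(p for p, src in py_sources.items() if stem in src),
                })
        tag = ""
        for n in members:
            if n.endswith(".dist-info/WHEEL"):
                for line in zf.read(n).decode("utf-8", "replace").splitlines():
                    if line.startswith("Tag:"):
                        tag = line.split(":", 1)[1].strip()
        pure = tag.endswith("none-any")
        return {
            "wheel_tag": tag,
            "claims_pure_python": pure,
            "native_extensions": natives,
            "suspicious": bool(natives) and (pure or any(x["disguised"] for x in natives)),
        }


def build_sample_wheel() -> bytes:
    """Constructed wheel for the demo: pure-Python tag, yet it ships an ELF .so and a PE blob."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("gradient_utils/__init__.py", "from . import gradient\n")
        zf.writestr("gradient_utils/gradient.cpython-311-x86_64-linux-gnu.so",
                    b"\x7fELF" + b"\x00" * 60)
        zf.writestr("gradient_utils/model.dat", b"MZ" + b"\x00" * 60)      # PE under a data suffix
        zf.writestr("gradient_utils/helpers.py", "def add(a, b):\n    return a + b\n")
        zf.writestr("gradient_utils-1.0.3.dist-info/METADATA",
                    "Metadata-Version: 2.1\nName: gradient-utils\nVersion: 1.0.3\n")
        zf.writestr("gradient_utils-1.0.3.dist-info/WHEEL",
                    "Wheel-Version: 1.0\nRoot-Is-Purelib: true\nTag: py3-none-any\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(json.dumps(inspect_wheel(build_sample_wheel()), indent=2))
```

Fetch the real artifact without installing it (`pip download --no-deps --only-binary=:all: gradient-utils==1.0.3 -d wheels/`, names hypothetical) and pass its bytes to `inspect_wheel`. Source distributions are out of scope here: a setup.py can run arbitrary code at install time, so an sdist deserves a read of that file before any `pip install`.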
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.