A joint investigation by YesWeHack and Sekoia’s Threat Detection & Research team has uncovered a campaign that hides a credential-stealing trojan, dubbed ChocoPoC, inside fake exploit code aimed at vulnerability researchers and penetration testers.
The bait is time pressure. When a serious vulnerability is disclosed, researchers race to build and test detection for it, often pulling Proof-of-Concept (PoC) exploit code shared on GitHub.
This campaign turns that habit into an infection route, masquerading malicious repositories as working exploits for real flaws in products from Fortinet, Ivanti, Check Point, and others.
The visible exploit code appears clean, so it survives an initial review. The malware instead hides in a software dependency the project quietly pulls in during setup, activating only when a researcher runs an install to prepare the exploit.
Because the malicious behavior is hidden in dependency code and only appears during installation, it can evade superficial code reviews and complicate automated analysis.
Once running, the researchers say, ChocoPoC is a full remote access trojan. It harvests saved passwords, browsing history and cookies from major browsers, scans for local files and credential databases, and lets the attacker run commands on the machine.
To take orders without being flagged, it hides its command channel inside a legitimate cloud service, blending in with ordinary web traffic.
Why Researchers Are the Prize
Researchers are the target by design, Sekoia explained. Compromising a single vulnerability researcher, the investigators note, can hand an attacker access far beyond one workstation.
That risk compounds because these researchers supply detection content to widely used security frameworks, thereby increasing the potential reach.
Sekoia warned of a double supply-chain effect, where poisoning one researcher lets malicious code ride into a tool that thousands of other teams trust, echoing recent campaigns that weaponized developer packages to reach the machines behind them.
The delivery mechanism has changed: the exploit file itself may be clean while the dependency chain is the weapon.
Their guidance is practical: treat any PoC as hostile until proven otherwise, read the full dependency chain rather than just the exploit file, and be wary of unknown accounts.