GitHub and PyPI: Hackers Use Mapbox Dead-Drop C2 and Python RAT to Target Vulnerability Researchers

GitHub and PyPI: Hackers Use Mapbox Dead-Drop C2 and Python RAT to Target Vulnerability Researchers

ChocoPoC Campaign Targets Security Researchers with Trojanized Exploit Code

Security researchers have uncovered ChocoPoC, a long-running cyber campaign that weaponizes trusted proof-of-concept (PoC) exploits to deploy a Python-based remote access trojan (RAT) against vulnerability researchers. Active since at least 2023, the operation leverages poisoned GitHub repositories and malicious Python packages on PyPI to distribute backdoored exploit code.

Victims who download and execute what appears to be legitimate PoC code unknowingly install a backdoor capable of data theft, command execution, and further payload delivery. The attack chain begins with a tampered requirements.txt file, which silently installs an additional malicious dependency during installation. This triggers a multi-stage infection process, including a compiled native Python extension (gradient.so on Linux or gradient.pyd on Windows) loaded directly into memory to evade detection.

The malware employs anti-debugging checks, scanning for hardware breakpoints and remote debuggers before proceeding. It then searches the victim’s system for common exploit filenames (e.g., exploit.py, EXPLOIT_POC.py) using a hashing routine. If a match is found, a hidden downloader (choco.py) retrieves the final RAT payload from a dead-drop command-and-control (C2) server.

To avoid traditional detection methods, the attackers abuse the legitimate Mapbox Datasets API as a C2 channel, blending malicious traffic with normal web requests. The malware also uses DNS-over-HTTPS resolvers (dns.alidns.com, cloudflare-dns.com) to obscure its communications. Once active, the Python RAT can execute shell commands, steal files, harvest browser data, and gather system information. Some strings within the malware suggest Spanish-speaking developers, though the campaign targets researchers globally.

Sekoia analysts identified the campaign after tracing multiple waves of infected repositories and packages to a shared infrastructure. The group’s persistence and evolving lures indicate a deliberate, long-term strategy to compromise security researchers a high-value target due to their access to unpublished exploits and sensitive research data. The attack exploits the trust within the open-source research community, where disabling security tools during testing makes researchers particularly vulnerable.

Indicators of compromise (IoCs) include the abused api.mapbox[.]com domain, malicious PyPI package skytext, and compromised email accounts (leechuung@mail.com, faberhung@mail.com) used to distribute the trojanized code. The campaign highlights the growing threat of supply-chain attacks within the cybersecurity research ecosystem.

Source: https://cybersecuritynews.com/hackers-use-mapbox-dead-drop-c2/

GitHub cybersecurity rating report: https://www.rankiteo.com/company/github

PyPI cybersecurity rating report: https://www.rankiteo.com/company/pypi

"id": "GITPYP1783002615",
"linkid": "github, pypi",
"type": "Cyber Attack",
"date": "1/2023",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Cybersecurity Research',
                        'location': 'Global',
                        'type': 'Security Researchers'}],
 'attack_vector': ['Poisoned GitHub repositories',
                   'Malicious Python packages on PyPI'],
 'data_breach': {'data_exfiltration': True,
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Exploit code',
                                              'System information',
                                              'Browser data',
                                              'Files']},
 'description': 'Security researchers have uncovered *ChocoPoC*, a '
                'long-running cyber campaign that weaponizes trusted '
                'proof-of-concept (PoC) exploits to deploy a Python-based '
                'remote access trojan (RAT) against vulnerability researchers. '
                'Active since at least 2023, the operation leverages poisoned '
                'GitHub repositories and malicious Python packages on PyPI to '
                'distribute backdoored exploit code. Victims who download and '
                'execute what appears to be legitimate PoC code unknowingly '
                'install a backdoor capable of data theft, command execution, '
                'and further payload delivery.',
 'impact': {'data_compromised': ['Exploit code',
                                 'System information',
                                 'Browser data',
                                 'Files'],
            'operational_impact': 'Potential theft of unpublished exploits and '
                                  'sensitive research data',
            'systems_affected': ['Systems of security researchers']},
 'initial_access_broker': {'backdoors_established': True,
                           'entry_point': ['Poisoned GitHub repositories',
                                           'Malicious Python packages on PyPI'],
                           'high_value_targets': 'Security researchers'},
 'lessons_learned': 'The attack exploits the trust within the open-source '
                    'research community, where disabling security tools during '
                    'testing makes researchers particularly vulnerable. '
                    'Highlights the growing threat of supply-chain attacks '
                    'within the cybersecurity research ecosystem.',
 'motivation': 'Compromise security researchers to access unpublished exploits '
               'and sensitive research data',
 'post_incident_analysis': {'root_causes': ['Trust in open-source PoC code',
                                            'Disabling security tools during '
                                            'testing']},
 'references': [{'source': 'Sekoia analysts'}],
 'response': {'third_party_assistance': 'Sekoia analysts'},
 'title': 'ChocoPoC Campaign Targets Security Researchers with Trojanized '
          'Exploit Code',
 'type': 'Supply Chain Attack'}
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.