Mallory

ChocoPoC

Malware. Correlated with 7 CVEs.

EXPLOITED CVES

Vulnerabilities exploited

7 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

CVE-2025-64446: Fortinet FortiWeb Relative Path Traversal Leading to Unauthenticated Administrative Command Execution
CVE-2025-55182: React2Shell RCE in React Server Components Flight Protocol
CVE-2026-50751: Check Point IKEv1 Remote Access VPN Authentication Bypass
CVE-2025-14847: MongoBleed
CVE-2026-48908: Unauthenticated Arbitrary File Upload RCE in JoomShaper SP Page Builder
CVE-2026-0257: Authentication Bypass in Palo Alto PAN-OS GlobalProtect
CVE-2026-10520: Ivanti Sentry Pre-Auth OS Command Injection RCE

Evidence (the same source backs all seven rows): Sekoia has identified at least seven PoC repositories on GitHub that distribute ChocoPoC and host exploits for FortiWeb (CVE-2025-64446), React2Shell (CVE-2025-55182), Check Point VPN (CVE-2026-50751), MongoBleed (CVE-2025-14847), Joomla SP Page Builder (CVE-2026-48908), PAN-OS (CVE-2026-0257) and Ivanti Sentry (CVE-2026-10520). Multiple weaponized proof-of-concept (PoC) exploits on GitHub were found delivering a Python-based remote access trojan (RAT) named ChocoPoC that can execute commands and steal sensitive data in a campaign believed to target cybersecurity researchers.

Note the nature of the correlation: these CVEs are the subject of the trojanized PoC repositories, that is, the lure aimed at researchers who clone and run them. The evidence above does not describe ChocoPoC exploiting any of these vulnerabilities against a target itself.

via bleepingcomputer.com
MITRE ATT&CK

Techniques & procedures

10 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1195 Supply Chain Compromise (evidence: 1)

ChocoPoC stands out for not embedding the malware directly in the exploit file but for adding malicious Python packages to the PoC’s dependency list.

Execution

3 techniques
T1059.004 Unix Shell (evidence: 1)

The ChocoPoC RAT has the following capabilities: execute arbitrary shell commands and arbitrary Python code

T1059.006 Python (evidence: 1)

When the PoC executes, the extension runs automatically and decrypts additional embedded Python code that triggers a downloader to retrieve the final payload, ChocoPoC.

T1204.002 Malicious File (evidence: 1)

Once the victim clones a malicious repository, a trojanized package named ‘frint’ is automatically fetched and installed on their systems.
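The delivery mechanism described under T1195 and T1204.002 (a malicious package added to the PoC's dependency list rather than to the exploit file) suggests a cheap pre-install check: a declared dependency that no source file in the repository imports is exactly what a trojanized PoC looks like, because the exploit code has no use for the package. The following audit script is an added example, not code from Sekoia, BleepingComputer or Mallory. It assumes the dependencies are declared in requirements.txt (setup.py and pyproject.toml are not parsed), the distribution-to-import-name alias map is a partial assumption, and the sample requirements and exploit file are constructed for illustration.

```python
"""Audit a cloned PoC repository for dependencies that its code never imports.

Added example (not Sekoia's or Mallory's code). ChocoPoC is delivered by
adding a malicious package to a PoC's dependency list, so a declared
dependency that no source file imports is the signal worth checking
before running `pip install -r requirements.txt`.
"""
import ast
import re
import sys
from pathlib import Path

# Distribution name -> import name, for common cases where the two differ.
# This map is an assumption for the example; extend it for your environment.
IMPORT_ALIASES = {
    "beautifulsoup4": "bs4",
    "pyyaml": "yaml",
    "pillow": "PIL",
    "python-dateutil": "dateutil",
    "pycryptodome": "Crypto",
}

# Leading distribution name of a requirement line (stops at version specifiers).
REQ_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def parse_requirements(text: str) -> list[str]:
    """Return normalized distribution names from requirements.txt content."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith(("-", "git+", "http")):
            continue                               # options and URL requirements are skipped
        m = REQ_LINE.match(line)
        if m:
            names.append(m.group(1).lower().replace("_", "-"))
    return names


def imported_modules(source: str) -> set[str]:
    """Top-level module names imported by one Python source file."""
    mods = set()
    try:
        tree = ast.parse(source)
    except SyntaxError:
        return mods                                # unparsable file contributes nothing
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                mods.add(alias.name.split(".")[0])
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            mods.add(node.module.split(".")[0])
    return mods


def unused_dependencies(requirements: list[str], sources: list[str]) -> list[str]:
    """Declared dependencies that no source file imports, in declaration order."""
    used = set()
    for src in sources:
        used |= {m.lower() for m in imported_modules(src)}
    suspicious = []
    for dist in requirements:
        import_name = IMPORT_ALIASES.get(dist, dist.replace("-", "_")).lower()
        if import_name not in used:
            suspicious.append(dist)
    return suspicious


def audit_repo(path: Path) -> list[str]:
    """Run the check over a checked-out repository directory."""
    reqs = []
    req_file = path / "requirements.txt"
    if req_file.exists():
        reqs = parse_requirements(req_file.read_text(errors="replace"))
    sources = [p.read_text(errors="replace") for p in path.rglob("*.py")]
    return unused_dependencies(reqs, sources)


# Constructed sample: a PoC whose exploit only needs requests, but whose
# requirements.txt also pulls in 'frint', the trojanized package name
# reported for this campaign. Both files are made up for the example.
SAMPLE_REQUIREMENTS = "requests>=2.31\nfrint\n"
SAMPLE_EXPLOIT = "import requests\nimport sys\n\ndef main():\n    requests.get(sys.argv[1])\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        flagged = audit_repo(Path(sys.argv[1]))
    else:
        flagged = unused_dependencies(parse_requirements(SAMPLE_REQUIREMENTS), [SAMPLE_EXPLOIT])
    for dist in flagged:
        print(f"[!] declared but never imported: {dist}")
```

Run it with the repository path as the only argument, or with no argument to see the constructed sample flag `frint`. The check is a heuristic: a malicious package that reuses the name of something the exploit genuinely imports, or that arrives as a transitive dependency of a legitimate one, will not be flagged, so it complements rather than replaces installing third-party PoCs in a throwaway VM or container.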

Credential Access

2 techniques
T1539 Steal Web Session Cookie (evidence: 1)

collect browser passwords, cookies, autofill data, and browsing history

T1555 Credentials from Password Stores (evidence: 1)

collect browser passwords, cookies, autofill data, and browsing history

Discovery

2 techniques
T1016 System Network Configuration Discovery (evidence: 1)

collect network configuration

T1057 Process Discovery (evidence: 1)

enumerate running processes

Command and Control

1 technique
T1105 Ingress Tool Transfer (evidence: 1)

the extension runs automatically and decrypts additional embedded Python code that triggers a downloader to retrieve the final payload, ChocoPoC, from a Mapbox dataset.

Exfiltration

1 technique
T1567 Exfiltration Over Web Service (evidence: 1)

Mapbox datasets are also abused for data exfiltration, though larger file uploads are handled separately via an HTTP server.
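Both the T1105 evidence (payload retrieved from a Mapbox dataset) and the T1567 evidence (stolen data pushed to Mapbox datasets) point at the same hunt: Mapbox Datasets API traffic originating from a scripting client rather than a browser. The script below is an added example, not Sekoia's, BleepingComputer's or Mallory's detection logic. It assumes the Datasets API is served from api.mapbox.com under /datasets/v1/ (the documented layout of that API), treats PUT/POST as uploads and GET as downloads, and reads a constructed tab-separated proxy log whose IPs, usernames, dataset IDs and token values are made up.

```python
"""Hunt for Mapbox Datasets API use by non-browser clients in proxy logs.

Added example (not Sekoia's or Mallory's code). The ChocoPoC downloader
pulls its payload from a Mapbox dataset and the RAT pushes stolen data
back the same way, so an internal host talking to the Datasets API from a
scripting user agent deserves a look. Assumption: the API lives on
api.mapbox.com under /datasets/v1/, and the log format is the constructed
tab-separated one used in SAMPLE_LOG.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# User agents of common scripting HTTP clients (assumed list, extend as needed).
SCRIPT_UA = re.compile(r"python-requests|python-urllib|urllib3|aiohttp|httpx|curl/|wget/", re.I)
DATASETS_PATH = re.compile(r"^/datasets/v1/")


@dataclass
class Hit:
    ts: str
    src: str
    method: str
    url: str
    user_agent: str
    direction: str  # "download" (GET) or "upload" (PUT/POST)


def parse_line(line: str):
    """Fields: timestamp, src_ip, method, url, user_agent (tab separated)."""
    parts = line.rstrip("\n").split("\t")
    return parts if len(parts) == 5 else None


def classify(method: str, url: str, user_agent: str):
    """Return 'download'/'upload' for Datasets API calls from script UAs, else None."""
    u = urlparse(url)
    if u.hostname != "api.mapbox.com" or not DATASETS_PATH.match(u.path):
        return None
    if not SCRIPT_UA.search(user_agent):
        return None
    return "upload" if method.upper() in ("PUT", "POST") else "download"


def hunt(lines):
    """Yield a Hit for every log line that matches the download/upload pattern."""
    hits = []
    for line in lines:
        parts = parse_line(line)
        if not parts:
            continue
        ts, src, method, url, ua = parts
        direction = classify(method, url, ua)
        if direction:
            hits.append(Hit(ts, src, method, url, ua, direction))
    return hits


# Constructed sample log lines: hosts, IPs, usernames, dataset IDs and token
# values are made up. Line 1 looks like a payload fetch, line 3 like an upload
# of collected data; lines 2 and 4 are ordinary browser traffic.
SAMPLE_LOG = """\
2026-05-02T10:14:03Z\t10.20.30.41\tGET\thttps://api.mapbox.com/datasets/v1/someuser/cl0example1/features?access_token=pk.example\tpython-requests/2.31.0
2026-05-02T10:14:05Z\t10.20.30.41\tGET\thttps://api.mapbox.com/styles/v1/mapbox/streets-v12\tMozilla/5.0 (Windows NT 10.0) Chrome/124.0
2026-05-02T10:16:40Z\t10.20.30.41\tPUT\thttps://api.mapbox.com/datasets/v1/someuser/cl0example1/features/host-10-20-30-41?access_token=sk.example\tpython-requests/2.31.0
2026-05-02T10:17:00Z\t10.20.30.77\tGET\thttps://api.mapbox.com/datasets/v1/gisteam/cl0legit01/features\tMozilla/5.0 (X11; Linux x86_64) Firefox/125.0
"""

if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG.splitlines()):
        print(f"{h.ts} {h.src} {h.direction:8} {h.method} {h.url} [{h.user_agent}]")
```

On the constructed sample the script reports the GET and the PUT from 10.20.30.41 and ignores the browser traffic. Expect false positives from legitimate GIS tooling; the stronger signal is a host that both downloads from and uploads to the same dataset with a scripting user agent, and a separate HTTP upload to an unfamiliar server shortly afterwards, which matches the larger-file exfiltration path the evidence describes.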
