Hackers Use Mapbox Dead-Drop C2 and Python RAT to Target Vulnerability Researchers


Jul 02, 2026 · 5 min read

Security researchers have uncovered a long-running campaign that turns trusted proof-of-concept exploits into weapons against the very people who study vulnerabilities for a living.

The operation, tracked under the name ChocoPoC, hides a fully functional Python remote access trojan inside trojanised exploit code shared on GitHub and PyPI.

Victims who download and run what looks like a normal PoC unknowingly install a backdoor capable of stealing data and executing further commands.

The attackers rely on a mix of poisoned GitHub repositories and malicious Python packages to reach their targets. Fake exploit code often ships with a tampered requirements.txt file that quietly installs an extra dependency during a routine pip install.

That single step triggers a chain involving a compiled native extension, anti-debugging checks, and a hidden downloader that fetches the final payload from the internet.
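The tampered requirements.txt described above is the cheapest place to catch this chain, before `pip install -r` ever runs. The following is an added example (not code from the article or the Sekoia report): it parses a PoC's requirements.txt and lists entries the PoC's own .py files never import, and separately reports pip option lines (`-e`, `--index-url` and similar) that can change where packages are fetched from. The sample PoC tree, including the skytext entry and the example.invalid index URL, is constructed for the demo. Distribution names and import names can legitimately differ (PyYAML installs the module `yaml`), so the output is a list to review by hand, not a verdict.

```python
# Added example (not from the article or the Sekoia report): list requirements.txt
# entries that the PoC's own .py files never import, plus pip option lines that
# deserve a look before `pip install -r` is run. The sample tree below is constructed.
import re
import tempfile
from pathlib import Path

# Constructed sample PoC: the extra "skytext" entry mirrors the article's description
# of a tampered requirements.txt; nothing here is real exploit code.
SAMPLE_POC = {
    "exploit.py": "import requests\nimport sys\n\nprint('poc placeholder')\n",
    "requirements.txt": (
        "requests>=2.31   # actually used\n"
        "skytext==0.1.0\n"
        "# a comment line\n"
        "--index-url https://example.invalid/simple\n"
    ),
}

REQ_NAME = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")
IMPORT_STMT = re.compile(r"^\s*(?:import|from)\s+([A-Za-z_][A-Za-z0-9_]*)", re.M)


def parse_requirements(text):
    """Return (distribution names, option lines) from a requirements.txt body."""
    names, options = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        if line.startswith("-"):                 # -e, -r, --index-url, --extra-index-url ...
            options.append(line)
            continue
        m = REQ_NAME.match(line)                 # name before ==, >=, [extras] or ; markers
        if m:
            names.append(m.group(1).lower().replace("_", "-"))
    return names, options


def imported_top_level_modules(root):
    """Top-level module names imported anywhere under root (lower-cased)."""
    mods = set()
    for py in Path(root).rglob("*.py"):
        mods.update(m.lower() for m in IMPORT_STMT.findall(py.read_text(errors="ignore")))
    return mods


def review_requirements(root):
    """Return {"unreferenced": [...], "options": [...]} for a PoC directory."""
    root = Path(root)
    req = root / "requirements.txt"
    if not req.exists():
        return {"unreferenced": [], "options": []}
    names, options = parse_requirements(req.read_text())
    mods = imported_top_level_modules(root)
    # A name counts as referenced if either spelling (dash or underscore) is imported.
    unreferenced = [n for n in names if n not in mods and n.replace("-", "_") not in mods]
    return {"unreferenced": unreferenced, "options": options}


def write_sample_poc():
    """Materialise SAMPLE_POC in a fresh temp dir and return its path."""
    root = Path(tempfile.mkdtemp(prefix="chocopoc-demo-"))
    for name, body in SAMPLE_POC.items():
        (root / name).write_text(body)
    return root


def review_sample():
    return review_requirements(write_sample_poc())


if __name__ == "__main__":
    print(review_sample())
```

On the constructed tree the check reports `skytext` as unreferenced and surfaces the `--index-url` line; a real PoC that imports only `requests` but pins an unknown second package should get the same scrutiny.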

GitHub issue that shares the infected PoC repo (Source – Sekoia)

Analysts at Sekoia identified the campaign after tracing repeated waves of infected repositories and malicious packages back to a shared infrastructure and coding style.

Their investigation found that the group has been active since at least 2023, refining its lures with each new wave rather than abandoning the approach after exposure.

The persistence suggests a deliberate, long-term strategy aimed squarely at the vulnerability research community.

Sekoia said in a report shared with Cyber Security News (CSN) that the campaign shows how attractive security researchers have become as targets, since compromising them can offer early access to unpublished exploits and research data.

Because researchers frequently disable security tools while testing exploits, they make unusually soft targets compared with typical enterprise users.

Hackers Use Mapbox Dead-Drop C2 and Python RAT

The infection begins the moment a victim installs a rigged package, which quietly drops a native extension file such as gradient.so on Linux or gradient.pyd on Windows.

This file is loaded directly into memory using Python’s own extension-loading mechanism, so it never touches disk as a separate suspicious binary.

Once active, the code performs anti-debugging checks, looking for hardware breakpoints and testing for a remote debugger before continuing.

ChocoPoC infection chain (Source – Sekoia)

This figure, referenced in the source material as Figure 2, illustrates the ChocoPoC infection chain from tainted PoC to final payload.

A hashing routine then scans the researcher’s own files, comparing them against known exploit filenames like exploit.py or EXPLOIT_POC.py; the source report shows the hashing algorithm used for this matching step in its Figure 3.

If a match is found, a hidden Python launcher named choco.py drops onto the system and prepares to fetch the actual remote access trojan.
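A dependency pulled in by a PoC has little reason to ship a compiled extension such as gradient.so or gradient.pyd. As an added example (not code from the article or from Sekoia), the snippet below lists native extension files recorded for an installed distribution, reading the dist-info RECORD file that pip writes for every package; the RECORD sample for a skytext package and its hash and size values are constructed placeholders, and `installed_native_files` applies the same check to whatever is installed in the current interpreter.

```python
# Added example (not from the article or the Sekoia report): list native extension
# files (.so/.pyd/.dylib) recorded for an installed distribution, the kind of file
# the article says a rigged package drops (gradient.so / gradient.pyd).
import csv
import io
from importlib.metadata import PackageNotFoundError, distribution

NATIVE_SUFFIXES = (".so", ".pyd", ".dylib")


def native_entries(record_text):
    """Parse a dist-info RECORD body (CSV: path,hash,size) and return native file paths.

    endswith() also catches tagged names such as foo.cpython-311-x86_64-linux-gnu.so.
    """
    found = []
    for row in csv.reader(io.StringIO(record_text)):
        if row and row[0].endswith(NATIVE_SUFFIXES):
            found.append(row[0])
    return found


def installed_native_files(dist_name):
    """Run the same check on a distribution installed in this interpreter; None if absent."""
    try:
        dist = distribution(dist_name)
    except PackageNotFoundError:
        return None
    return [str(f) for f in (dist.files or []) if str(f).endswith(NATIVE_SUFFIXES)]


# Constructed RECORD for a hypothetical pure-Python-looking package carrying an extension.
# Hash and size fields are placeholders, not measurements of any real file.
SAMPLE_RECORD = """\
skytext/__init__.py,sha256=PLACEHOLDER,120
skytext/gradient.so,sha256=PLACEHOLDER,48392
skytext-0.1.0.dist-info/METADATA,sha256=PLACEHOLDER,800
skytext-0.1.0.dist-info/RECORD,,
"""


def review_sample_record():
    return native_entries(SAMPLE_RECORD)


if __name__ == "__main__":
    print(review_sample_record())
    print(installed_native_files("pip"))
```

Run this against every new dependency before the PoC itself is executed; a package whose PyPI page promises pure Python but whose RECORD lists a .so or .pyd is the "unexpected native extension" the report advises treating with suspicion.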

Mapbox Dead Drop And Data Theft

Instead of contacting a traditional server, the downloader reaches out to the Mapbox Datasets API, a legitimate mapping service, and pulls its next set of instructions from a stored dataset property.

This dead-drop trick lets malicious traffic blend in with normal web requests to a well-known cloud platform, making it harder for defenders to flag as suspicious.

To resolve the Mapbox address without exposing typical DNS traffic, the malware uses DNS-over-HTTPS resolvers rather than a system’s usual name servers.

Once connected, the resulting Python RAT can run shell commands, execute additional Python code, browse and steal files, harvest saved browser data, and gather basic system details such as network configuration and running processes.

Sekoia also found that the RAT includes a delay command that pauses activity, letting operators avoid detection during quiet periods between campaigns.

Some strings inside the malware appear in Spanish, hinting at the developer’s background even though the targeting itself spans a broad, international pool of researchers.

The report recommends that anyone downloading proof-of-concept code review it carefully before execution, avoid installing packages from unfamiliar or newly created repositories, and treat unexpected native extensions with suspicion.

Running suspicious exploit code inside an isolated sandbox rather than a primary research machine is also advised, since it limits what an attacker can reach if the code turns out to be malicious.

Because the campaign leans on trust within the open research community, ongoing vigilance and cross-checking of PoC sources remain the most practical defense available right now.

Indicators of Compromise (IoCs):

Type | Indicator | Description
--- | --- | ---
Domain | api.mapbox[.]com | Abused legitimate Mapbox API used as dead-drop C2 channel
Domain | dns.alidns[.]com | DNS-over-HTTPS resolver used to resolve C2 domain covertly
Domain | cloudflare-dns[.]com | DNS-over-HTTPS resolver used to resolve C2 domain covertly
File Name | gradient.so / gradient.pyd | Malicious native Python extension implant loaded via PyInit_gradient
File Name | choco.py | ChocoPoC downloader script that fetches the Python RAT
PyPI Package | skytext | Malicious PyPI package used to distribute the trojanised dependency
File Name | EXPLOIT_POC.py / exploit.py / exploit_poc.py | Lure exploit filenames targeted by the hashing routine
Email Account | leechuung@mail.com | Compromised account used to publish malicious PyPI packages
Email Account | faberhung@mail.com | Compromised account used to publish malicious PyPI packages
URL | hxxps://api.mapbox[.]com/datasets | Endpoint queried to retrieve dead-drop C2 instructions

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
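As an added example (not code from the article or from Sekoia), here is the refang-and-match step described in the note above, run over constructed proxy-log lines. It refangs the table's domains and URL, then looks for the two-stage pattern the report describes: a DNS-over-HTTPS lookup of the Mapbox host followed by a request to the datasets endpoint from the same client, with a non-browser user agent as a further signal. The log format (client IP, user agent, URL), the JSON-style `?name=` DoH query string and the dataset path are all constructed for the demo.

```python
# Added example (not from the article or the Sekoia report): refang the published
# indicators and check constructed proxy-log lines for the DoH-then-dead-drop pattern.
import re
from urllib.parse import urlsplit

# Indicators copied from the article's IoC table, still defanged.
DEFANGED = {
    "domain": ["api.mapbox[.]com", "dns.alidns[.]com", "cloudflare-dns[.]com"],
    "url": ["hxxps://api.mapbox[.]com/datasets"],
}


def refang(value):
    """Reverse the common defang conventions; do this only inside analysis tooling."""
    return (value.replace("[.]", ".")
                 .replace("hxxps://", "https://")
                 .replace("hxxp://", "http://"))


DOMAINS = {refang(d) for d in DEFANGED["domain"]}
URL_PREFIXES = [refang(u) for u in DEFANGED["url"]]
DOH_HOSTS = {"dns.alidns.com", "cloudflare-dns.com"}   # the two resolvers from the table

# Constructed proxy log (not real traffic): client_ip user_agent url
SAMPLE_LOG = """\
10.0.5.23 python-requests/2.31.0 https://cloudflare-dns.com/dns-query?name=api.mapbox.com&type=A
10.0.5.23 python-requests/2.31.0 https://api.mapbox.com/datasets/v1/placeholder-user/placeholder-id/features
10.0.5.40 Mozilla/5.0 https://api.mapbox.com/styles/v1/mapbox/streets-v11
10.0.5.51 curl/8.4.0 https://pypi.org/simple/requests/
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ip, ua, url = m.groups()
    parts = urlsplit(url)
    return {"ip": ip, "ua": ua, "url": url,
            "host": parts.hostname or "", "query": parts.query}


def doh_target(rec):
    """For a DoH lookup (JSON-style ?name=...), return the queried name; else None."""
    if rec["host"] in DOH_HOSTS:
        m = re.search(r"(?:^|&)name=([^&]+)", rec["query"])
        if m:
            return m.group(1).lower()
    return None


def analyze(log_text):
    """Return (client_ip, reason, detail) alerts for the constructed log format."""
    alerts = []
    doh_seen = {}                    # client_ip -> names it resolved over DoH
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        name = doh_target(rec)
        if name:
            doh_seen.setdefault(rec["ip"], set()).add(name)
            if name in DOMAINS:
                alerts.append((rec["ip"], "doh-lookup-of-ioc", name))
            continue
        if any(rec["url"].startswith(p) for p in URL_PREFIXES):
            reason = "mapbox-datasets-endpoint"
            if rec["host"] in doh_seen.get(rec["ip"], set()):
                reason += "+after-doh-resolution"   # host was resolved covertly first
            if not rec["ua"].startswith("Mozilla/"):
                reason += "+non-browser-ua"         # scripts, not a browser, talk to the dead drop
            alerts.append((rec["ip"], reason, rec["url"]))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Only the datasets endpoint is an indicator here; ordinary map-tile and style requests to api.mapbox.com are left alone, which keeps the rule usable on networks where Mapbox is legitimately in use. The DoH lookup on its own is a weaker signal, so the combined "resolved over DoH, then fetched the datasets endpoint from a scripted client" reason is the one worth escalating.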

Source: CybersecurityNews.com
