
Introduction:
In late June 2026, YesWeHack’s vulnerability intelligence team published an analysis of a critical unauthenticated RCE flaw in the Joomla JCE extension (CVE-2026-48907), including a proof-of-concept (PoC) and a Nuclei template. Within days, an attacker leveraged that very research to launch a sophisticated social‑engineering campaign. Posing as a contributor, they submitted two supposed PoCs for a related Joomla vulnerability—one of which contained a previously undocumented, fully functional Python RAT dubbed “ChocoPoC”. This incident underscores a dangerous truth: the urgency to weaponize fresh vulnerabilities is now being actively exploited to compromise the very researchers tasked with defending against them.
Learning Objectives:
- Understand the complete infection chain of the ChocoPoC malware, from dependency confusion to Mapbox dead‑drop C2.
- Learn how to safely review and detonate third‑party PoCs using sandboxing, static analysis, and behavioral monitoring.
- Master the technical indicators, YARA rules, and defensive commands to detect and block ChocoPoC across Linux and Windows environments.
You Should Know:
1. The Joomla JCE Flaw and the Weaponized PoC
The campaign began with CVE-2026-48907, a critical unauthenticated remote code execution vulnerability in the Joomla JCE (Joomla Content Editor) extension versions below 2.9.99.5. The flaw allows unauthenticated attackers to create new editor profiles and upload arbitrary PHP files, leading to full server compromise. Shortly after YesWeHack published a Nuclei template for this vulnerability, a GitHub user named “ogenich”—whose account was only two weeks old—submitted two PoCs for CVE-2026-48908, a separate but equally critical RCE in the SP Page Builder component for Joomla.
The second PoC repository (now deleted) contained a `requirements.txt` that pulled in an unfamiliar PyPI package called “frint”. That package in turn depended on another newly published package, “skytext”, which shipped only precompiled native extensions (`gradient.so` on Linux, `gradient.pyd` on Windows). VirusTotal showed zero detections, but when opened in Ghidra the binary revealed XOR‑encrypted blobs and PEB‑walking anti‑analysis routines. The attacker had set a transitive‑dependency trap (the report describes it as dependency confusion): the visible PoC code was benign, while the malicious behavior was buried one dependency level down, in packages that looked harmless in isolation.
Step‑by‑step guide to safely review a suspicious PoC:
- Isolate the environment: Use a disposable VM or air‑gapped sandbox (e.g., Cuckoo, FireEye AX) with no network access and no credentials from your real environment.
- Inspect dependencies: Before running `pip install -r requirements.txt`, list every package, including transitive ones, and check its PyPI page, download count, maintainer history, and first and latest release dates. Flag packages first published within the last 30 days.
- Static analysis: Download the package wheel without its dependencies (`pip download --no-deps <package>`) and extract it (wheels are zip files). Examine any `.so` or `.pyd` files with a disassembler (Ghidra, IDA), starting at the `PyInit_` entry point, for API hashing, PEB walking, or decryption loops that a gradient or text‑formatting library has no reason to contain.
- Dynamic monitoring: Run the PoC under `strace -f -e trace=file,network,process python exploit.py` on Linux, or Process Monitor on Windows, and watch for file writes into `site-packages`, outbound connections, and spawned processes. Keep the lure's original filename when detonating: ChocoPoC gates on it, so a renamed copy can look clean.
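The three review steps above, turned into a small triage script. This is an added example and not code from the original article or from YesWeHack: the `requirements.txt` body, the PyPI upload dates and the wheel it inspects are all constructed inline so that it runs offline, and the only package names it reuses (`frint`, `skytext`) are the ones already named in this article. In practice, fill the `first_seen` dictionary from the `upload_time` fields of `https://pypi.org/pypi/<name>/json` and point `inspect_wheel()` at the file fetched with `pip download --no-deps <name>`.

```python
"""Triage a PoC's Python dependencies before running pip install.

Added example (not from the original article). Parses requirements.txt, flags
packages whose first PyPI upload is recent or unknown, and inspects a wheel for
native extensions and .pth files. All inputs below are CONSTRUCTED.
"""
import datetime as dt
import io
import re
import zipfile

NATIVE_EXT = (".so", ".pyd", ".dll", ".dylib")
MAGIC = {b"\x7fELF": "ELF", b"MZ": "PE", b"\xcf\xfa\xed\xfe": "Mach-O"}


def parse_requirements(text):
    """Return normalised package names from a requirements.txt body."""
    names = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):      # skip blanks and -r/-e/--index-url lines
            continue
        m = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if m:
            names.append(m.group(1).lower().replace("_", "-"))
    return names


def flag_recent(names, first_seen, today, max_age_days=30):
    """Flag packages first published within max_age_days, or unknown to the index."""
    flagged = {}
    for name in names:
        seen = first_seen.get(name)
        if seen is None:
            flagged[name] = "not found on index (typo, or dependency-confusion bait?)"
        elif (today - seen).days <= max_age_days:
            flagged[name] = f"first upload {seen.isoformat()} ({(today - seen).days} days ago)"
    return flagged


def inspect_wheel(wheel_bytes):
    """List wheel members that deserve a disassembler or a second look."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.endswith(".pth"):
                findings.append((name, ".pth file: executed at every interpreter start"))
            if name.lower().endswith(NATIVE_EXT):
                head = zf.open(info).read(4)
                kind = next((v for k, v in MAGIC.items() if head.startswith(k)), "unknown")
                findings.append((name, f"native extension ({kind}): open in Ghidra/IDA"))
    return findings


# --- constructed sample input (not real package data) ---
SAMPLE_REQUIREMENTS = """\
requests>=2.31
frint==0.1.2      # unfamiliar package pulled in by the PoC
-r other.txt
"""
SAMPLE_FIRST_SEEN = {                      # pretend PyPI first-upload dates
    "requests": dt.date(2011, 2, 14),
    "frint": dt.date(2026, 6, 20),
}
TODAY = dt.date(2026, 6, 30)


def build_sample_wheel():
    """Build an in-memory wheel shaped like a package that ships only a native module."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("skytext/__init__.py", "from .gradient import *\n")
        zf.writestr("skytext/gradient.so", b"\x7fELF" + b"\x00" * 60)   # fake ELF header
        zf.writestr("skytext-1.1.0.dist-info/METADATA", "Name: skytext\n")
    return buf.getvalue()


if __name__ == "__main__":
    names = parse_requirements(SAMPLE_REQUIREMENTS)
    print("recent/unknown:", flag_recent(names, SAMPLE_FIRST_SEEN, TODAY))
    for member, why in inspect_wheel(build_sample_wheel()):
        print(f"{member}: {why}")
```

The wheel check is deliberately simple: a package whose only importable code is a native extension is exactly the shape `skytext` had, and that alone is enough reason to route it to a disassembler before anything from the PoC is executed.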
2. The Infection Chain: From `pip install` to Full RAT
ChocoPoC’s infection chain is a masterclass in evasion. When a victim runs `pip install -r requirements.txt`:
– The package “frint” is downloaded, which transitively installs “skytext.”
– The native extension (gradient.so or gradient.pyd) is loaded into memory when the PoC Python script executes.
– The `PyInit_gradient` entrypoint decrypts five small Python scripts using a custom algorithm and a unique key.
– One decrypted script acts as a downloader, fetching a second‑stage payload from `api.mapbox[.]com` via a dead‑drop resolver.
– The malware achieves persistence by dropping a trojanised `_distutils_hack` package and malicious `.pth` files into the Python `site-packages` directory, then timestomping them to evade forensic detection.
Linux command to find `.pth` files that hook `_distutils_hack` (the `__import__` line is also present in setuptools’ own `distutils-precedence.pth`, so investigate any other `.pth` file that matches, and any `distutils-precedence.pth` that contains more than setuptools’ single-line shim):
find /usr/local/lib/python3.*/site-packages/ -name "*.pth" -exec grep -l "__import__('_distutils_hack')" {} \;
Windows PowerShell equivalent (adjust the path to your interpreter’s `site-packages`; `python -c "import site; print(site.getsitepackages())"` prints it):
Get-ChildItem -Path C:\Python3\Lib\site-packages -Filter *.pth -Recurse | Select-String "__import__('_distutils_hack')"
The malware also employs environmental key gating: it hashes the basenames of all loaded Python modules and proceeds only if one of them hashes to `0xF4835C9C`, the value for `EXPLOIT_POC.py`. The malicious path therefore runs only when the full lure script is executed under its original name; a sandbox that imports `skytext` on its own, or runs a renamed copy of the PoC, sees nothing.
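An audit script for the persistence mechanism above. This is an added example, not code from the original article or from the YesWeHack/Sekoia analysis, and the site-packages directory it inspects is constructed in a temporary folder (the hook filename `zzz-gradient-helper.pth` is invented for the demo). It relies on two facts: CPython executes every line of a `.pth` file that starts with `import`, and on Linux `utime()` can rewrite a file’s mtime but the inode change time (`st_ctime`) is updated by the write itself, so an mtime far older than the ctime is a timestomping tell. On Windows `st_ctime` is the creation time instead, so that check applies to Linux and macOS only.

```python
"""Audit a site-packages directory for ChocoPoC-style .pth persistence.

Added example (not from the original article). Flags executable .pth lines
outside setuptools' own shim, extra lines appended to that shim, and files
whose mtime was pushed back in time. The directory is CONSTRUCTED.
"""
import os
import pathlib
import tempfile

LEGIT_SHIM = "distutils-precedence.pth"   # setuptools' own hook file (one executable line)
TIMESTOMP_GAP = 3600                       # seconds mtime may lag ctime before we flag it


def executable_lines(pth_path):
    """Lines a .pth file executes: CPython runs those starting with 'import'."""
    return [
        line.strip()
        for line in pth_path.read_text(errors="replace").splitlines()
        if line.startswith("import ") or line.startswith("import\t")
    ]


def audit_site_packages(site_packages, gap=TIMESTOMP_GAP):
    """Return a list of (path, reason) findings for a site-packages directory."""
    findings = []
    root = pathlib.Path(site_packages)
    for pth in sorted(root.glob("*.pth")):
        lines = executable_lines(pth)
        if pth.name == LEGIT_SHIM:
            if len(lines) > 1:
                findings.append((str(pth), f"{len(lines)} executable lines in setuptools shim (expected 1)"))
        else:
            for line in lines:
                tag = ("_distutils_hack hook outside setuptools shim"
                       if "_distutils_hack" in line else "executes code at interpreter start")
                findings.append((str(pth), f"{tag}: {line}"))
        st = pth.stat()
        if st.st_ctime - st.st_mtime > gap:        # Linux/macOS: ctime cannot be set with utime()
            findings.append((str(pth), f"possible timestomp: mtime {int(st.st_mtime)} << ctime {int(st.st_ctime)}"))
    hack_init = root / "_distutils_hack" / "__init__.py"
    if hack_init.exists():
        st = hack_init.stat()
        if st.st_ctime - st.st_mtime > gap:
            findings.append((str(hack_init), "possible timestomp on _distutils_hack/__init__.py"))
    return findings


def build_sample_site_packages():
    """Constructed site-packages: one legitimate shim and one backdoored .pth."""
    d = pathlib.Path(tempfile.mkdtemp(prefix="sitepkgs_"))
    # a one-line shim in the shape of setuptools' real one; it must NOT be flagged
    (d / LEGIT_SHIM).write_text(
        "import os; var = 'SETUPTOOLS_USE_DISTUTILS'; enabled = os.environ.get(var, 'local') == 'local'; "
        "enabled and __import__('_distutils_hack').add_shim();\n")
    # attacker-style hook under an innocuous (invented) name, mtime then set back one year
    evil = d / "zzz-gradient-helper.pth"
    evil.write_text("import os; os.environ.get('X') or __import__('_distutils_hack')\n")
    old = evil.stat().st_mtime - 365 * 86400
    os.utime(evil, (old, old))                  # rewrites atime/mtime only; ctime stays 'now'
    return d


if __name__ == "__main__":
    for path, reason in audit_site_packages(build_sample_site_packages()):
        print(f"{path}: {reason}")
```

Run it against every interpreter on the host (`python3 -c "import site; print(site.getsitepackages())"` for each), including virtual environments the researcher used for PoCs, since that is where `pip install -r requirements.txt` would have dropped the hook.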
3. ChocoPoC’s Stealthy C2 and Data Exfiltration
The ChocoPoC RAT is a fully functional Python information stealer that uses the legitimate Mapbox API as a covert command‑and‑control channel. The downloader resolves `api.mapbox[.]com` over DNS‑over‑HTTPS (DoH) through public resolvers such as `dns.alidns[.]com` and `cloudflare-dns[.]com`, so the host’s own resolver, DNS sinkholes and DNS‑based EDR telemetry never see the lookup. It then connects directly to the resolved IP address with the TLS SNI and HTTP Host header both set to `api.mapbox[.]com`, so the session is indistinguishable from ordinary Mapbox API usage. The report describes this as domain fronting; strictly, fronting sets SNI and Host to different names, whereas here they match, so what is evaded is DNS visibility rather than CDN routing.
Once the RAT is fetched from a Mapbox dataset feature, it enters a continuous loop that polls the C2 for encrypted commands. Supported commands include:
– `hola` – System reconnaissance (ipconfig, tasklist, uname, netstat)
– `cmd` – Arbitrary shell command execution
– `python` – Dynamic Python code execution via `exec()`
– `get` – File staging and exfiltration
– `browserdata` – Harvest credentials, cookies, and autofill data from Chrome, Brave, Edge, and Firefox
Linux command to spot traffic to the DoH resolvers (tcpdump only prints hostnames it can obtain by reverse lookup, so treat a match as a hint and confirm against the TLS SNI in your network sensor):
sudo tcpdump -i any -l port 443 | grep -E "dns.alidns|cloudflare-dns"
Windows command to list established connections owned by a Python process (`-b` prints the executable name on the line after the connection, so a single case‑insensitive filter for both words is needed; chaining two `findstr` calls returns nothing):
netstat -anob | findstr /i "python ESTABLISHED"
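A hunt that correlates the two signals described above: a non-authorised host talking to a DoH resolver, and a TLS session whose SNI the host never looked up through its normal DNS path shortly beforehand (which is exactly what DoH resolution of `api.mapbox[.]com` produces). This is an added example and not code from the original article or from YesWeHack/Sekoia. The records are constructed in the shape of Sysmon Event ID 22 (DNS query) and Event ID 3 (network connection) enriched with the SNI a Zeek `ssl.log` would supply; the host names, process images and the `DOH_ALLOWED_HOSTS` allow‑list are assumptions for the demo.

```python
"""Hunt for ChocoPoC-style C2: DoH resolvers and TLS sessions without a DNS lookup.

Added example (not from the original article). Inputs are CONSTRUCTED dicts
shaped like Sysmon EID 22 / EID 3 records with an SNI field.
"""
from collections import defaultdict

DOH_RESOLVERS = {"dns.alidns.com", "cloudflare-dns.com", "dns.google", "dns.quad9.net"}
DOH_ALLOWED_HOSTS = {"proxy01"}        # hosts permitted to use DoH (assumption)
DNS_WINDOW = 300                        # seconds a plain-DNS answer is considered fresh


def hunt(dns_events, conn_events, window=DNS_WINDOW):
    """Return (host, image, sni, reason) tuples for suspicious TLS connections."""
    seen = defaultdict(lambda: defaultdict(list))      # host -> name -> query timestamps
    for e in dns_events:
        seen[e["host"]][e["query"].lower()].append(e["ts"])

    alerts = []
    for c in sorted(conn_events, key=lambda e: e["ts"]):
        sni = c["sni"].lower()
        if sni in DOH_RESOLVERS:
            if c["host"] not in DOH_ALLOWED_HOSTS:
                alerts.append((c["host"], c["image"], sni,
                               "DoH resolver contacted by non-authorised host"))
            continue                                    # resolver traffic itself needs no DNS check
        recent = [t for t in seen[c["host"]].get(sni, []) if 0 <= c["ts"] - t <= window]
        if not recent:
            reason = "TLS to a name never resolved via local DNS (DoH or hard-coded IP?)"
            if c["image"].lower().startswith("python"):
                reason += "; initiated by python"
            alerts.append((c["host"], c["image"], sni, reason))
    return alerts


# --- constructed telemetry (not real captures) ---
DNS_EVENTS = [
    {"ts": 100, "host": "ws-42", "query": "pypi.org"},
    {"ts": 102, "host": "ws-42", "query": "github.com"},
]
CONN_EVENTS = [
    {"ts": 101, "host": "ws-42",   "image": "pip.exe",    "sni": "pypi.org"},
    {"ts": 103, "host": "ws-42",   "image": "chrome.exe", "sni": "github.com"},
    {"ts": 150, "host": "ws-42",   "image": "python.exe", "sni": "cloudflare-dns.com"},
    {"ts": 151, "host": "ws-42",   "image": "python.exe", "sni": "api.mapbox.com"},
    {"ts": 160, "host": "proxy01", "image": "unbound",    "sni": "cloudflare-dns.com"},
]

if __name__ == "__main__":
    for host, image, sni, reason in hunt(DNS_EVENTS, CONN_EVENTS):
        print(f"{host} {image} -> {sni}: {reason}")
```

Browsers with built‑in DoH and hosts behind a caching forwarder will also trip the “no local DNS” check, so scope it to the process images and hosts where a plain lookup is expected; the combination of a Python process, a DoH resolver, and an unresolved SNI to an API domain a few seconds later is the pattern worth paging on.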
4. Indicators of Compromise and YARA Rules
YesWeHack and Sekoia have published a comprehensive set of IoCs:
Malicious PyPI packages (SHA256):
– `skytext` v1.1.0: `093739477cd379adef95126b22758c0e644282d2028dd297328ce856fa111dd06`
– `frint` v0.1.2: `17997e9e0256d0f5d5d21a4852c37f16b338e4bb9c2bec09bdfd822b24aa76b4`
– `slogsec` v1.1.0: `5abd45d6f4a1705dca55d882f017d4768888dce9ad99cea40b3da35c23de5cae`
Malicious binaries:
– `gradient.pyd` (Windows): `40569318e89db751ff3886b2617d990d8a343f0d1d8727b7f978a28129ca36bc`
– `gradient.so` (Linux): `320b29844892e3c59bc6fcb07e701b2b3230a37cb4a13176174e9e294ec6d43e`
Network indicators:
– Stage 3 exfil server: `hxxp://91[.]132[.]163[.]78:8001/assets/static/bundle[.]ext[.]min[.]de5b2bc9[.]js`
– Mapbox dataset URLs (defanged): `hxxps://api.mapbox[.]com/datasets/v1/frankley/…`
YARA rule to triage `gradient.so` / `gradient.pyd` (the original condition lacked parentheses, so `and` bound tighter than `or` and the rule fired on every ELF file; the `$xor` and `$hash` strings are weak on their own, so confirm any hit against the SHA256 hashes above):
rule ChocoPoC_gradient {
    meta:
        description = "Detects ChocoPoC gradient native extension"
        hash = "320b29844892e3c59bc6fcb07e701b2b3230a37cb4a13176174e9e294ec6d43e"
    strings:
        $peb = "GetThreadContext" ascii wide
        $hash = "0x1D4E3" ascii
        $xor = "XOR" ascii
    condition:
        (uint16(0) == 0x457f or uint16(0) == 0x5a4d) and ($peb or $hash or $xor)
}
5. Defensive Measures and Mitigation
Given that the attack leverages dependency confusion and social engineering, a multi‑layered defense is essential:
For individuals:
- Never run `pip install -r requirements.txt` from an untrusted PoC without reviewing every dependency, including transitive ones. Use `pip download --no-deps <package>` and inspect each package before installing.
- Execute PoCs in isolated, non‑persistent VMs with no access to production credentials or sensitive data.
- Monitor for unexpected `.pth` files and `_distutils_hack` overrides in your Python environment.
For SOC teams:
- Block outbound connections to `api.mapbox[.]com` unless explicitly required for business purposes.
- Deploy network detection rules for DoH queries to `dns.alidns[.]com` and `cloudflare-dns[.]com` originating from non‑authorized hosts.
- Hunt for `python` or `python3` processes that spawn child processes with hidden windows (the `CREATE_NO_WINDOW` creation flag on Windows).
- Use Sigma rules to detect the creation or modification of `distutils-precedence.pth` and `_distutils_hack/__init__.py` outside a setuptools install or upgrade; a file‑create event cannot see appended code, so pair it with a content check of the resulting file.
Linux audit command to monitor `.pth` file modifications (`auditctl -w` takes a literal path, not a wildcard, so resolve the real `site-packages` directory first):
sudo auditctl -w "$(python3 -c 'import site; print(site.getsitepackages()[0])')" -p wa -k python_pth
Windows Sysmon configuration fragment to log `.pth` writes (place it inside the `<EventFiltering>` element of your Sysmon config; the resulting Event ID 11 records the writing process, which should normally be `pip` or an installer):
<RuleGroup name="FileCreate" groupRelation="or">
  <FileCreate onmatch="include">
    <TargetFilename condition="end with">.pth</TargetFilename>
  </FileCreate>
</RuleGroup>
6. The Broader Supply Chain Threat
This is not an isolated incident. At least seven fake CVE PoC repositories have been identified, all employing the same modus operandi. The attacker rotated GitHub, PyPI, and Mapbox accounts across campaigns, using compromised email addresses from Indonesian and Turkish students to publish malicious packages. Download statistics for “skytext” show approximately 2,400 downloads, with spikes that closely follow the disclosure of high‑profile vulnerabilities like React2Shell (CVE-2025-55182), FortiWeb (CVE-2025-64446), and Ivanti Sentry (CVE-2026-10520).
The campaign also targets offensive security tooling: the same RAT was found in a trojanized MongoBleed PoC distributed through the MDUT Extend framework, demonstrating a double supply‑chain attack where compromising a researcher’s workstation can lead to framework‑level infections.
What Undercode Say:
- Key Takeaway 1: The ChocoPoC campaign is a wake‑up call for the vulnerability research community. The same urgency that drives rapid PoC development is now being weaponized against defenders. Always treat third‑party PoCs as potentially hostile, regardless of their source.
- Key Takeaway 2: The use of legitimate cloud services (Mapbox) as C2 infrastructure is a growing trend. Traditional allow‑listing and domain‑based blocking are insufficient; defenders must monitor for anomalous API usage patterns and DoH traffic.
- Key Takeaway 3: The attack chain is remarkably sophisticated—environmental key gating, PEB walking, export hashing, and timestomping are techniques typically seen in advanced persistent threats. This indicates a well‑resourced actor with a deep understanding of both Python internals and Windows/Linux internals.
- Key Takeaway 4: The fact that the malware was nearly undetectable by antivirus and sandboxes (0/60 on VirusTotal at the time) highlights the limitations of signature‑based detection. Behavioral monitoring and human review remain irreplaceable.
- Key Takeaway 5: The attacker’s operational security—using disposable accounts, compromised emails, and rotating infrastructure—makes takedown efforts challenging. The community must adopt a proactive, intelligence‑sharing approach to disrupt such campaigns early.
Prediction:
- -1 The ChocoPoC campaign will likely inspire copycat attacks targeting other PoC ecosystems (e.g., Go, Rust, npm). Dependency confusion is a low‑effort, high‑reward vector that will become increasingly common in 2026–2027.
- -1 The use of legitimate cloud APIs (Mapbox, AWS S3, Azure Blob) as dead‑drop resolvers will accelerate, as they offer free, high‑trust infrastructure that evades traditional C2 detection.
- +1 This incident will drive the development of community‑driven PoC validation frameworks, such as automated dependency sandboxing and crowdsourced reputation systems for PyPI packages.
- -1 Without concerted action, the vulnerability research community may become more insular, slowing down the sharing of critical PoCs and ultimately harming global security.
- +1 However, the collaboration between YesWeHack and Sekoia—and the rapid publication of IoCs—demonstrates that information sharing can effectively counter these threats. The future of defense lies in real‑time threat intelligence and automated detection pipelines.
Reported By: Two Weeks – Hackers Feeds