
MUT-1244

Also known as: MUT-1244

MUT-1244 is a threat actor tracked in connection with open-source supply chain attacks targeting the cybersecurity community, including security researchers, red teamers, and bug hunters. The actor has used fake proof-of-concept (PoC) repositories for newly disclosed CVEs and malicious npm packages to steal sensitive data and, in some cases, to facilitate cryptocurrency mining.

Reported activity includes a campaign in which fake Python PoC repositories on GitHub delivered the ChocoPoC malware through malicious dependencies such as frint and skytext. In that campaign, the visible exploit code appeared benign, while a compiled component embedded in the dependency chain activated only when the PoC was run, helping it evade simple sandboxing and cursory review.

ChocoPoC was described as a full remote access trojan. It steals browser credentials, cookies, autofill data, browsing history, text files, notes, local databases, shell history, network settings, and process information, and it also enables shell command execution, arbitrary Python execution, folder download, and throttled activity for stealth. The malware used a Mapbox dataset as a dead-drop command channel, resolved infrastructure via DNS-over-HTTPS, used domain fronting to resemble normal Mapbox API traffic, and sent larger uploads to 91.132.163.78.

The fake repositories were themed around high-profile vulnerabilities, including FortiWeb path traversal (CVE-2025-64446), React2Shell (CVE-2025-55182), MongoBleed (CVE-2025-14847), PAN-OS authentication bypass (CVE-2026-0257), Ivanti Sentry command injection (CVE-2026-10520), Check Point VPN authentication bypass (CVE-2026-50751), and Joomla SP Page Builder remote code execution (CVE-2026-48908). Researchers identified at least seven such repositories. Related activity reportedly dates to late 2025, when the earlier packages slogsec and logcrypt.cryptography were used with near-identical code.

Researchers assessed with high confidence that a single actor operated both phases and noted that the operator rotated through GitHub, PyPI, and Mapbox accounts, several of which were created from leaked or stolen credentials. Separate reporting also attributed malicious npm package activity to MUT-1244. In that activity, packages targeting the cybersecurity community used a dependent package for data theft and cryptocurrency mining, and leveraged legitimate services such as Dropbox for exfiltration. Known alias: mut_1244.
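A defender-side pre-flight check that follows from the dependency-chain pattern described above, added here as an illustrative example (it is not code from the original reporting or from Mallory): before a cloned PoC is executed, it parses the repository's requirements.txt, flags declared dependencies absent from a reviewer-maintained allowlist, and lists compiled extension modules inside an installed package tree. The requirements text and package directory are constructed for the demo; frint and skytext are the package names cited above, and the file names inside them are made up.

```python
"""Pre-flight audit of a cloned PoC repo's dependency chain (added example):
benign-looking exploit code whose dependency hides a compiled component."""
import os
import re
import tempfile
from pathlib import Path

# Native extension / shared library suffixes that deserve a second look.
COMPILED_SUFFIXES = (".so", ".pyd", ".dll", ".dylib")

def parse_requirements(text):
    """Lower-cased bare package names from requirements.txt text; comments,
    blank lines, pip options (-r, --index-url), extras and specs dropped."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        match = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if match:
            names.append(match.group(0).lower())
    return names

def unknown_dependencies(requirements_text, allowlist):
    """Declared dependencies not vouched for by the reviewer's allowlist."""
    allowed = {name.lower() for name in allowlist}
    return [n for n in parse_requirements(requirements_text) if n not in allowed]

def compiled_files(site_packages):
    """Relative paths of compiled extension modules under a package tree."""
    hits = []
    for root, _dirs, files in os.walk(site_packages):
        for name in files:
            if name.lower().endswith(COMPILED_SUFFIXES):
                rel = os.path.relpath(os.path.join(root, name), site_packages)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)

def demo():
    """Both checks on a constructed requirements file and package tree."""
    reqs = "requests>=2.31\nfrint==0.1.2\nskytext  # pulled in by the PoC\n"
    with tempfile.TemporaryDirectory() as tmp:
        sp = Path(tmp)
        for pkg in ("requests", "frint"):
            (sp / pkg).mkdir()
            (sp / pkg / "__init__.py").touch()
        # Constructed file name standing in for a native module hidden in a dep.
        (sp / "frint" / "_core.cpython-311-x86_64-linux-gnu.so").touch()
        return unknown_dependencies(reqs, ["requests"]), compiled_files(tmp)
```

Any name in the first list or any path in the second is a reason to read the package source and its build artifacts before the PoC is run, rather than only the exploit file the repository shows up front.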


OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Software & Services

MITRE ATT&CK

Tradecraft

3 distinct techniques observed across reporting, grouped by tactic (3 of 15 tactics, 5 techniques including sub-techniques).

  • TA0001 Initial Access (1 technique)
      ◦ T1195 Supply Chain Compromise
      ◦ T1195.001 Compromise Software Dependencies and Development Tools
  • TA0007 Discovery (1 technique)
      ◦ T1082 System Information Discovery
  • TA0010 Exfiltration (1 technique)
      ◦ T1567 Exfiltration Over Web Service
      ◦ T1567.002 Exfiltration to Cloud Storage