A new cross-platform malware family, referred to as ZiChatBot, has been identified as exploiting the trusted Python Package Index (PyPI) ecosystem and the Zulip team chat platform to establish a stealthy command-and-control (C2) channel. This alarming discovery underscores the ongoing threats that software development environments face, particularly in the wake of sophisticated supply chain attacks.
During routine threat-hunting activities, cybersecurity analysts detected a series of malicious wheel packages being uploaded to PyPI. These packages initially masqueraded as legitimate utilities, thereby evading scrutiny from unsuspecting developers. The three fraudulent projects identified were named uuid32-utils, colorinal, and termncolor. Each was introduced under different aliases and marketed as libraries designed for UUID generation and terminal color management. This strategic naming choice allowed them to seamlessly blend into the Python ecosystem, potentially compromising numerous development projects.
Although these packages ostensibly provided the advertised functionalities, their real purpose was to deliver the ZiChatBot malware through embedded malicious components. The campaign has been active since July 2025 and represents a carefully planned supply chain attack targeting developers on both Windows and Linux via malicious wheel packages. The layering of the operation is telling: the attackers used termncolor as a seemingly innocuous wrapper that pulls in the already malicious colorinal package as a dependency. This made termncolor itself look harmless while it quietly introduced the compromised library into downstream projects at installation time.
To maximize their impact, the malicious packages shipped platform-specific wheels for Windows (both x86 and x64) and Linux (x86_64), thereby broadening their potential victim pool across various development environments. By doing so, the attackers ensured that both Windows and Linux users remained susceptible to this sophisticated malware.
On Windows, installing colorinal-0.1.7-py3-none-win_amd64.whl or uuid32-utils unpacks a Dynamic Link Library (DLL) dropper named terminate.dll. When the library is imported, its __init__.py runs first and immediately loads another script, unicode.py. That script's is_color_supported() function pretends to probe terminal capabilities but in fact loads terminate.dll into the Python process. The script then calls the dropper's exported function envir, passing a hard-coded UTF-8 string that serves both as the decryption key and as the trigger for the dropper's core logic.
Using AES-CBC decryption, the dropper decodes embedded data to extract the ZiChatBot components, vcpktsvr.exe and libcef.dll. These files are written to a vcpacket folder under %LOCALAPPDATA%. The malware then gains persistence by creating an auto-run entry in the current user's Run registry key that points to vcpktsvr.exe, so it survives reboots and keeps running without drawing attention.
To cover the traces of its initial execution, the malware runs shellcode that locates terminate.dll, deletes it, and removes the malicious script from the installed library folder.
On Linux the behavior mirrors the Windows chain, but the dropper is packaged as terminate.so. ZiChatBot is dropped as a single ELF executable at /tmp/obsHub/obs-check-update, where it sets its own permissions and installs a cron job that runs it every five minutes. This gives it persistence without touching any traditional service manager.
One of the most notable characteristics of ZiChatBot is its innovative use of Zulip’s public REST APIs as its command-and-control (C2) channel, which diverges from the conventional use of attacker-controlled domains or virtual private servers (VPS). In Windows, the principal payload is encapsulated in libcef.dll, which is sideloaded by the seemingly legitimate vcpktsvr.exe and features a malicious export called cef_api_mash. This component initiates communications with the C2 channel by authenticating to Zulip using a hardcoded API token sent as an HTTP header within each request to a Zulip organization that is registered under the "helper" workspace.
Running with a minimal command set, ZiChatBot can retrieve shellcode from designated channel-topic pairs within Zulip and execute it within a new thread, acting effectively as a generic remote code loader. One Zulip topic is employed to transmit system information from infected hosts, while another is reserved for fetching the shellcode payload. After executing the shellcode successfully, the bot acknowledges the action by replying with a heart emoji to the original message, ingeniously camouflaging its activities as ordinary chat-bot interactions.
Recent analysis using Kaspersky’s Threat Attribution Engine (KTAE) has indicated that the dropper used by ZiChatBot shares a striking 64% code similarity with a previously documented OceanLotus (APT32) dropper. OceanLotus, known for its strategic targeting of organizations within the Asia-Pacific region, has shown recent interest in extending its operations into the Middle East. The group has a notorious history of exploiting cloud and developer platforms, including prior campaigns that leveraged GitHub repositories for malicious purposes. Although attributing the malware to a specific group is approached cautiously, the technical overlaps strongly imply that ZiChatBot is likely part of OceanLotus’s ongoing initiative to diversify its supply chain and cloud-service-focused attack strategies.
The malicious PyPI packages have since been expunged, and the attacker’s “helper” Zulip organization has been deactivated, but the risk persists as previously compromised systems may still attempt to establish connections. Cybersecurity professionals are advised to block access to helper.zulipchat.com, extensively audit their environments for the identified package names and installation artifacts (such as vcpacket, vcpktsvr.exe, and /tmp/obsHub/obs-check-update), and fortify their defenses surrounding third-party Python dependencies to mitigate future attacks.
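The audit steps above, implemented as a small host-side check. This is an added example, not the article's or any vendor's tooling; it looks only for the package names and artifacts the article lists, and the sample values in the functions' docstrings are constructed.

```python
"""Audit a host for the ZiChatBot indicators named in the article:
the three PyPI package names, the dropped files, the Run-key entry and the cron job."""
import os
import subprocess
import sys
from importlib.metadata import distributions

# Indicators taken from the article text.
MALICIOUS_PACKAGES = {"uuid32-utils", "colorinal", "termncolor"}
WINDOWS_ARTIFACTS = (("vcpacket",), ("vcpacket", "vcpktsvr.exe"), ("vcpacket", "libcef.dll"))
LINUX_ARTIFACT = "/tmp/obsHub/obs-check-update"

def check_packages(names):
    """Return campaign package names present in a list of installed distributions.
    PyPI names are case-insensitive and treat '_' and '-' alike, so normalise first."""
    normalised = {n.lower().replace("_", "-") for n in names}
    return sorted(normalised & MALICIOUS_PACKAGES)

def check_run_key(values):
    """values: {value_name: command} read from the user's Run key; flag vcpktsvr.exe."""
    return {k: v for k, v in values.items() if "vcpktsvr.exe" in v.lower()}

def check_cron(crontab_text):
    """Return active (non-comment) crontab lines that launch the Linux ZiChatBot path."""
    return [ln for ln in crontab_text.splitlines()
            if LINUX_ARTIFACT in ln and not ln.lstrip().startswith("#")]

def check_paths(local_appdata, exists=os.path.exists):
    """Return dropped-file paths that exist; `exists` is injectable for offline testing."""
    candidates = [os.path.join(local_appdata, *parts) for parts in WINDOWS_ARTIFACTS] if local_appdata else []
    candidates.append(LINUX_ARTIFACT)
    return [p for p in candidates if exists(p)]

def read_run_key():
    """Read HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run (Windows only)."""
    if sys.platform != "win32":
        return {}
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        for i in range(winreg.QueryInfoKey(key)[1]):
            name, data, _ = winreg.EnumValue(key, i)
            values[name] = str(data)
    return values

def read_crontab():
    """Current user's crontab, or empty string where crontab is unavailable."""
    try:
        return subprocess.run(["crontab", "-l"], capture_output=True, text=True).stdout
    except OSError:
        return ""

if __name__ == "__main__":
    print({"packages": check_packages(d.metadata["Name"] or "" for d in distributions()),
           "run_key": check_run_key(read_run_key()), "cron": check_cron(read_crontab()),
           "paths": check_paths(os.environ.get("LOCALAPPDATA", ""))})
```

An empty result for every key means none of the listed indicators is present; it does not prove the host was never compromised, since the cleanup shellcode removes the dropper after use.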
