Close Menu
Most Read

PyPI Packages Deliver ZiChatBot Malware via Zulip APIs

Staff WriterBy No Comments2 Mins Read4 Views

Quick Takeaways

  1. Cybersecurity researchers discovered malicious Python packages on PyPI that covertly deploy the ZiChatBot malware, which uses public chat APIs instead of traditional C2 servers for command and control.
  2. The malware activates via DLL or shared object droppers on Windows and Linux, planting persistent backdoors and executing shellcode received from its C2 infrastructure.
  3. The campaign is linked to known threat actors like OceanLotus, indicating an expansion of their supply chain attack tactics beyond phishing to include stealthy third-party repository compromises.

Threat, Attack Techniques, and Targets

Cybersecurity researchers found three malicious packages on the Python Package Index (PyPI). These packages are designed to secretly deliver a new malware called ZiChatBot on Windows and Linux systems. The packages were uploaded between July 16 and 22, 2025, and have been taken down from PyPI. The packages include uuid32-utils, colorinal, and termncolor. The first two contain malicious payloads, while termncolor appears to be harmless but depends on colorinal. Attackers use these packages as part of a supply chain attack, hiding malware inside seemingly normal software. Once installed, the malware can extract a DLL or shared object file to infect the device. On Windows, it stores a DLL called “terminate.dll” and creates an auto-run entry in the registry. On Linux, it drops a file in “/tmp/obsHub/obs-check-update” and sets a crontab job. The malware communicates with an external server through REST APIs using a chat app called Zulip. Targets include users on Windows and Linux devices who download these packages, possibly unknowingly helping attackers gain access.

Impact, Security Implications, and Remediation Guidance

The ZiChatBot malware can give hackers control over infected devices. It can execute shellcode sent from its command-and-control (C2) server. On Windows, it loads malicious DLLs and auto-runs at startup. On Linux, it sets up scheduled tasks and places files in specific directories. The malware’s ability to run remote commands means it could steal data, spy on users, or damage systems. This campaign shows an evolving strategy to expand targets and methods. If you suspect infection, it is best to consult the relevant software vendors or cybersecurity authorities for proper remediation guidance. Removing the malicious packages, deleting files, and checking system settings are recommended steps.

Expand Your Tech Knowledge

Stay informed on the revolutionary breakthroughs in Quantum Computing research.

Stay inspired by the vast knowledge available on Wikipedia.

ThreatIntel-V1

Share.
Avatar photo

John Marcelli is a staff writer for the CISO Brief, with a passion for exploring and writing about the ever-evolving world of technology. From emerging trends to in-depth reviews of the latest gadgets, John stays at the forefront of innovation, delivering engaging content that informs and inspires readers. When he's not writing, he enjoys experimenting with new tech tools and diving into the digital landscape.

Related Posts

Comments are closed.