PyPI Packages Deliver ZiChatBot Malware via Zulip APIs on Windows and Linux
Three malicious packages on PyPI spread the ZiChatBot malware, using Zulip as a command-and-control (C2) hub
Three Malicious PyPI Packages Deliver ZiChatBot Malware via Zulip Command-and-Control
TL;DR Kaspersky identified three malicious packages on PyPI, uuid32-utils, colorinal, and termncolor, uploaded between July 16 and 22, 2025, that covertly deliver ZiChatBot, a previously unknown malware family. Instead of a traditional command-and-control server, the malware uses Zulip's public REST APIs as its C2 channel. The dropper code shares 64% similarity with malware associated with OceanLotus (APT32), though definitive attribution remains unconfirmed.
What happened
Three Python packages were discovered on the Python Package Index (PyPI) repository that masqueraded as legitimate utility libraries but were designed to deliver ZiChatBot malware to Windows and Linux systems. The packages—uuid32-utils (1,479 downloads), colorinal (614 downloads), and termncolor (387 downloads)—were uploaded during a seven-day window between July 16 and 22, 2025, before being removed.
uuid32-utils and colorinal carried similar malicious payloads, while termncolor functioned as a dependency trap: it contained no payload of its own but explicitly listed colorinal as a dependency, so installing it pulled the malicious package in through normal dependency resolution.
On Windows, installation of either uuid32-utils or colorinal triggers extraction of a DLL dropper named "terminate.dll" to disk. When the library is imported into a project, the DLL is loaded, establishing persistence through a Windows Registry auto-run entry before deleting itself from the host.
On Linux systems, the shared object dropper ("terminate.so") is planted at "/tmp/obsHub/obs-check-update" and configures a crontab entry for persistence.
ZiChatBot's command execution architecture diverges from conventional malware design. Instead of communicating with a dedicated command-and-control server, the malware leverages REST APIs from Zulip, a public team chat application, as its C2 infrastructure. After executing shellcode received from the C2, the malware signals successful completion by sending a heart emoji back to the server.
Kaspersky described the campaign as a "carefully planned and executed PyPI supply chain attack." Attribution to a specific threat actor remains uncertain, though the dropper code exhibits 64% similarity to malware previously used by OceanLotus (also known as APT32), a Vietnam-aligned hacking group.
Why it matters
This attack demonstrates a sophisticated supply chain compromise targeting developers through a trusted distribution channel. PyPI receives millions of package installations monthly; an attacker positioning malware in the dependency tree can achieve broad reach with minimal targeting effort.
The use of a public, legitimate service (Zulip) as C2 infrastructure complicates detection. Domain- or IP-based indicators built for dedicated C2 servers will not catch this activity, because the traffic is ordinary HTTPS to a SaaS platform that may already be allowed through the proxy. Detection has to key on the pairing of process and destination: Zulip REST API calls originating from a Python interpreter or an unknown binary rather than from a browser or a sanctioned chat client.
For developers, the attack underscores risks of transitive dependencies. Installing termncolor, which itself appeared benign, automatically pulled in the malicious colorinal package. This chain illustrates how supply chain compromises exploit the implicit trust developers place in dependency resolution.
If attribution to OceanLotus is confirmed, the incident signals a shift in the group's targeting methodology—moving beyond phishing and Visual Studio Code poisoning to exploit Python's package ecosystem at scale.
Affected systems and CVEs
- uuid32-utils — malicious PyPI package
- colorinal — malicious PyPI package
- termncolor — malicious PyPI package (dependency wrapper)
- Windows systems — via "terminate.dll" dropper
- Linux systems — via "terminate.so" dropper
- Zulip — misused for C2 communication via REST APIs
No CVE assigned at the time of publication.
What to do
- Remove uuid32-utils, colorinal, and termncolor from all Python environments and CI/CD pipelines immediately.
- Audit dependency trees in active projects for transitive inclusions of these packages.
- Search system logs and process telemetry for evidence of "terminate.dll" or "terminate.so" loading or execution.
- On Windows, check the Registry for auto-run entries created by the dropper and remove them; the usual places to look are the Run and RunOnce keys under HKCU and HKLM (Software\Microsoft\Windows\CurrentVersion), which is where the page's description of a Registry auto-run entry would land.
- On Linux, inspect per-user crontabs (crontab -l for each account) and the system cron directories for entries that reference "/tmp/obsHub/obs-check-update", and check that path for the planted artifact.
- Review outbound traffic from non-browser processes to Zulip REST endpoints; this is anomalous. Zulip Cloud organizations are served from per-tenant subdomains of zulipchat.com and a self-hosted Zulip server can sit on any domain, so match on the API path (for example /api/v1/messages, /api/v1/events, /api/v1/register) in proxy or EDR network logs rather than on a fixed host list.
- If these packages were installed, assume code execution occurred during package import and treat affected systems as compromised until remediated.
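The checks above, and the process-to-endpoint detection idea from the "Why it matters" section, as a single triage script. This is example code added for this write-up, not tooling from Kaspersky, PyPI or Zulip. The package names and the Linux dropper path come from the article; the proxy-log record format ("process<TAB>url") and all sample data are constructed for the example. The script applies the same checks to an installed environment, a requirements file, crontab output and proxy-log lines, and normalizes package names the way pip does so that a spelling like uuid32_utils is still caught.

```python
"""Triage helpers for the ZiChatBot PyPI campaign (uuid32-utils, colorinal,
termncolor).  Example code written for this write-up, not tooling from
Kaspersky, PyPI or Zulip.  Indicator names and the Linux dropper path are
taken from the article; the proxy-log record format used below is invented."""
import re
from importlib import metadata

MALICIOUS = {"uuid32-utils", "colorinal", "termncolor"}
LINUX_ARTIFACT = "/tmp/obsHub/obs-check-update"
# Public Zulip REST endpoints a bot needs in order to poll and post messages.
ZULIP_API = re.compile(r"/api/v1/(messages|events|register)\b")
_REQ_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name):
    """PEP 503 name normalization: case-folded, runs of '-', '_' and '.' -> '-'.
    pip treats uuid32_utils and UUID32-Utils as the same project, so we must too."""
    return re.sub(r"[-_.]+", "-", name).lower()


def flag_installed(dists):
    """dists: iterable of (name, requires) where requires is the list of
    Requires-Dist strings (or None).  Returns (package, reason) pairs, so a
    package pulled in transitively (the termncolor -> colorinal trap) is
    reported together with the package that required it."""
    findings = []
    for name, requires in dists:
        pkg = normalize(name or "")
        if pkg in MALICIOUS:
            findings.append((pkg, "installed"))
        for req in requires or []:
            m = _REQ_NAME.match(req)
            if m and normalize(m.group(1)) in MALICIOUS:
                findings.append((normalize(m.group(1)), f"required by {pkg}"))
    return findings


def scan_environment():
    """Run flag_installed over the current interpreter's site-packages."""
    dists = [(d.metadata["Name"], d.requires) for d in metadata.distributions()]
    return flag_installed(dists)


def flag_requirements(text):
    """Flag the names in requirements.txt / constraints text, ignoring comments."""
    found = []
    for line in text.splitlines():
        m = _REQ_NAME.match(line.split("#", 1)[0])
        if m and normalize(m.group(1)) in MALICIOUS:
            found.append(normalize(m.group(1)))
    return found


def flag_crontab(text):
    """Return crontab lines that reference the Linux dropper path."""
    return [line for line in text.splitlines() if LINUX_ARTIFACT in line]


def flag_zulip_api(log_lines):
    """log_lines: 'process<TAB>url' records (constructed format).  Return hits
    where a non-browser process talks to a Zulip REST endpoint.  The match is
    on the API path, not a hostname, because Zulip Cloud organizations live
    under per-tenant subdomains and self-hosted servers can use any domain."""
    browsers = {"chrome.exe", "firefox.exe", "msedge.exe", "chrome", "firefox"}
    hits = []
    for line in log_lines:
        proc, _, url = line.partition("\t")
        if proc.lower() not in browsers and ZULIP_API.search(url):
            hits.append((proc, url))
    return hits


# --- constructed sample data (not real telemetry) ---
SAMPLE_DISTS = [
    ("requests", ["charset-normalizer<4", "idna>=2.5"]),
    ("termncolor", ["colorinal"]),      # the dependency trap from the article
    ("Colorinal", None),                # case differs; still the same project
]
SAMPLE_REQUIREMENTS = "requests==2.32.3\nuuid32_utils==1.0  # looks innocuous\n"
SAMPLE_CRONTAB = ("0 * * * * /tmp/obsHub/obs-check-update\n"
                  "@reboot /usr/bin/true\n")
SAMPLE_PROXY_LOG = [
    "chrome.exe\thttps://example.zulipchat.com/api/v1/messages?anchor=newest",
    "python.exe\thttps://example.zulipchat.com/api/v1/messages?anchor=newest",
    "python.exe\thttps://pypi.org/simple/requests/",
]

if __name__ == "__main__":
    for finding in flag_installed(SAMPLE_DISTS):
        print("package:", *finding)
    print("requirements:", flag_requirements(SAMPLE_REQUIREMENTS))
    print("crontab:", flag_crontab(SAMPLE_CRONTAB))
    print("zulip:", flag_zulip_api(SAMPLE_PROXY_LOG))
    print("this environment:", scan_environment())
```

On the constructed samples the script reports termncolor as installed, colorinal both as installed and as "required by termncolor", uuid32-utils from the requirements file despite the underscore spelling, the one cron line that references the dropper path, and the python.exe request to the Zulip messages endpoint while ignoring the identical request from the browser. Run it inside each virtual environment and CI image you want to check; the requirements and crontab functions take plain text, so they can be fed from pip freeze, lock files or crontab -l output collected from other hosts.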
Open questions
- Attribution to OceanLotus rests on 64% code similarity in the dropper; Kaspersky has not corroborated it through other means (shared infrastructure, operator tradecraft, or victim targeting).
- The total number of systems compromised or the targeting scope of this campaign is not disclosed.
- The nature and scope of shellcode delivered by ZiChatBot's C2 channel are not documented.
- Whether these packages remain available on PyPI mirrors, alternative repositories, or package caches outside the official PyPI index.
- Whether other packages on PyPI were similarly compromised in the same attack window or campaign.
Source
PyPI Packages Deliver ZiChatBot Malware via Zulip APIs on Windows and Linux