[Illustration: malicious Python packages infiltrating a software supply chain, with icons for Windows, Linux, and a chat application]

ZiChatBot Malware Infiltrates PyPI: A Deep Dive into the Zulip API-Powered Threat


In a concerning development for software supply chain security, cybersecurity researchers have unearthed a sophisticated malware campaign targeting both Windows and Linux environments through the popular Python Package Index (PyPI) repository. The culprit: a previously unknown malware family dubbed ZiChatBot, delivered covertly via seemingly innocuous Python packages.

The Deceptive Delivery Mechanism

Kaspersky’s investigation identified three malicious packages – uuid32-utils, colorinal, and termncolor – which, while providing the functionality described on their PyPI pages, also served as stealthy droppers for ZiChatBot. The packages were uploaded between July 16 and 22, 2025.

Zulip APIs: An Unconventional Command-and-Control

What sets ZiChatBot apart from conventional malware is its command-and-control (C2) channel. Instead of relying on attacker-operated C2 servers, ZiChatBot uses the REST APIs of Zulip, a public team chat application, to receive tasking and report results. Because the traffic goes to a legitimate chat service rather than to attacker infrastructure, it can blend in with genuine Zulip communications, so domain reputation and blocklists alone are unlikely to catch it; detection has to start from which hosts have a reason to talk to Zulip at all.
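The practical consequence of a SaaS-hosted C2 is that you hunt by expectation, not by reputation: which machines should be talking to the Zulip API, and which are? The script below is an added example (not code from Kaspersky's report or from the malware) that triages proxy log lines for Zulip REST API calls from hosts outside an allowlist. It assumes, since the page does not say, that Zulip Cloud organisations are served from `*.zulipchat.com` and that the API lives under the `/api/v1/` path prefix; self-hosted Zulip instances would need their hostnames added. The log lines are constructed for the example.

```python
"""Triage proxy logs for Zulip REST API traffic from unexpected hosts.

Added example, not code from Kaspersky's report or from the malware. It assumes
(not stated on the page) that Zulip Cloud organisations live under
https://<org>.zulipchat.com and that the REST API is served under /api/v1/.
Adjust ZULIP_HOST_SUFFIXES and the allowlist for your environment.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: Zulip Cloud organisations are served from *.zulipchat.com;
# add self-hosted Zulip hostnames here as well.
ZULIP_HOST_SUFFIXES = (".zulipchat.com",)
ZULIP_API_PREFIX = "/api/v1/"

# Constructed proxy log lines for the example: "<epoch> <client_ip> <method> <url>".
SAMPLE_LOG = """\
1753100001.123 10.0.5.17 GET https://acme.zulipchat.com/api/v1/messages?anchor=newest&num_before=5
1753100002.456 10.0.5.17 POST https://acme.zulipchat.com/api/v1/messages
1753100003.789 10.0.7.42 GET https://acme.zulipchat.com/api/v1/events?queue_id=1
1753100004.001 10.0.7.42 GET https://example.org/index.html
1753100005.555 10.0.9.9 POST https://acme.zulipchat.com/api/v1/messages
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$")


def is_zulip_api_call(url):
    """True when the URL targets the Zulip REST API (host suffix and /api/v1/ path)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return host.endswith(ZULIP_HOST_SUFFIXES) and parts.path.startswith(ZULIP_API_PREFIX)


def find_unexpected_zulip_clients(log_text, allowlisted_clients):
    """Return {client_ip: [(method, path), ...]} for clients that call the Zulip
    API but are not on the allowlist of machines expected to use Zulip."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the triage
        if m["client"] in allowlisted_clients:
            continue
        if is_zulip_api_call(m["url"]):
            hits[m["client"]].append((m["method"], urlsplit(m["url"]).path))
    return dict(hits)


if __name__ == "__main__":
    # 10.0.5.17 is an analyst workstation known to use Zulip; the others are servers.
    for client, calls in find_unexpected_zulip_clients(SAMPLE_LOG, {"10.0.5.17"}).items():
        print(client, calls)
```

Servers and build agents rarely have a legitimate reason to post to a chat API, so a short allowlist of known Zulip users turns the "blends in" property against the attacker: every remaining hit is worth a look at the originating process.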

How ZiChatBot Infiltrates Systems

The attack chain is meticulously crafted for both major operating systems:

Windows Infection

Installing uuid32-utils or colorinal extracts a malicious DLL dropper named “terminate.dll” and writes it to disk. When the library is imported into a project, the DLL is loaded and deploys ZiChatBot. The dropper then creates an auto-run entry in the Windows Registry for persistence and deletes itself from disk to cover its tracks.

Linux Infection

For Linux systems, a shared object dropper, “terminate.so,” is used instead. It plants the malware at /tmp/obsHub/obs-check-update and adds a crontab entry, so the malware is executed on a schedule and keeps its foothold on the compromised system even after the dropper is gone.

Once active, ZiChatBot is engineered to execute shellcode received from its Zulip-based C2. A successful command execution is signaled back to the C2 server with a simple, yet chilling, heart emoji.
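The Linux persistence above gives two concrete things to look for on a host: the dropped binary path and a cron job that runs it. The following is an added example (not code from Kaspersky's report) that checks both, and as a generalisation also flags any cron job executing something under /tmp, which is a heuristic added here rather than an indicator from the report. The sample crontab is constructed; the live check reads the current user's crontab with `crontab -l`.

```python
"""Hunt for the ZiChatBot Linux persistence described above.

Added example, not code from Kaspersky's report. The dropped path
(/tmp/obsHub/obs-check-update) and the crontab entry that runs it are the
indicators named on the page; flagging any cron job that executes out of
/tmp is a generic heuristic added here.
"""
import os
import re
import subprocess

DROPPED_BINARY = "/tmp/obsHub/obs-check-update"

# Heuristic (not from the report): a cron job executing anything under /tmp
# is suspicious on its own, whatever the exact path.
TMP_EXEC_RE = re.compile(r"(?:^|\s|=)/tmp/\S+")


def classify_cron_line(line):
    """Return 'ioc', 'suspicious' or None for one crontab line."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    if DROPPED_BINARY in stripped:
        return "ioc"
    if TMP_EXEC_RE.search(stripped):
        return "suspicious"
    return None


def scan_crontab_text(text):
    """Map each flagged crontab line to its classification."""
    findings = {}
    for line in text.splitlines():
        verdict = classify_cron_line(line)
        if verdict:
            findings[line.strip()] = verdict
    return findings


def read_user_crontab():
    """Current user's crontab as text; empty if there is none or no crontab binary."""
    try:
        out = subprocess.run(["crontab", "-l"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return ""
    return out.stdout if out.returncode == 0 else ""


def host_findings(crontab_text=None, path=DROPPED_BINARY):
    """Combine the on-disk check with the crontab scan into one report."""
    if crontab_text is None:
        crontab_text = read_user_crontab()
    return {
        "dropped_binary_present": os.path.exists(path),
        "cron": scan_crontab_text(crontab_text),
    }


# Constructed crontab for the example; the first job mirrors the page's indicator.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
*/10 * * * * /tmp/obsHub/obs-check-update
0 3 * * * /usr/local/bin/backup.sh
@reboot /tmp/.cache/updater
"""

if __name__ == "__main__":
    print("live host:", host_findings())
    print("sample:", host_findings(SAMPLE_CRONTAB))
```

On a real investigation run the same scan over every user's spool entry and the system-wide files under /etc/cron.d, /etc/crontab and the /etc/cron.* directories, since the page does not say which crontab the dropper writes to; the classification logic is the same, only the source of the text changes.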

Potential Attribution: The Shadow of OceanLotus (APT32)

While the exact perpetrators remain unconfirmed, Kaspersky has highlighted a significant lead: the ZiChatBot dropper shares a “64% similarity” with a dropper previously employed by OceanLotus, also known as APT32. This Vietnam-aligned hacking group has a history of sophisticated supply chain attacks.

Notably, in late 2024, OceanLotus was observed targeting the Chinese cybersecurity community. In that campaign, they used poisoned Visual Studio Code projects disguised as Cobalt Strike plugins to deliver a trojan that executed automatically upon project compilation. That particular malware also employed an unconventional C2, utilizing the Notion note-taking service, as reported by ThreatBook.

If the PyPI campaign is indeed the work of OceanLotus, it signals a strategic expansion of their targeting methodologies and a growing reliance on diverse supply chain vectors beyond traditional phishing emails.

Strengthening Software Supply Chain Defenses

This incident underscores the critical importance of vigilance within open-source ecosystems like PyPI. A package can do exactly what its PyPI page promises and still carry a dropper, so "it works" is not verification. Developers and organizations should pin dependencies to specific versions and hashes, review what a new package actually installs (a pure-Python package that ships a .dll or .so deserves a second look), and scan environments for the package names and files named in this report. Robust security practices, including code auditing, dependency scanning, and endpoint detection and response that watches for new Registry auto-run entries and cron jobs, are essential to mitigate the risks posed by such supply chain attacks.
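One concrete form of the dependency scanning recommended above is to audit what is already installed. The script below is an added example (not code from Kaspersky's report or from PyPI) that reads the `*.dist-info/RECORD` and `WHEEL` metadata pip writes into site-packages and reports three things: the package names named in this report, the dropper file names terminate.dll and terminate.so, and, as a generalisation, any wheel tagged `py3-none-any` (pure Python) that nevertheless ships a native .dll/.so/.pyd. That last check is a heuristic added here, not an indicator from the report. The fixture it builds for the dry run is constructed metadata only; no real packages are installed or downloaded.

```python
"""Audit an installed Python environment for the packages and dropper files named above.

Added example, not code from Kaspersky's report or from PyPI. It reads the
*.dist-info/RECORD and WHEEL files that pip writes, so it runs offline on any
site-packages directory. The package names and dropper file names come from
the page; flagging a pure-Python wheel that ships native code is a heuristic
added here.
"""
import csv
import os
import re
import sysconfig
import tempfile

KNOWN_BAD_PACKAGES = {"uuid32-utils", "colorinal", "termncolor"}
KNOWN_DROPPERS = {"terminate.dll", "terminate.so"}
NATIVE_SUFFIXES = (".dll", ".so", ".pyd")


def normalize(name):
    """PEP 503 normalisation so 'UUID32_utils' and 'uuid32-utils' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def iter_dist_infos(site_packages):
    """Yield (distribution name, dist-info path) for every installed distribution."""
    for entry in sorted(os.listdir(site_packages)):
        if entry.endswith(".dist-info"):
            # Directory name is <name>-<version>.dist-info.
            name = entry[: -len(".dist-info")].rsplit("-", 1)[0]
            yield name, os.path.join(site_packages, entry)


def is_pure_python_wheel(dist_info_dir):
    """True when every 'Tag:' line in WHEEL ends in -none-any (no compiled code expected)."""
    wheel = os.path.join(dist_info_dir, "WHEEL")
    if not os.path.exists(wheel):
        return False
    with open(wheel, encoding="utf-8") as fh:
        tags = [line.split(":", 1)[1].strip() for line in fh if line.startswith("Tag:")]
    return bool(tags) and all(t.endswith("-none-any") for t in tags)


def record_files(dist_info_dir):
    """Yield the installed file paths listed in RECORD (CSV rows: path,hash,size)."""
    record = os.path.join(dist_info_dir, "RECORD")
    if not os.path.exists(record):
        return
    with open(record, newline="", encoding="utf-8") as fh:
        for row in csv.reader(fh):
            if row:
                yield row[0]


def audit_site_packages(site_packages):
    """Return a list of (normalised package name, reason) findings."""
    findings = []
    for name, dist_dir in iter_dist_infos(site_packages):
        norm = normalize(name)
        if norm in KNOWN_BAD_PACKAGES:
            findings.append((norm, "name matches a reported ZiChatBot dropper package"))
        pure = is_pure_python_wheel(dist_dir)
        for path in record_files(dist_dir):
            base = os.path.basename(path)
            if base in KNOWN_DROPPERS:
                findings.append((norm, f"ships reported dropper file {path}"))
            elif pure and base.endswith(NATIVE_SUFFIXES):
                findings.append((norm, f"pure-Python wheel ships native library {path}"))
    return findings


def build_constructed_site_packages():
    """Write a constructed site-packages tree (fake metadata only) for a dry run."""
    root = tempfile.mkdtemp(prefix="fake-site-packages-")
    fixtures = {
        "colorinal-1.0.0": ("py3-none-any", ["colorinal/__init__.py",
                                             "colorinal/terminate.dll",
                                             "colorinal/terminate.so"]),
        "requests-2.32.0": ("py3-none-any", ["requests/__init__.py", "requests/api.py"]),
        "numpy-2.0.0": ("cp312-cp312-manylinux_2_17_x86_64", ["numpy/core/_multiarray.so"]),
    }
    for dist, (tag, files) in fixtures.items():
        d = os.path.join(root, dist + ".dist-info")
        os.makedirs(d)
        with open(os.path.join(d, "WHEEL"), "w", encoding="utf-8") as fh:
            fh.write(f"Wheel-Version: 1.0\nTag: {tag}\n")
        with open(os.path.join(d, "RECORD"), "w", newline="", encoding="utf-8") as fh:
            csv.writer(fh).writerows([f, "sha256=constructed", "0"] for f in files)
    return root


if __name__ == "__main__":
    for target in (sysconfig.get_paths()["purelib"], build_constructed_site_packages()):
        for pkg, reason in audit_site_packages(target):
            print(f"{target}: {pkg}: {reason}")
```

The pure-Python-with-native-code check is what generalises beyond this campaign: a compiled dropper smuggled into a package that builds as `py3-none-any` shows up as a mismatch between the wheel tag and the file list, whichever name the attacker chooses next.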



Source: Link
