Kaspersky researchers identified three malicious packages on the Python Package Index (PyPI) that delivered a previously unknown malware family called ZiChatBot to both Windows and Linux systems. The packages—uuid32-utils (1,479 downloads), colorinal (614 downloads), and termncolor (387 downloads)—were uploaded between July 16 and 22, 2025, accumulating 2,480 total downloads before PyPI removed them. The attack represents a sophisticated supply chain compromise that embedded functional code alongside malicious payloads, making detection significantly harder.
Attack Mechanics and Payload Delivery
The malicious packages implemented their advertised features while covertly delivering malware. Two of them, uuid32-utils and colorinal, contained the malicious payload directly, while termncolor operated as a dependency trojan: it carried no payload of its own but listed colorinal as a requirement, so installing it pulled the malicious package in. On Windows systems, the installation extracts a DLL dropper (terminate.dll) that loads when the library is imported. The dropper establishes Windows Registry auto-run entries for persistence and self-deletes after deployment. Linux targets receive a shared object dropper (terminate.so) that plants malware in /tmp/obsHub/obs-check-update and configures crontab entries for persistence.
ZiChatBot does not use traditional command-and-control servers. Instead, it leverages REST APIs from Zulip, a legitimate team chat application, for C2 communications. This technique allows malicious traffic to blend with normal business communications and bypass traditional C2 detection mechanisms.
Operational Capabilities and C2 Communication
ZiChatBot's primary function is executing shellcode received from its Zulip-based C2 infrastructure. After successful command execution, the malware sends a heart emoji to signal completion to the server—an unusual but effective status indicator. This abuse of legitimate services for malicious purposes represents a growing trend where attackers exploit trusted platforms to avoid detection. The use of public chat APIs provides attackers with encrypted communications, built-in reliability, and minimal infrastructure overhead while complicating attribution efforts.
Attribution and APT32 Connection
Kaspersky's analysis revealed 64% code similarity between the ZiChatBot dropper and tools previously used by OceanLotus (APT32), a Vietnam-aligned advanced persistent threat group. In late 2024, APT32 targeted Chinese cybersecurity professionals with poisoned Visual Studio Code projects disguised as Cobalt Strike plugins. That campaign used Notion as C2 infrastructure—another legitimate service abuse similar to the Zulip technique. If confirmed as APT32 activity, this PyPI campaign indicates the group is expanding beyond phishing to diversify initial access vectors through supply chain compromise.
APT32's potential move into PyPI supply chain attacks represents a tactical evolution. The group is actively exploring diverse compromise methods beyond traditional phishing, targeting developer communities who consume open-source packages without rigorous vetting processes.
Supply Chain Attack Pattern Analysis
This attack demonstrates several hallmarks of sophisticated supply chain compromise. The attackers uploaded packages within a tight six-day window, suggesting coordinated execution. The termncolor package's dependency-chaining approach shows understanding of how developers install related packages. Most critically, embedding functional code alongside malicious payloads delays detection—packages appeared to work as advertised, reducing suspicion. The short upload window between July 16-22, 2025 also minimized exposure to automated scanning systems that might flag newly registered packages.
Detection and Prevention Challenges
Organizations face multiple detection challenges with this attack type. The malware's use of Zulip APIs for C2 creates traffic patterns indistinguishable from legitimate business communications. Traditional C2 detection based on domain reputation or traffic analysis fails when attackers use trusted services. The packages' functional code provided cover during code review, and the cross-platform capability (Windows and Linux) expanded the potential victim pool. Static analysis struggles with compiled components like terminate.dll and terminate.so, requiring dynamic analysis in sandbox environments.
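One practical answer to the "trusted service as C2" problem is to stop asking whether a destination is reputable and start asking whether it is sanctioned. The script below is an added example, not tooling from the article or from Kaspersky: it reads proxy-log lines (a constructed format), picks out requests that look like Zulip REST API calls, and reports any client talking to a Zulip server that is not on an approved list. The hostnames, IPs and the approved-server list are all constructed for illustration; the Zulip API path prefix (/api/v1/) is real, but using it to spot self-hosted Zulip servers is a heuristic that can also match unrelated services.

```python
"""Flag proxy-log entries that look like Zulip REST API traffic from clients
where Zulip is not an approved tool.

Added example, not from the original article. The log format, hostnames,
client addresses and approved-host list are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed sample proxy log: timestamp, client IP, method, URL, status.
SAMPLE_LOG = """\
2025-07-23T09:14:02Z 10.0.5.17 POST https://example.zulipchat.com/api/v1/messages 200
2025-07-23T09:14:05Z 10.0.5.17 GET https://example.zulipchat.com/api/v1/events?queue_id=1 200
2025-07-23T09:15:11Z 10.0.9.40 GET https://pypi.org/simple/requests/ 200
2025-07-23T09:16:30Z 10.0.2.8 POST https://chat.example.com/api/v1/register 200
2025-07-23T09:17:02Z 10.0.5.17 POST https://example.zulipchat.com/api/v1/messages 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) "
    r"https?://(?P<host>[^/\s]+)(?P<path>/[^\s?]*)(?:\?\S*)? (?P<status>\d{3})$"
)

# Zulip's REST API lives under /api/v1/. A bot that polls for commands and
# posts results would hit these endpoints; matching on them is a heuristic.
ZULIP_API_PATH = re.compile(r"^/api/v1/(messages|events|register|users/me)\b")


def is_zulip_api_request(host, path):
    """True for Zulip Cloud hostnames, or for a path that matches Zulip API
    endpoints (covers self-hosted servers on arbitrary domains, at the cost
    of possible false positives on other services that also use /api/v1)."""
    host = host.lower()
    if host == "zulipchat.com" or host.endswith(".zulipchat.com"):
        return True
    return ZULIP_API_PATH.match(path) is not None


def find_unapproved_zulip_clients(log_text, approved_hosts):
    """Return {client_ip: [(host, path), ...]} for clients that reached Zulip
    API endpoints on hosts outside the approved set."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # line does not fit the expected format; skip it
        host, path = m["host"].lower(), m["path"]
        if host in approved_hosts:
            continue  # sanctioned server, e.g. the company's own Zulip
        if is_zulip_api_request(host, path):
            hits[m["client"]].append((host, path))
    return dict(hits)


if __name__ == "__main__":
    approved = {"chat.example.com"}  # constructed: the sanctioned Zulip server
    for client, reqs in find_unapproved_zulip_clients(SAMPLE_LOG, approved).items():
        print(f"{client}: {len(reqs)} Zulip API request(s) to unapproved host(s)")
        for host, path in reqs:
            print(f"  {host}{path}")
```

Run against the sample, the script reports 10.0.5.17 three times for example.zulipchat.com and says nothing about 10.0.2.8, whose traffic goes to the approved server. The allowlist is the important design choice: it turns the signal from "Zulip traffic exists" (useless where Zulip is a business tool) into "a host that should never talk to Zulip is polling its API", which is the pattern the article describes.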
Mitigation Recommendations
Security teams should implement multiple defensive layers for PyPI package consumption. Require dependency scanning with tools that check package age, download velocity, and maintainer reputation before approval. Establish internal package mirrors or registries with vetted components rather than pulling directly from PyPI. Monitor for unusual persistence mechanisms like unexpected Registry modifications or crontab changes during package installation. Implement application whitelisting to prevent unauthorized DLL or shared object loading. Consider network monitoring for legitimate services like Zulip and Notion when they're not part of your approved toolset—this detects C2 abuse of trusted platforms.
- Audit all Python dependencies for the three malicious package names, including transitive dependencies that may have pulled in termncolor via colorinal
- Review Windows Registry auto-run entries and Linux crontab configurations for unauthorized modifications from mid-2025 onward
- Check for terminate.dll in Windows systems and terminate.so or /tmp/obsHub/obs-check-update paths in Linux environments
- Monitor outbound connections to Zulip APIs if Zulip is not an approved communication platform in your environment
- Implement mandatory security review for PyPI packages uploaded within the last 30 days before production use
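The first three checklist items can be scripted. The following is an added example, not the article's or Kaspersky's tooling: it normalizes package names the way PyPI does (so TermNColor and uuid32_utils still match), flags the three package names from the article in requirements or pip freeze output, scans crontab text for the Linux dropper path, and walks a directory for the two dropper file names. The sample requirements and crontab text are constructed; the package names and file paths are the ones the article reports. The Windows Registry auto-run check is left out because the article does not name the key the dropper writes.

```python
"""Audit a Python environment for the three PyPI packages named in the
article and for the dropper and persistence artefacts it describes.

Added example, not the article's or Kaspersky's tooling. SAMPLE_REQUIREMENTS
and SAMPLE_CRONTAB are constructed; the indicator names come from the article.
"""
import os
import re
import sys

MALICIOUS_PACKAGES = {"uuid32-utils", "colorinal", "termncolor"}  # from the article
IOC_FILENAMES = {"terminate.dll", "terminate.so"}                  # droppers
IOC_PATHS = {"/tmp/obsHub/obs-check-update"}                       # Linux payload


def normalize_name(name):
    """PEP 503 normalization: case-insensitive, runs of -, _ and . become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirement_names(text):
    """Extract project names from requirements.txt / pip freeze style lines."""
    names = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank, comment-only, or an option such as -r / --index-url
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if m:
            names.append(m.group(1))
    return names


def find_malicious_requirements(text):
    """Return the flagged names exactly as they were written in the input."""
    return {n for n in parse_requirement_names(text)
            if normalize_name(n) in MALICIOUS_PACKAGES}


def find_crontab_iocs(crontab_text):
    """Return crontab lines that reference the Linux dropper path."""
    return [line for line in crontab_text.splitlines()
            if any(p in line for p in IOC_PATHS)]


def find_ioc_files(root):
    """Walk `root` and return full paths of any dropper file names found."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if f.lower() in IOC_FILENAMES:
                hits.append(os.path.join(dirpath, f))
    return hits


# Constructed inputs for demonstration.
SAMPLE_REQUIREMENTS = """\
# project dependencies
requests==2.32.3
TermNColor>=1.0     # would pull in colorinal transitively
uuid32_utils
numpy
"""
SAMPLE_CRONTAB = """\
0 3 * * * /usr/local/bin/backup.sh
*/5 * * * * /tmp/obsHub/obs-check-update >/dev/null 2>&1
"""

if __name__ == "__main__":
    print("flagged requirements:", sorted(find_malicious_requirements(SAMPLE_REQUIREMENTS)))
    print("suspicious crontab lines:", find_crontab_iocs(SAMPLE_CRONTAB))
    # Scan a directory given on the command line, defaulting to the current
    # interpreter's prefix (where site-packages usually lives).
    root = sys.argv[1] if len(sys.argv) > 1 else sys.prefix
    print("dropper files under", root, ":", find_ioc_files(root))
```

Pipe real data in with `pip freeze` and `crontab -l` rather than the samples, and run the file walk over every virtual environment and the system site-packages, not just one. Matching by name catches the direct dependency; because termncolor only pulls colorinal in transitively, the resolved lock file or `pip freeze` output (which lists everything actually installed) is the input to audit, not the hand-written requirements alone.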
Strategic Implications
This campaign highlights the maturation of supply chain attacks targeting development infrastructure. With 2,480 downloads achieved in under six months, even moderately distributed malicious packages can establish significant footholds. The potential APT32 involvement signals state-aligned groups are investing resources in developer ecosystem compromise, not just traditional espionage vectors. Organizations must treat dependency management as a critical security control, not merely a development convenience. The cross-platform nature of Python and the global reach of PyPI make these attacks particularly effective for threat actors seeking broad access with minimal infrastructure investment.