PyPI Packages Deliver ZiChatBot Malware via Zulip APIs on Windows and Linux
Briefly

"While these wheel packages do implement the features described on their PyPI web pages, their true purpose is to covertly deliver malicious files. Unlike traditional malware, ZiChatBot does not communicate with a dedicated command-and-control (C2) server, but instead uses a series of REST APIs from the public team chat app Zulip as its C2 infrastructure."
"On Windows systems, once either of the first two packages is installed, the malicious code extracts a DLL dropper ("terminate.dll") and writes it to disk. At the time the library is imported into a project, the DLL is loaded, acting as a dropper for ZiChatBot, after which it establishes an auto-run entry in the Windows Registry, and runs code to delete itself from the host."
"The Linux version of the shared object dropper ("terminate.so") plants the malware in the "/tmp/obsHub/obs-check-update" path and configures a crontab entry. Regardless of the operating system it's running on, ZiChatBot is designed to execute shellcode received from its C2 server. After executing the command, the malware sends a heart emoji as a response to signal the server that the operation was successful."
Cybersecurity researchers discovered three packages on PyPI designed to deliver ZiChatBot, a previously unknown malware family targeting Windows and Linux systems. The packages (uuid32-utils, colorinal, and termncolor) were uploaded between July 16 and 22, 2025, and have since been removed. While they appear legitimate, they covertly install malicious droppers. On Windows, the malware extracts a DLL dropper that loads ZiChatBot and establishes persistence through an auto-run entry in the Windows Registry. On Linux, a shared object dropper plants the malware under /tmp/obsHub and configures a crontab entry. Unusually, ZiChatBot uses the REST APIs of Zulip, a public team chat app, as its command-and-control infrastructure rather than a dedicated server, executing received shellcode and signaling completion with a heart emoji.
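The Linux persistence described above (a payload at /tmp/obsHub/obs-check-update launched from a crontab entry) is the kind of indicator a defender can triage with a small script. The following is an added example for this brief, not code from the article, from The Hacker News, or from the malware itself: it parses crontab text and flags entries that reference the path named in the article or that execute anything from a world-writable directory such as /tmp. The crontab lines it scans are constructed for illustration; only the /tmp/obsHub/obs-check-update path comes from the article.

```python
"""Defensive triage helper: scan crontab text for persistence entries that
launch executables from /tmp-style directories, including the ZiChatBot
Linux path reported in the article (/tmp/obsHub/obs-check-update).

Added example, not code from the article or the malware. The sample crontab
below is constructed for illustration.
"""
import re
import shlex

# Path reported in the article for the Linux dropper's payload.
ZICHATBOT_LINUX_PATH = "/tmp/obsHub/obs-check-update"

# Directories from which a scheduled job should rarely, if ever, run.
WORLD_WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Five schedule fields (minute hour dom month dow), each followed by whitespace.
_CRON_FIELDS = re.compile(r"^(\S+\s+){5}")


def parse_crontab(text: str) -> list[tuple[str, str]]:
    """Return (schedule, command) pairs from crontab text.

    Comments, blank lines and VAR=value assignments are skipped; @reboot-style
    shortcuts are handled as a single schedule field.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):
            schedule, _, command = line.partition(" ")
        else:
            if "=" in line.split()[0]:
                continue  # environment assignment such as PATH=/usr/bin
            m = _CRON_FIELDS.match(line)
            if not m:
                continue  # malformed line, nothing to evaluate
            schedule, command = m.group(0).strip(), line[m.end():]
        entries.append((schedule, command.strip()))
    return entries


def suspicious_cron_entries(text: str) -> list[dict]:
    """Flag crontab entries that match the article's path or run from /tmp-like dirs."""
    findings = []
    for schedule, command in parse_crontab(text):
        try:
            argv = shlex.split(command)
        except ValueError:
            argv = command.split()  # unbalanced quotes: fall back to naive split
        if not argv:
            continue
        reasons = []
        if ZICHATBOT_LINUX_PATH in command:
            reasons.append("known ZiChatBot dropper path")
        # Walk every token: the executable may be preceded by nohup, env, sh -c, etc.
        for tok in argv:
            if tok.startswith(WORLD_WRITABLE_DIRS):
                reasons.append(f"executes from world-writable dir: {tok}")
                break
        if reasons:
            findings.append({"schedule": schedule, "command": command, "reasons": reasons})
    return findings


# Constructed sample crontab: two benign jobs, one ZiChatBot-style entry,
# and one generic /var/tmp persistence entry.
SAMPLE_CRONTAB = """\
# constructed sample for this example
PATH=/usr/local/bin:/usr/bin:/bin
0 3 * * * /usr/bin/apt-get update -qq
*/5 * * * * /tmp/obsHub/obs-check-update >/dev/null 2>&1
@reboot nohup /var/tmp/.x/agent --silent &
30 1 * * 0 /usr/local/bin/backup.sh
"""

if __name__ == "__main__":
    # On a live host you would feed in `crontab -l -u <user>` output or /etc/cron.d files.
    for hit in suspicious_cron_entries(SAMPLE_CRONTAB):
        print(f"[{hit['schedule']}] {hit['command']}")
        for reason in hit["reasons"]:
            print(f"    - {reason}")
```

Run it against the output of `crontab -l` for each user and the files under /etc/cron.d; the world-writable-directory rule catches variants that change the file name, while the exact-path rule gives a high-confidence match on the indicator the article reports.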
Read at The Hacker News