Malicious PyPI packages install ZiChatBot via Zulip APIs

Three PyPI packages uploaded July 16-22, 2025 installed ZiChatBot on Windows and Linux and used Zulip REST APIs for command-and-control.
Kaspersky researchers found three packages on the Python Package Index, uploaded between July 16 and 22, 2025, that were used to deliver a previously unknown malware family named ZiChatBot on Windows and Linux. The packages (uuid32-utils, colorinal and termncolor) were removed after the discovery. Recorded download counts before takedown were 1,479 for uuid32-utils, 614 for colorinal and 387 for termncolor.
The packages included wheel files that dropped native backdoor components and created persistence on infected hosts before fetching and executing shellcode from servers reached through public Zulip REST APIs. The operation used Zulip’s public APIs to exchange commands and responses rather than a dedicated command-and-control server.
On Windows, the malicious wheels extract a DLL called terminate.dll and load it when the library is imported. That DLL acts as a dropper for ZiChatBot, creates an autorun entry in the Windows Registry to maintain persistence and removes installer traces from the host.
On Linux, the native dropper appears as terminate.so, installs the payload under /tmp/obsHub/obs-check-update and adds a crontab entry so the malware runs on schedule.
In both environments ZiChatBot receives shellcode via Zulip-based C2 and executes commands. After running an instruction the malware replies with a heart emoji to signal success.
Kaspersky’s analysis shows uuid32-utils and colorinal carried the malicious payloads. The termncolor package presented as a harmless library but listed colorinal as a dependency, creating a dependency chain that could infect projects importing any of the packages.
Kaspersky wrote: “While these wheel packages do implement the features described on their PyPI web pages, their true purpose is to covertly deliver malicious files. Unlike traditional malware, ZiChatBot does not communicate with a dedicated command-and-control (C2) server, but instead uses a series of REST APIs from the public team chat app Zulip as its C2 infrastructure.”
Attribution is not confirmed. Kaspersky noted the dropper code shares about 64% similarity with a dropper previously linked to OceanLotus, a group also tracked as APT32. Earlier campaigns attributed to that group used poisoned development tools and project files and repurposed collaboration and note-taking services for command-and-control.
PyPI maintainers removed the offending packages after the analysis was published. Security teams tracking the incident advised scanning dependency trees for unfamiliar or newly published packages, verifying package authorship and integrity, restricting automated installs in build systems, and monitoring developer machines and build servers for unusual outbound traffic to collaboration platforms, unexpected scheduled tasks, or registry changes.
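The dependency-chain point above (termncolor looked harmless but pulled in colorinal) is why a name-only check of a project's direct requirements is not enough. The following is an added example, not code from the report or from Kaspersky: it builds the requirement graph of the installed environment from package metadata and reports every package that is flagged or reaches a flagged package transitively. The flagged names are the three from the report; SAMPLE_GRAPH, the package names myapp, requests and urllib3, and the function names are constructed for this example.

```python
import re
from collections import deque
from importlib import metadata

# Names from the report; the graph below is constructed sample data in which
# myapp lists only termncolor, which in turn requires colorinal.
FLAGGED = {"uuid32-utils", "colorinal", "termncolor"}
SAMPLE_GRAPH = {
    "myapp": {"termncolor", "requests"},
    "termncolor": {"colorinal"},
    "colorinal": set(),
    "requests": {"urllib3"},
    "urllib3": set(),
}

def normalize(name: str) -> str:
    """PEP 503 normalization: case-insensitive; '-', '_' and '.' are equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()

def installed_graph() -> dict[str, set[str]]:
    """Map each installed distribution to the project names it requires."""
    graph: dict[str, set[str]] = {}
    for dist in metadata.distributions():
        # Keep only the project name of each requirement (drop extras, specifiers, markers).
        reqs = {normalize(re.split(r"[\s\[<>=!~;]", r, maxsplit=1)[0])
                for r in dist.requires or []}
        graph[normalize(dist.metadata["Name"])] = reqs
    return graph

def find_exposure(graph: dict[str, set[str]], flagged: set[str]) -> dict[str, list[str]]:
    """Return {package: chain} for every package that is flagged or depends on a
    flagged package transitively; chain is the path down to the flagged one."""
    flagged = {normalize(n) for n in flagged}
    dependents: dict[str, set[str]] = {}  # reverse edges: which packages require X?
    for pkg, reqs in graph.items():
        for r in reqs:
            dependents.setdefault(r, set()).add(pkg)
    exposure: dict[str, list[str]] = {}
    queue = deque((f, [f]) for f in sorted(flagged) if f in graph or f in dependents)
    while queue:  # breadth-first walk upward from each flagged package
        pkg, chain = queue.popleft()
        if pkg in exposure:
            continue
        exposure[pkg] = chain
        for parent in sorted(dependents.get(pkg, ())):
            queue.append((parent, [parent] + chain))
    return exposure

if __name__ == "__main__":  # audit the live environment
    for pkg, chain in find_exposure(installed_graph(), FLAGGED).items():
        print(f"{pkg}: {' -> '.join(chain)}")
```

Run inside the virtual environment or build image being audited, since importlib.metadata only sees distributions installed for the running interpreter.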