Three malicious packages in PyPI — the Python Package Index, the official repository for Python software hosting hundreds of thousands of packages downloaded by developers globally — have been caught delivering ZiChatBot malware: a dropper-based backdoor that uses the legitimate team messaging platform Zulip's REST APIs as covert C2 (Command-and-Control — the infrastructure attackers use to send instructions to and receive data from compromised systems) infrastructure. Kaspersky researchers who discovered the campaign noted that the dropper tooling shares 64% code similarity with malware attributed to APT32 (OceanLotus) — a Vietnam-state-linked advanced persistent threat group that has targeted technology companies, governments, and foreign organizations across Southeast Asia, Europe, and North America since at least 2014.
The Malicious Packages
Three PyPI packages delivered the malware before removal:
| Package | Downloads |
|---------|-----------|
| uuid32-utils | 1,479 |
| colorinal | 614 |
| termncolor | 387 |
Total: approximately 2,480 downloads. The packages were uploaded to PyPI in July 2025, impersonating or superficially resembling legitimate Python utilities — uuid generation and terminal color formatting tools are common dependencies that developers might install without scrutiny.
While 2,480 downloads appears modest relative to high-volume supply chain attacks, PyPI download counts routinely understate real-world impact. Automated CI/CD pipelines, dependency resolution, and build environment caching can cause a single project's dependency tree to pull a malicious package thousands of times from a single organization. A package installed once into a shared build container may execute on every build across an entire engineering organization.
How ZiChatBot Works
ZiChatBot is a dropper — malware whose primary function is to unpack or download and execute a second-stage payload, rather than performing malicious activity directly on installation. This staged approach makes initial detection harder: the dropper may appear superficially benign to static analysis tools, while the actual payload arrives later or executes directly in memory.
On Windows: The dropper deploys a file named terminate.dll and establishes persistence via a Windows Registry auto-run entry — a well-documented technique catalogued as MITRE ATT&CK T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys) — that causes the malware to execute automatically each time the user logs into the system.
On Linux: The dropper plants terminate.so at the path /tmp/obsHub/obs-check-update and configures a crontab entry (a Linux scheduled task that runs at specified intervals, configured via the crontab utility) to ensure the malware survives reboots and continues executing persistently.
Once active, ZiChatBot executes shellcode — raw machine-code instructions passed from the C2 server — received through the Zulip API. The malware signals successful task completion by sending a heart emoji response back to the C2 channel, an unusual behavioral indicator that may assist in network traffic analysis and threat hunting.
Zulip as Covert C2 Infrastructure
The most technically distinctive aspect of ZiChatBot is its use of Zulip — a legitimate, open-source team chat platform comparable to Slack or Microsoft Teams — as its command-and-control channel. Rather than connecting to a purpose-built C2 server (which would be a potentially blocklisted IP or suspicious domain), the malware communicates exclusively through Zulip's public REST APIs.
This technique — using legitimate, widely-trusted web services as C2 infrastructure — is increasingly common among sophisticated threat actors for several reasons:
- Traffic to well-known platforms like Zulip, Slack, GitHub, or Google Drive is rarely blocked by enterprise firewalls; blocking it would break legitimate business workflows
- Such traffic blends seamlessly with normal corporate communication patterns
- TLS encryption on the platform's API endpoint prevents deep packet inspection of the command stream
- The C2 infrastructure benefits from the uptime guarantees and redundancy of a commercial platform — the attacker has no server to maintain or defend
Similar C2-over-legitimate-services techniques have been documented in campaigns by APT29 (Cozy Bear) using Slack APIs, by Lazarus Group using GitHub repositories as dead-drop resolvers, and in multiple commodity malware families using Telegram bots as C2 channels. Kaspersky's identification of Zulip adds it to this growing list of abused platforms.
APT32 Attribution and Significance
Kaspersky's analysis found the ZiChatBot dropper shares 64% code similarity with known APT32 (OceanLotus) tooling. APT32 — also tracked as Canvas Cyclone by Microsoft — is a Vietnam-state-aligned threat group active since at least 2014 that has historically targeted foreign government agencies, journalists, human rights organizations, and technology companies. Their intrusion campaigns frequently employ supply chain compromises and developer-targeting techniques to gain access to sensitive organizations through their software dependencies.
A 64% similarity figure indicates shared code or tooling rather than direct copy-paste, and Kaspersky appropriately qualifies the finding as a suggested link rather than confirmed attribution. Possible interpretations include: APT32 is developing new tooling based on existing frameworks, a separate group is leveraging leaked or shared APT32 code, or an unrelated actor is deliberately borrowing tradecraft. Regardless of final attribution, the sophistication of the tooling — multi-platform dropper with Zulip C2, process-specific persistence, shellcode execution — is characteristic of a well-resourced threat actor rather than an amateur operator.
The appearance of APT32-linked tooling in a PyPI campaign is notable. State-linked PyPI attacks have historically been associated primarily with North Korea's Lazarus Group (targeting cryptocurrency developers and financial technology companies). Vietnam-linked APT activity against the developer supply chain represents an expansion of the threat landscape.
Who Is Affected
Developers who installed any of the three packages — uuid32-utils, colorinal, or termncolor — at any point after their July 2025 upload date should treat their development environments as potentially compromised. Organizations using automated dependency management (pip install, requirements.txt, pyproject.toml) that could have pulled these packages transitively as undeclared dependencies are also at risk.
The packages have been removed from PyPI. However, any system that previously installed them retains the dropper binary and the persistence mechanism until it is explicitly removed.
What You Should Do Right Now
- Scan for installed packages on development workstations and CI/CD build environments:
  `pip list | grep -E "uuid32-utils|colorinal|termncolor"`
  Uninstall any matches immediately:
  `pip uninstall uuid32-utils colorinal termncolor -y`
- Hunt for persistence artifacts. On Windows: check the Registry HKCU\Software\Microsoft\Windows\CurrentVersion\Run and HKLM\...\Run keys for unexpected entries; search for terminate.dll on the filesystem. On Linux: run `crontab -l` and inspect /tmp/obsHub/ for terminate.so or the obs-check-update file.
- Review CI/CD build environments — these are the highest-risk targets, as package installation is automated and frequent. Audit which packages were pulled in builds between July 2025 and removal.
- Monitor outbound Zulip API traffic. In security monitoring or network traffic analysis, look for unexpected POST requests to Zulip API endpoints (api/v1/messages, api/v1/events) from non-collaboration workloads or from CI/CD infrastructure.
- Enforce dependency pinning and hash verification. Tools like pip-audit, pip-compile (pip-tools), and private PyPI mirrors allow organizations to verify packages against known-good cryptographic hashes before installation. Private mirrors can be vetted before packages are made available to developers.
- Report to Kaspersky or your security vendor's incident response team if active shellcode execution is suspected — early-stage dropper presence may mean a further-stage payload has not yet been delivered.
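As an added example (not part of the original report, Kaspersky's analysis or any PyPI tooling), a POSIX shell triage script that checks a Linux host for the indicators listed above: the three package names, the /tmp/obsHub drop path and its crontab entry, and proxy-log evidence of POSTs to the Zulip api/v1/messages and api/v1/events endpoints. The function names and the script's file name are assumptions, and each check reads its input from stdin or a root directory so it can be run against saved `pip list`, `crontab -l` and proxy-log output as well as live.

```shell
#!/bin/sh
# Added triage script, not from the article or Kaspersky. Indicators
# (package names, /tmp/obsHub path, Zulip endpoints) are the article's;
# function names are constructed for this example.

IOC_PKG_RE='^(uuid32-utils|colorinal|termncolor)$'
IOC_PATH_RE='/tmp/obsHub|obs-check-update|terminate\.so'
ZULIP_API_RE='POST .*/api/v1/(messages|events)'

# find_packages: read `pip list` output on stdin, print matching IOC names.
# Names are lowercased and '_' folded to '-' so that whichever spelling pip
# shows in its metadata (uuid32_utils vs uuid32-utils) still matches.
find_packages() {
  awk -v re="$IOC_PKG_RE" \
    '{ n = tolower($1); gsub(/_/, "-", n); if (n ~ re) print n }'
}

# find_cron_persistence: read `crontab -l` output on stdin, print active
# (non-comment) entries referencing the Linux drop path or payload names.
find_cron_persistence() {
  grep -v '^[[:space:]]*#' | grep -E "$IOC_PATH_RE" || true
}

# find_dropped_files: print IOC files present under ROOT (default "/", so
# the real /tmp/obsHub is checked; tests point ROOT at a scratch directory).
find_dropped_files() {
  root="${1:-}"
  for f in "$root/tmp/obsHub/obs-check-update" "$root/tmp/obsHub/terminate.so"; do
    [ -e "$f" ] && echo "$f"
  done
  return 0
}

# find_zulip_api_hits: read proxy/access-log lines on stdin and print POSTs
# to the Zulip message/event endpoints; review hits from build hosts or
# other workloads that have no business talking to Zulip.
find_zulip_api_hits() {
  grep -E "$ZULIP_API_RE" || true
}

triage() {
  echo "== suspicious packages =="; pip list 2>/dev/null | find_packages
  echo "== crontab persistence =="; crontab -l 2>/dev/null | find_cron_persistence
  echo "== dropped files =="; find_dropped_files
}

# Live run: `sh zichatbot_triage.sh run`; without "run" only the functions
# are defined, so the file can be sourced for testing.
if [ "${1:-}" = "run" ]; then triage; fi
```

Feed the proxy-log check with `find_zulip_api_hits < proxy.log` and compare the source hosts against the systems that legitimately use Zulip; a hit from a CI runner is the pattern the article describes.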
Background: APT Campaigns in Developer Package Registries
The PyPI ecosystem has become a significant vector for malware delivery since at least 2021. The low barrier to package publication, combined with automatic dependency resolution in modern development tooling, creates an attractive delivery mechanism for threat actors who want to reach developer environments specifically. Notable prior campaigns include:
- Lazarus Group (DPRK) distributing npm and PyPI packages targeting cryptocurrency developers through fake job interviews in 2024 and 2025
- Multiple infostealer families delivered through typosquatted packages (names differing from legitimate packages by one character)
- Dependency confusion attacks targeting package names used internally by specific organizations
The ZiChatBot campaign's APT32 attribution — if confirmed — would represent a meaningful escalation: a Southeast Asian state-sponsored group actively targeting the global Python developer supply chain with sophisticated, cross-platform tooling designed to evade detection through legitimate-service C2 abuse.
Conclusion
The ZiChatBot campaign demonstrates that sophisticated, APT-linked malware is being delivered through the PyPI supply chain. If your development environment installed uuid32-utils, colorinal, or termncolor after July 2025, audit for persistence artifacts immediately and treat affected systems as compromised until verified clean.
For any query contact us at contact@cipherssecurity.com