'ZiChatBot' Malware Delivered via PyPI Abuses Zulip Chat APIs for Command and Control, OceanLotus APT Suspected

Malicious PyPI Packages Use Zulip Chat App for C2 to Deploy 'ZiChatBot' Malware

HIGH
May 7, 2026
Supply Chain Attack, Malware, Threat Actor

Executive Summary

Security researchers have identified a software supply chain attack involving three malicious packages hosted on the Python Package Index (PyPI). The packages, named uuid32-utils, colorinal, and termncolor, were designed to deliver a previously unknown malware family dubbed ZiChatBot to developer systems running Windows and Linux. The malware employs a novel and stealthy technique for command-and-control (C2), abusing the REST APIs of the legitimate team chat application Zulip to receive commands and exfiltrate data. This method allows the C2 traffic to masquerade as legitimate API calls, making it difficult to detect. The campaign, which was active in July 2025, is suspected to be the work of the OceanLotus APT group, indicating a potential expansion of their TTPs to include supply chain compromises.


Threat Overview

The attack relies on typosquatting and dependency confusion within the PyPI ecosystem. The threat actor published three packages:

  • uuid32-utils: A malicious package directly containing the payload.
  • colorinal: Another malicious package containing the payload.
  • termncolor: A seemingly benign package that lists the malicious colorinal package as a dependency, effectively hiding the malicious code one level deep.

When a developer installs one of these packages, a setup script executes that drops and runs the ZiChatBot malware. The malware's most distinctive feature is its C2 mechanism. Instead of connecting to a traditional C2 server, it communicates with a specific organization on the public Zulip chat service. It uses Zulip's legitimate REST APIs to post messages (exfiltrate data) and read messages (receive commands), blending its malicious communications with normal SaaS traffic.

On Windows systems, the infection chain is more complex, involving a DLL dropper (terminate.dll) that installs ZiChatBot, establishes persistence via a Windows Registry entry, and then deletes the original dropper to cover its tracks.

Technical Analysis

Based on analysis with the Kaspersky Threat Attribution Engine (KTAE), the campaign is attributed with medium-to-high confidence to the OceanLotus APT group (also known as APT32 or SeaLotus). If this attribution is correct, it marks a significant tactical shift for the group, which has historically relied on spear-phishing for initial access.

The attack chain maps to the following MITRE ATT&CK techniques:

Impact Assessment

Although no active infections were observed in the wild due to the swift takedown of the packages, the potential impact of this campaign is significant. By compromising the software supply chain, the attackers could have gained initial access to developer workstations within numerous organizations. This type of access is highly valuable, as developers often have privileged access to source code repositories, build systems, and production environments. A successful breach could lead to intellectual property theft, injection of malicious code into legitimate software (a secondary supply chain attack), or lateral movement into sensitive corporate networks. The use of a legitimate chat application for C2 makes detection extremely challenging for organizations that do not perform deep packet inspection or closely monitor API traffic to third-party services.

IOCs — Directly from Articles

No traditional IOCs like IP addresses or domains were provided, as the C2 mechanism relied on a legitimate service.

| Type | Value | Description |
| --- | --- | --- |
| file_name | uuid32-utils | Malicious PyPI package name. |
| file_name | colorinal | Malicious PyPI package name. |
| file_name | termncolor | PyPI package with a malicious dependency. |
| file_name | terminate.dll | Dropper used in the Windows infection chain. |

Cyber Observables — Hunting Hints

Security teams can hunt for signs of this or similar attacks using the following methods:

| Type | Value | Description | Context |
| --- | --- | --- | --- |
| log_source | PyPI download logs | Audit internal logs for downloads of the malicious packages: uuid32-utils, colorinal, termncolor. | Artifactory/Nexus logs, Developer endpoint logs. |
| network_traffic_pattern | API calls to api.zulip.com from unexpected sources | Monitor for API traffic to Zulip from servers or workstations that should not be using the service. | Web proxy logs, Firewall logs, CASB. |
| command_line_pattern | pip install uuid32-utils | Search shell history and command line logs for installation of the malicious packages. | EDR, Windows Event ID 4688, Linux auditd. |
| registry_key | HKCU\Software\Microsoft\Windows\CurrentVersion\Run | Monitor this registry key for the addition of suspicious persistence entries. | EDR, File integrity monitoring, SIEM. |

Detection & Response

  1. Dependency Scanning: Integrate automated security scanning into the CI/CD pipeline to check for malicious or vulnerable dependencies before they are incorporated into a project. Tools like pip-audit can help identify known malicious packages. This relates to D3FEND's D3-SCA - Software Component Analysis.
  2. Egress Traffic Analysis: For C2 detection, focus on D3-NTA - Network Traffic Analysis of traffic to legitimate cloud services like Zulip. Baseline normal API usage and alert on anomalies, such as a server that has never used Zulip before suddenly sending a high volume of API requests.
  3. Endpoint Monitoring: Use an EDR to monitor for suspicious behavior during package installation, such as pip or setup.py writing new executables to disk or creating persistence mechanisms in the registry.
  4. Response: If a malicious package is detected, immediately isolate the affected host. Revoke all credentials and secrets stored on the machine. Investigate developer activity to determine the extent of the compromise and check source code repositories for any unauthorized modifications.

Mitigation

Preventing supply chain attacks requires a defense-in-depth strategy.

  1. Curated Repositories: Whenever possible, use a private, internal package repository (like JFrog Artifactory or Sonatype Nexus) that mirrors and vets packages from public sources like PyPI. This implements a form of M1037 - Filter Network Traffic at the application layer.
  2. Developer Training: Educate developers on the risks of supply chain attacks, including typosquatting and dependency confusion. Encourage careful vetting of new dependencies. This is a specific application of M1017 - User Training.
  3. Principle of Least Privilege: Ensure that developer accounts and CI/CD systems do not have excessive permissions. Build processes should run in isolated, ephemeral environments with limited network access. This aligns with M1026 - Privileged Account Management.
  4. Code Signing: Enforce policies that require dependencies to be signed, although this is not a foolproof solution as attackers can sometimes sign their malicious packages. This is part of M1045 - Code Signing.

Timeline of Events

  1. July 16, 2025: Malicious packages began to be uploaded to PyPI between July 16 and July 22, 2025.
  2. May 7, 2026: This article was published.

MITRE ATT&CK Mitigations

Use internal package repositories to vet and control which third-party packages can be introduced into the environment.

Educate developers on the risks of software supply chain attacks and best practices for vetting third-party dependencies.

Run build processes in isolated, ephemeral environments with limited permissions and network access to contain the impact of a compromised dependency.

Audit (M1047, enterprise)

Regularly audit project dependencies and monitor network traffic for anomalous communications to legitimate web services like Zulip.

D3FEND Defensive Countermeasures

To combat supply chain attacks like the one delivering ZiChatBot, organizations must implement robust Software Component Analysis (SCA) within their CI/CD pipelines. This involves using automated tools (e.g., Snyk, Dependabot, pip-audit) to scan project dependencies against databases of known vulnerabilities and malicious packages. For this specific threat, SCA tools should be configured to flag the malicious packages uuid32-utils and colorinal. More importantly, these tools can generate a Software Bill of Materials (SBOM) for every build, providing a complete inventory of all direct and transitive dependencies. This inventory is crucial for incident response, allowing security teams to quickly identify all projects affected by a newly discovered malicious package. By integrating SCA early in the development lifecycle ('shifting left'), organizations can prevent malicious code from ever being deployed to production.
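The transitive case described above (termncolor pulling in colorinal) is the one a flat name match on requirements files misses. The following is an added example, not code from the original report or from any SCA product: it walks the installed distributions of the current Python environment and lists every package that reaches a flagged name directly or through other packages. The function names are hypothetical; the flagged names come from the IOC table.

```python
import re
from importlib import metadata

# Package names from the IOC table on this page.
FLAGGED = {"uuid32-utils", "colorinal", "termncolor"}

def normalize(name):
    """PEP 503 name normalization, so 'Uuid32_Utils' matches 'uuid32-utils'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def requirement_name(req):
    """Project name from a Requires-Dist string such as 'colorinal (>=0.1)'."""
    return normalize(re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", req.strip()).group(0))

def installed_graph():
    """Map every installed distribution to the names it declares as dependencies."""
    graph = {}
    for dist in metadata.distributions():
        name = dist.metadata.get("Name")
        if name:
            deps = {requirement_name(r) for r in (dist.requires or [])}
            graph.setdefault(normalize(name), set()).update(deps)
    return graph

def dependents_of_flagged(graph, flagged=FLAGGED):
    """For each flagged name in the graph, list every package that pulls it in,
    directly or through other packages."""
    reverse = {}
    for pkg, deps in graph.items():
        for dep in deps:
            reverse.setdefault(dep, set()).add(pkg)
    report = {}
    for bad in sorted(normalize(f) for f in flagged):
        if bad not in graph and bad not in reverse:
            continue  # neither installed nor declared by anything installed
        seen, queue = set(), [bad]
        while queue:
            for parent in reverse.get(queue.pop(), ()):
                if parent != bad and parent not in seen:
                    seen.add(parent)
                    queue.append(parent)
        report[bad] = sorted(seen)
    return report

if __name__ == "__main__":
    # Audits the interpreter this script runs under (e.g. a project's virtualenv).
    for bad, parents in dependents_of_flagged(installed_graph()).items():
        print(f"{bad}: pulled in by {', '.join(parents) or '(installed directly)'}")
```

Run it with the interpreter of each virtualenv or build image you want to audit; an empty result means none of the three names is installed or declared there.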

Given ZiChatBot's use of Zulip's APIs for C2, Network Traffic Analysis (NTA) is a critical detection countermeasure. Security teams should deploy NTA solutions or leverage CASBs to monitor and baseline all API traffic to legitimate SaaS platforms like Zulip. The key is to identify anomalies. For instance, a build server or a developer's workstation that has no legitimate business reason to communicate with Zulip suddenly initiating API calls to api.zulip.com should trigger a high-priority alert. Further analysis can inspect the volume, frequency, and nature of the API calls. Exfiltration of large amounts of data or periodic, beacon-like 'check-in' requests are highly suspicious. This technique allows for the detection of the C2 channel even when the traffic is encrypted and directed at a legitimate service, bypassing simple domain-based blocklists.
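One way to apply the baseline-and-anomaly check described above to web proxy logs, as an added example that is not part of the original report. The log format, the source host names and the approved-source baseline are constructed assumptions; the watched host is the one named in the hunting hints and should be extended to whatever Zulip domains appear in your environment.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

WATCHED_HOSTS = ("api.zulip.com",)  # host named in this page's hunting hints
BASELINE = {"chatops-01"}           # assumption: sources approved to use Zulip

# Constructed sample proxy log: ISO timestamp, source host, method, URL.
SAMPLE_LOG = """\
2025-07-20T09:00:00 dev-ws-17 GET https://api.zulip.com/api/v1/messages
2025-07-20T09:01:12 chatops-01 POST https://api.zulip.com/api/v1/messages
2025-07-20T09:02:00 build-03 GET https://api.zulip.com/api/v1/messages
2025-07-20T09:03:40 dev-ws-17 GET https://pypi.org/simple/
2025-07-20T09:05:00 dev-ws-17 GET https://api.zulip.com/api/v1/messages
2025-07-20T09:10:01 dev-ws-17 GET https://api.zulip.com/api/v1/messages
2025-07-20T09:15:00 dev-ws-17 GET https://api.zulip.com/api/v1/messages
2025-07-20T09:47:30 build-03 POST https://api.zulip.com/api/v1/messages
truncated line
"""

def zulip_requests(lines, hosts=WATCHED_HOSTS):
    """Yield (timestamp, source) for well-formed lines that hit a watched host."""
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed or truncated records
        host = (urlsplit(parts[3]).hostname or "").lower()
        if any(host == h or host.endswith("." + h) for h in hosts):
            yield datetime.fromisoformat(parts[0]), parts[1]

def findings(lines, baseline=BASELINE, min_hits=4, max_jitter=0.1):
    """Report non-baseline sources and whether their request timing is periodic."""
    seen = defaultdict(list)
    for ts, src in zulip_requests(lines):
        seen[src].append(ts)
    report = {}
    for src, stamps in seen.items():
        if src in baseline:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # Beacon-like: enough requests, with gaps that barely vary around the mean.
        periodic = (len(stamps) >= min_hits and mean(gaps) > 0
                    and pstdev(gaps) / mean(gaps) <= max_jitter)
        report[src] = {"requests": len(stamps), "beacon_like": periodic}
    return report
```

Every source in the result is outside the baseline and worth a look; `beacon_like` only ranks them, since the thresholds (`min_hits`, `max_jitter`) are illustrative defaults to tune against your own traffic.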

On developer workstations and critical servers, implement application control using executable allowlisting. This defense-in-depth measure can prevent the execution of the malicious payload even if it is successfully downloaded. In the context of the ZiChatBot attack, an allowlisting policy would prevent the setup.py script from dropping and executing an unknown DLL (terminate.dll) or any other unauthorized binary. While managing allowlists in a dynamic development environment can be challenging, modern tools allow for more flexible policies, such as allowing any executable signed by a trusted publisher or residing in a specific, controlled folder. This forces attackers to find ways to bypass the policy, significantly raising the complexity of their attack and providing another layer of defense against supply chain compromises.

Article Author

Jason Gomes

• Cybersecurity Practitioner