{"id":210153,"date":"2026-05-07T05:20:00","date_gmt":"2026-05-07T09:20:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/05\/07\/pypi-packages-deliver-zichatbot-malware-via-zulip-apis-on-windows-and-linux\/"},"modified":"2026-05-07T08:15:11","modified_gmt":"2026-05-07T12:15:11","slug":"pypi-packages-deliver-zichatbot-malware-via-zulip-apis-on-windows-and-linux","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/05\/07\/pypi-packages-deliver-zichatbot-malware-via-zulip-apis-on-windows-and-linux\/","title":{"rendered":"PyPI Packages Deliver ZiChatBot Malware via Zulip APIs on Windows and Linux"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/05\/pypi-packages-deliver-zichatbot-malware.html\">PyPI Packages Deliver ZiChatBot Malware via Zulip APIs on Windows and Linux<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/05\/pypi-packages-deliver-zichatbot-malware.html\">https:\/\/thehackernews.com\/2026\/05\/pypi-packages-deliver-zichatbot-malware.html<\/a><\/p>\n<p>Publish Date: 2026-05-07 05:20:00<\/p>\n<p>Source Domain: <a href=\"https:\/\/thehackernews.com\">thehackernews.com<\/a><\/p>\n<p>Author: Ravie Lakshmanan<\/p>\n<p>Ravie Lakshmanan, May 07, 2026, Malware \/ Threat Intelligence<br \/>\nCybersecurity researchers have discovered three packages on the Python Package Index (PyPI) repository that are designed to stealthily deliver a previously unknown malware family called\u00a0ZiChatBot on Windows and Linux systems.<br \/>\n&#8220;While these wheel packages do implement the features described on their PyPI web pages, their true purpose is to covertly deliver malicious files,&#8221; Kaspersky\u00a0said. 
&#8220;Unlike traditional malware, ZiChatBot does not communicate with a dedicated command-and-control (C2) server, but instead uses a series of REST APIs from the public team chat app Zulip as its C2 infrastructure.&#8221;<br \/>\nThe activity has been described as a &#8220;carefully planned and executed PyPI supply chain attack&#8221; by the Russian cybersecurity company. The names of the packages, which have since been taken down, are listed below &#8211;<\/p>\n<p>uuid32-utils (1,479 downloads)<br \/>\ncolorinal (614 downloads)<br \/>\ntermncolor (387 downloads)<\/p>\n<p>All three packages were uploaded to PyPI during a short window between July 16 and 22, 2025. While uuid32-utils and colorinal make use of similar malicious payloads, termncolor is a benign-looking package that lists colorinal as a dependency, so installing it pulls in the malicious code indirectly.<\/p>\n<p>On Windows systems, once either of the first two packages is installed, the malicious code extracts a DLL dropper (&#8220;terminate.dll&#8221;) and writes it to disk. When the library is imported into a project, the DLL is loaded and acts as a dropper for ZiChatBot, after which it establishes an auto-run entry in the Windows Registry and runs code to delete itself from the host.<br \/>\nThe Linux version of the shared object dropper (&#8220;terminate.so&#8221;) plants the malware at the &#8220;\/tmp\/obsHub\/obs-check-update&#8221; path and configures a crontab entry for persistence. Regardless of the operating system it&#8217;s running on, ZiChatBot is designed to execute shellcode received over its Zulip-based C2 channel. After executing a command, the malware posts a heart emoji in reply to signal to the operator that the operation succeeded.<br \/>\nExactly who is behind the campaign is not clear. 
However, Kaspersky said the dropper shares a &#8220;64% similarity&#8221; with another dropper used by a Vietnam-aligned hacking group named OceanLotus (aka APT32).<br \/>\nIn late 2024, the threat actor was observed targeting the Chinese cybersecurity community with poisoned Visual Studio Code projects masquerading as Cobalt Strike plugins to deliver a trojan that&#8217;s executed automatically when the project is compiled. That malware uses the Notion note-taking service as its C2, per an analysis from ThreatBook.<br \/>\nKaspersky pointed out that if the PyPI supply chain campaign is indeed the work of OceanLotus, it represents the threat actor&#8217;s strategy to expand its targeting scope.<br \/>\n&#8220;Although phishing emails are still a common initial infection method for OceanLotus, the group is also actively exploring new ways to compromise victims through diverse supply chain attacks,&#8221; it said.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>PyPI Packages Deliver ZiChatBot Malware via Zulip APIs on Windows and Linux https:\/\/thehackernews.com\/2026\/05\/pypi-packages-deliver-zichatbot-malware.html Publish 
Date:&#8230;<\/p>\n","protected":false},"author":1,"featured_media":210154,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhGun7lMQJXWH3IQiR3ml3RMzAbb1QJcWEtgqDrKTjPbvBhTsDPaCWmI1vTAnevTVPx0lg4xvPkOcpx_86_Znxdgpj-hynQXGEHqf94dvYwOy5VqqnqBWEWrJ3MEkQcLVBVt00Y8pUqVWj4W-hYYepmDmtX9PRQh87qZC7XbJCwdEaLsBY-vTsbkS0yqikd\/s1600\/pypi.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,32,25,34],"class_list":["post-210153","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-malware","tag-phishing","tag-threat-actor"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/210153"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=210153"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/210153\/revisions"}],"predecessor-version":[{"id":210155,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/210153\/revisions\/210155"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/210154"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=210153"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=210153"},{"taxonomy":"post_tag","embeddable":tr
ue,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=210153"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
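The article above gives a practitioner four concrete places to look for this campaign: the three package names on PyPI, the dropper file names (terminate.dll / terminate.so), the Linux drop path with its crontab persistence, and outbound traffic to Zulip's REST API instead of a dedicated C2 host. The following script is an added example, not code from Kaspersky, The Hacker News or any of the packages described. It turns those indicators into a host-hunting routine. Only the package names, dropper names, drop path and crontab persistence come from the article; the proxy-log format, the sample inputs, and the assumption that the C2 traffic goes to a Zulip Cloud organisation (*.zulipchat.com) under the /api/v1/ prefix where Zulip serves its REST API are assumptions made here, since the article does not name the host or endpoints ZiChatBot calls.

```python
"""Hunt for ZiChatBot / malicious-PyPI indicators on a host.

Added example, not code from Kaspersky or The Hacker News. Package names,
dropper file names, the Linux drop path and crontab persistence come from the
article; the log format, sample inputs and the Zulip host/path heuristic are
assumptions, marked below.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable

# Indicators named in the article (the packages have been removed from PyPI).
MALICIOUS_DISTS = {"uuid32-utils", "colorinal", "termncolor"}
DROPPER_FILES = {"terminate.dll", "terminate.so"}
LINUX_DROP_PATH = "/tmp/obsHub/obs-check-update"

# Assumption: Zulip serves its REST API under /api/v1/, and Zulip Cloud
# organisations live under *.zulipchat.com. The article does not say which
# host or endpoints ZiChatBot calls, so treat hits here as leads, not verdicts:
# legitimate Zulip users will also match.
ZULIP_API_RE = re.compile(r"^https?://(?P<host>[^/:]+)(?::\d+)?/api/v1/", re.I)


@dataclass(frozen=True)
class Finding:
    source: str     # which input produced the hit (pip, fs, cron, proxy)
    indicator: str  # the matched indicator
    detail: str     # the raw package, path or log line that matched


def normalize_dist(name: str) -> str:
    """PEP 503 name normalisation so 'UUID32_Utils' matches 'uuid32-utils'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def check_installed(dists: Iterable[tuple[str, str]]) -> list[Finding]:
    """dists: (name, version) pairs, e.g. from importlib.metadata.distributions()."""
    return [
        Finding("pip", normalize_dist(name), f"{name}=={version}")
        for name, version in dists
        if normalize_dist(name) in MALICIOUS_DISTS
    ]


def check_paths(paths: Iterable[str]) -> list[Finding]:
    """paths: files present on disk (site-packages walk, /tmp listing, ...)."""
    hits = []
    for p in paths:
        base = p.replace("\\", "/").rsplit("/", 1)[-1]
        if base.lower() in DROPPER_FILES:
            hits.append(Finding("fs", base.lower(), p))
        if p == LINUX_DROP_PATH:
            hits.append(Finding("fs", LINUX_DROP_PATH, p))
    return hits


def check_crontab(lines: Iterable[str]) -> list[Finding]:
    """Flag any active crontab line (user crontab or /etc/cron.d) running the drop path."""
    return [
        Finding("cron", LINUX_DROP_PATH, ln.strip())
        for ln in lines
        if LINUX_DROP_PATH in ln and not ln.lstrip().startswith("#")
    ]


def check_proxy_log(lines: Iterable[str]) -> list[Finding]:
    """Constructed log format (assumption): '<timestamp> <client> <method> <url>'."""
    hits = []
    for ln in lines:
        parts = ln.split()
        if len(parts) < 4:
            continue
        m = ZULIP_API_RE.match(parts[3])
        if m and m.group("host").lower().endswith(".zulipchat.com"):
            hits.append(Finding("proxy", "zulip-api", ln.strip()))
    return hits


def hunt(installed, paths, crontab, proxy) -> list[Finding]:
    """Run every check and return all findings in a fixed order."""
    return (check_installed(installed) + check_paths(paths)
            + check_crontab(crontab) + check_proxy_log(proxy))


# Constructed sample inputs for a stand-alone run (not data from a real host).
SAMPLE_INSTALLED = [("requests", "2.32.3"), ("Colorinal", "1.0.0"), ("termncolor", "0.1")]
SAMPLE_PATHS = [
    "/usr/lib/python3/dist-packages/requests/__init__.py",
    "/home/dev/.venv/lib/python3.12/site-packages/colorinal/terminate.so",
    "/tmp/obsHub/obs-check-update",
]
SAMPLE_CRONTAB = [
    "# m h dom mon dow command",
    "*/5 * * * * /tmp/obsHub/obs-check-update >/dev/null 2>&1",
    "0 3 * * * /usr/bin/apt update",
]
SAMPLE_PROXY = [
    "2025-07-20T10:00:01Z 10.0.0.5 GET https://pypi.org/simple/colorinal/",
    "2025-07-20T10:00:09Z 10.0.0.5 POST https://example.zulipchat.com/api/v1/messages",
    "2025-07-20T10:00:12Z 10.0.0.5 GET https://example.zulipchat.com/api/v1/messages?anchor=newest",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_INSTALLED, SAMPLE_PATHS, SAMPLE_CRONTAB, SAMPLE_PROXY):
        print(f"[{f.source}] {f.indicator}: {f.detail}")
```

On a real host, feed check_installed with importlib.metadata.distributions() from every interpreter and virtualenv, check_paths with a walk of each site-packages directory plus /tmp, and check_crontab with each user's crontab and the files under /etc/cron.d. The termncolor package is flagged even though it is described as benign-looking, because it pulls colorinal in as a dependency. The Zulip check is deliberately a lead rather than a verdict: an organisation that uses Zulip will see hits from its own clients, so pivot on which process made the request and whether that host also has one of the file-system or package indicators.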