ZiChatBot malware delivered via compromised PyPI packages leveraging Zulip APIs as C2
Summary
Three malicious Python packages uploaded to PyPI between July 16–22, 2025 delivered a previously undocumented malware family, ZiChatBot, on Windows and Linux systems using Zulip REST APIs as a covert command-and-control channel. The attack bypassed traditional C2 infrastructure by abusing public chat platform APIs and exhibited code similarities to a dropper previously attributed to the OceanLotus (APT32) group, suggesting expansion of the actor’s supply chain tactics.
Timeline
- 07.05.2026 12:20 · 1 article
ZiChatBot malware delivered via compromised PyPI packages using Zulip APIs as C2
Three malicious Python packages uploaded to PyPI between July 16–22, 2025 delivered ZiChatBot malware on Windows and Linux systems. The malware abuses Zulip REST APIs for command-and-control, writes a DLL or shared object dropper to disk, establishes persistence via Registry or crontab, and executes shellcode received from the C2. Code similarity to a known OceanLotus dropper suggests possible attribution.
- PyPI Packages Deliver ZiChatBot Malware via Zulip APIs on Windows and Linux — thehackernews.com — 07.05.2026 12:20
Information Snippets
- Three PyPI packages—uuid32-utils (1,479 downloads), colorinal (614 downloads), and termncolor (387 downloads)—were uploaded between July 16–22, 2025 and removed after discovery.
  First reported: 07.05.2026 12:20 · 1 source, 1 article
- PyPI Packages Deliver ZiChatBot Malware via Zulip APIs on Windows and Linux — thehackernews.com — 07.05.2026 12:20
- ZiChatBot malware uses Zulip REST APIs as its C2 infrastructure instead of dedicated servers, communicating via public team chat endpoints.
  First reported: 07.05.2026 12:20 · 1 source, 1 article
- PyPI Packages Deliver ZiChatBot Malware via Zulip APIs on Windows and Linux — thehackernews.com — 07.05.2026 12:20
- On Windows, the dropper writes terminate.dll to disk and establishes persistence via a Registry auto-run entry before self-deleting after execution.
  First reported: 07.05.2026 12:20 · 1 source, 1 article
- PyPI Packages Deliver ZiChatBot Malware via Zulip APIs on Windows and Linux — thehackernews.com — 07.05.2026 12:20
- On Linux, the dropper (terminate.so) places malware in /tmp/obsHub/obs-check-update and configures a crontab entry for persistence.
  First reported: 07.05.2026 12:20 · 1 source, 1 article
- PyPI Packages Deliver ZiChatBot Malware via Zulip APIs on Windows and Linux — thehackernews.com — 07.05.2026 12:20
- ZiChatBot executes received shellcode, then signals successful operation to the C2 by sending a heart emoji response.
  First reported: 07.05.2026 12:20 · 1 source, 1 article
- PyPI Packages Deliver ZiChatBot Malware via Zulip APIs on Windows and Linux — thehackernews.com — 07.05.2026 12:20
- A 64% code similarity was observed between the dropper and a dropper previously attributed to the Vietnam-aligned OceanLotus (APT32) group, which previously targeted Chinese cybersecurity communities via poisoned Visual Studio Code projects.
  First reported: 07.05.2026 12:20 · 1 source, 1 article
- PyPI Packages Deliver ZiChatBot Malware via Zulip APIs on Windows and Linux — thehackernews.com — 07.05.2026 12:20
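As an added defender-side example (not code from the article or from any tool it mentions), the host indicators listed in the snippets above (the three package names, the /tmp/obsHub/obs-check-update path and the terminate.dll dropper) can be checked against `pip freeze` output, a crontab and exported Run-key values. The sample inputs are constructed, and the Run-key command shape is a hypothetical placeholder rather than an observed entry.

```python
import re

# Indicators taken from the snippets above (constructed detection helper, not vendor code)
MALICIOUS_PACKAGES = {"uuid32-utils", "colorinal", "termncolor"}
LINUX_PAYLOAD_PATH = "/tmp/obsHub/obs-check-update"
WINDOWS_DROPPER = "terminate.dll"


def normalize_pkg(name: str) -> str:
    """PEP 503 name normalisation: lower-case, runs of '-', '_' or '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def find_malicious_packages(pip_freeze_output: str) -> list[str]:
    """Return `pip freeze` lines whose project name is one of the known-bad packages."""
    hits = []
    for line in pip_freeze_output.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Cut the project name off before any version specifier, extras or URL
        name = re.split(r"[=<>!~ @;\[]", line, maxsplit=1)[0]
        if normalize_pkg(name) in MALICIOUS_PACKAGES:
            hits.append(line)
    return hits


def find_crontab_persistence(crontab_text: str) -> list[str]:
    """Return active (non-comment) crontab entries that invoke the Linux payload path."""
    return [l.strip() for l in crontab_text.splitlines()
            if l.strip() and not l.lstrip().startswith("#") and LINUX_PAYLOAD_PATH in l]


def find_runkey_persistence(run_values: dict[str, str]) -> list[str]:
    """Given value-name -> command pairs exported from a Run key, return names loading terminate.dll."""
    return [name for name, cmd in run_values.items() if WINDOWS_DROPPER in cmd.lower()]


# Constructed sample inputs (not real captured data); the Run-key command is a hypothetical shape
SAMPLE_FREEZE = "requests==2.31.0\nTermNColor==0.1.0\ncolorama==0.4.6\n"
SAMPLE_CRONTAB = ("# m h dom mon dow command\n"
                  "*/5 * * * * /tmp/obsHub/obs-check-update\n"
                  "0 3 * * * /usr/local/bin/backup.sh\n")
SAMPLE_RUN = {"OneDrive": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
              "Updater": r"rundll32.exe C:\Users\u\AppData\Roaming\terminate.dll,Run"}

if __name__ == "__main__":
    print("bad packages :", find_malicious_packages(SAMPLE_FREEZE))
    print("crontab      :", find_crontab_persistence(SAMPLE_CRONTAB))
    print("run key      :", find_runkey_persistence(SAMPLE_RUN))
```

Feed it real `pip freeze` output, `crontab -l` text and a Run-key export to triage a host; package-name normalisation catches the case and separator variants PyPI treats as the same project.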