Security researchers have found several malicious packages on the Python Package Index (PyPI) that were built to deliver a piece of malware the researchers call “ZiChatBot” to both Windows and Linux systems. Because PyPI is the default source of third-party code for Python developers, the incident has raised serious concern in the security community. It is one more example of attackers using an open-source package registry, rather than a phishing email or a server exploit, to get malware onto developer machines quietly.

The attackers uploaded three packages named uuid32-utils, colorinal, and termncolor. The names were chosen to resemble legitimate Python libraries (termncolor, for example, is one inserted letter away from the widely used termcolor), a technique known as typosquatting, so that a developer who mistyped a name or skimmed a search result would install them without suspicion. The packages stayed on PyPI for several days before researchers detected and reported them, which is long enough for an automated build or a copied requirements file to pull them in.
On the surface the packages looked harmless, but they shipped native binaries that did the real work: a Windows DLL named terminate.dll and a Linux shared object named terminate.so. These files acted as droppers that installed the final ZiChatBot payload on the victim’s machine, and the installation ran in the background with no prompt or visible warning to the user. Shipping the loader as a compiled library is a deliberate choice: a reviewer who skims the package’s Python source sees very little, and the binary itself has to be disassembled to learn what it does.
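A pre-install check for the dropper shape just described. This is an added example, not code from the original report or from the malicious packages: it unpacks a wheel in memory and flags bundled .dll/.so files together with Python modules that load them with ctypes or branch on the operating system at import time. The wheel it scans is a constructed stand-in (package name fakecolor, with the file names terminate.dll and terminate.so borrowed from the article and placeholder bytes inside them); the pattern list is an assumption about what deserves a human look, not a complete indicator set.

```python
import io
import re
import zipfile

# Native libraries that a "pure Python" colour/utility package has no business shipping.
NATIVE_EXT = (".dll", ".so", ".dylib", ".pyd")

# Import-time behaviour worth a human look (assumption: a triage aid, not an indicator set).
LOADER_PATTERNS = {
    "ctypes_load": re.compile(r"ctypes\.(CDLL|WinDLL|cdll|windll|LoadLibrary)\b"),
    "platform_branch": re.compile(r"platform\.system\(\)|sys\.platform\b|os\.name\b"),
    "subprocess": re.compile(r"\bsubprocess\.(Popen|run|call|check_output)\("),
    "exec_eval": re.compile(r"(?<![\w.])(exec|eval)\s*\("),
}


def scan_wheel(data):
    """Scan a wheel (a zip) held in memory; return bundled native files and modules with loader patterns."""
    findings = {"native": [], "hooks": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.lower().endswith(NATIVE_EXT):
                findings["native"].append(name)
            elif name.endswith(".py"):
                text = zf.read(name).decode("utf-8", errors="replace")
                hits = [label for label, pat in LOADER_PATTERNS.items() if pat.search(text)]
                if hits:
                    findings["hooks"][name] = hits
    return findings


def is_dropper_shaped(findings):
    """True when a bundled .dll/.so is loaded via ctypes from a package __init__.py (i.e. on plain `import`)."""
    init_hits = [p for p in findings["hooks"] if p.endswith("__init__.py")]
    return bool(findings["native"]) and any("ctypes_load" in findings["hooks"][p] for p in init_hits)


def build_sample_wheel():
    """Constructed stand-in for a typosquatted wheel; the binaries are placeholder headers, not real code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "fakecolor/__init__.py",
            "import ctypes, os, platform\n"
            "_here = os.path.dirname(__file__)\n"
            "_lib = 'terminate.dll' if platform.system() == 'Windows' else 'terminate.so'\n"
            "ctypes.CDLL(os.path.join(_here, _lib))  # loader runs on import\n",
        )
        zf.writestr("fakecolor/colors.py", "RED = '\\033[31m'\n")
        zf.writestr("fakecolor/terminate.dll", b"MZ" + b"\x00" * 64)
        zf.writestr("fakecolor/terminate.so", b"\x7fELF" + b"\x00" * 64)
        zf.writestr("fakecolor-1.0.dist-info/METADATA", "Name: fakecolor\nVersion: 1.0\n")
    return buf.getvalue()


if __name__ == "__main__":
    result = scan_wheel(build_sample_wheel())
    print(result, "dropper-shaped:", is_dropper_shaped(result))
```

To use it on a real candidate, fetch the artifact without installing it (`pip download --no-deps --dest ./review <package>`) and pass the wheel’s bytes to scan_wheel(); an sdist is a .tar.gz and needs tarfile instead of zipfile. Treat a hit as a reason to read the code, not as a verdict: many legitimate packages ship compiled extension modules, but a package that looks like pure Python and loads a .dll or .so from its own __init__.py is exactly the shape this campaign used.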
The most unusual aspect of the campaign is its command-and-control channel. Instead of a dedicated C2 server, the malware talked to its operators through the Zulip API. Zulip is a legitimate team-chat platform used by organizations for collaboration and messaging, so the malware’s traffic went to a reputable service over ordinary HTTPS. Domain-reputation blocking and IP blocklists do nothing against that; what remains are behavioural signals, such as a build host or developer workstation using the Zulip API when the organization does not use Zulip at all.
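One way to hunt for this channel in web-proxy logs. This is an added example, not detection logic from the researchers: it assumes a simple constructed log format (timestamp, source host, method, URL), assumes Zulip Cloud’s zulipchat.com domain and its documented /api/v1/register, /api/v1/events and /api/v1/messages endpoints, and assumes you can name the hosts that legitimately run a Zulip client. The log lines and the host names are constructed for the example.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Zulip Cloud hosts (assumption: a self-hosted Zulip server needs its own domain here).
ZULIP_HOST_RE = re.compile(r"(^|\.)zulipchat\.com$", re.I)
# Documented Zulip REST endpoints a bot needs: register an event queue, long-poll it, post messages.
ZULIP_API_RE = re.compile(r"^/api/v1/(register|events|messages)(/|$)")
# Constructed proxy-log format for this example: "<timestamp> <source host> <method> <url>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$")


def parse_line(line):
    """Return a dict with ts/src/method/url/host/path, or None if the line is malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    url = urlparse(rec["url"])
    rec["host"], rec["path"] = (url.hostname or ""), url.path
    return rec


def find_zulip_c2_candidates(lines, allowlist, min_events=3):
    """Zulip API usage by hosts not expected to use Zulip; returns {src: {endpoint: count}}."""
    per_host = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not ZULIP_HOST_RE.search(rec["host"]):
            continue
        m = ZULIP_API_RE.match(rec["path"])
        if m:
            per_host[rec["src"]][m.group(1)] += 1
    alerts = {}
    for src, counts in per_host.items():
        if src in allowlist:
            continue
        # A bot registers a queue and then keeps long-polling /events;
        # posting to /messages is its reply path back to the operator.
        polling = counts["events"] >= min_events
        round_trip = counts["register"] > 0 and counts["messages"] > 0
        if polling or round_trip:
            alerts[src] = dict(counts)
    return alerts


# Constructed log lines: one build host behaving like a bot, one allow-listed
# workstation using Zulip normally, one unrelated request.
SAMPLE_LOG = """\
2025-08-20T09:00:01Z build-02 POST https://example.zulipchat.com/api/v1/register
2025-08-20T09:00:02Z build-02 GET https://example.zulipchat.com/api/v1/events?queue_id=abc&last_event_id=-1
2025-08-20T09:00:32Z build-02 GET https://example.zulipchat.com/api/v1/events?queue_id=abc&last_event_id=0
2025-08-20T09:01:02Z build-02 GET https://example.zulipchat.com/api/v1/events?queue_id=abc&last_event_id=1
2025-08-20T09:01:03Z build-02 POST https://example.zulipchat.com/api/v1/messages
2025-08-20T09:02:00Z alice-laptop GET https://team.zulipchat.com/api/v1/events?queue_id=q1&last_event_id=5
2025-08-20T09:02:01Z alice-laptop GET https://team.zulipchat.com/api/v1/events?queue_id=q1&last_event_id=6
2025-08-20T09:02:02Z alice-laptop GET https://team.zulipchat.com/api/v1/events?queue_id=q1&last_event_id=7
2025-08-20T09:03:00Z web-01 GET https://pypi.org/simple/requests/
"""

# Hosts known to run a Zulip client legitimately (assumption: an inventory you maintain).
KNOWN_ZULIP_USERS = {"alice-laptop"}

if __name__ == "__main__":
    for src, counts in find_zulip_c2_candidates(SAMPLE_LOG.splitlines(), KNOWN_ZULIP_USERS).items():
        print(f"{src}: {counts}")
```

The logic keys on behaviour rather than reputation: a bot registers an event queue, long-polls /api/v1/events continuously and posts to /api/v1/messages to report back, while an allow-listed workstation doing the same is ignored. The thresholds are starting points to tune against your own baseline, and for a self-hosted Zulip server ZULIP_HOST_RE must be replaced with that server’s domain.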
Once installed, ZiChatBot could execute shellcode sent to it remotely by the operators. Researchers found that after each task completed successfully the implant posted a heart emoji back to its operators as a confirmation, a detail that helped the analysts map out its command protocol. The implant was deliberately kept lightweight and quiet so that it would not stand out during normal system operation.
The malware was also built to survive reboots. On Windows it added Registry autorun entries so that it launched at startup; on Linux it installed cron jobs that kept it running in the background. Both are textbook persistence mechanisms that give attackers long-term access, and both are easy to audit: the Run keys under HKCU and HKLM and the user and system crontabs are short lists, and any entry that launches from a temporary or user-writable directory deserves a closer look.
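Auditing the two persistence locations named above. This is an added example, not the researchers’ tooling: it parses the text output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and of `crontab -l` and flags entries that launch from temporary or user-writable directories or use loader-style commands. The indicator patterns are an assumption (they include the file names terminate.dll and terminate.so from the article), and both sample outputs, including the planted entries, are constructed.

```python
import re

# Directories a legitimate autostart entry rarely lives in but droppers favour
# (assumption: tuned for this article's scenario, not an exhaustive list).
SUSPICIOUS_PATHS = re.compile(
    r"(\\AppData\\Local\\Temp\\|\\Temp\\|\\Users\\Public\\|"
    r"/tmp/|/var/tmp/|/dev/shm/|/\.cache/|/\.local/share/)",
    re.I,
)
# Launch shapes that deserve a look: rundll32/regsvr32 loading a library, an inline
# Python one-liner, decode-and-pipe-to-shell, or the loader file names from this campaign.
SUSPICIOUS_CMD = re.compile(
    r"(rundll32(\.exe)?\s|regsvr32(\.exe)?\s|python[\d.]*(\.exe)?\s+-c\s|"
    r"base64\s+(-d|--decode)|\|\s*(ba)?sh\b|terminate\.(dll|so)\b)",
    re.I,
)


def audit_command(cmd):
    """Return the reasons a launch command looks suspicious (empty list if none)."""
    reasons = []
    if SUSPICIOUS_PATHS.search(cmd):
        reasons.append("user-writable-path")
    if SUSPICIOUS_CMD.search(cmd):
        reasons.append("loader-pattern")
    return reasons


# One value line of `reg query` output: 4 spaces, name, 4 spaces, type, 4 spaces, data.
REG_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")


def audit_run_key(reg_query_output):
    """Map value name -> reasons for every flagged entry in a Run key dump."""
    flagged = {}
    for line in reg_query_output.splitlines():
        m = REG_LINE.match(line)
        if m:
            reasons = audit_command(m.group("data"))
            if reasons:
                flagged[m.group("name")] = reasons
    return flagged


# A crontab entry: an @reboot-style keyword or five schedule fields, then the command.
CRON_LINE = re.compile(r"^(?:@\w+\s+|(?:\S+\s+){5})(?P<cmd>.+)$")


def audit_crontab(crontab_text):
    """Map command -> reasons for every flagged entry in `crontab -l` output."""
    flagged = {}
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank line, comment, or VAR=value assignment
        m = CRON_LINE.match(line)
        if m:
            cmd = m.group("cmd").strip()
            reasons = audit_command(cmd)
            if reasons:
                flagged[cmd] = reasons
    return flagged


# Constructed samples in the shape of the real tools' output, each with a planted entry.
SAMPLE_REG = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\dev\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    SecurityHealth    REG_SZ    C:\Windows\System32\SecurityHealthSystray.exe
    Updater    REG_SZ    rundll32.exe C:\Users\dev\AppData\Local\Temp\terminate.dll,Run
"""

SAMPLE_CRON = """\
SHELL=/bin/sh
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/10 * * * * /usr/bin/python3 -c "import ctypes;ctypes.CDLL('/home/dev/.cache/.z/terminate.so')"
@reboot /tmp/.x/run.sh
"""

if __name__ == "__main__":
    print(audit_run_key(SAMPLE_REG))
    print(audit_crontab(SAMPLE_CRON))
```

Run the real `reg query` (against HKLM and the RunOnce keys as well) and `crontab -l` for each user, plus the files in /etc/cron.d, and feed the text in. A flagged entry is a lead, not proof; the point is that these lists are short enough to read in full, and anything launching from %TEMP%, /tmp or a hidden dot-directory in a home folder is worth pulling apart.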
Researchers suspect the campaign may be linked to OceanLotus, also tracked as APT32, a threat group associated with Vietnam, because parts of the malware resemble tooling previously attributed to that group. No formal attribution has been made and the investigation is ongoing; analysts are still examining the malware’s behaviour and infrastructure to identify who is behind it.
The incident underlines the growing risk of software supply-chain attacks against open-source registries such as PyPI. Attackers favour trusted developer platforms precisely because many users install packages quickly without verifying them. Researchers advise developers and organizations to review third-party libraries before installing them, to pin dependencies (pip’s --require-hashes mode refuses any package whose hash is not listed in the requirements file), and to monitor dependencies continuously rather than only at first install. The ZiChatBot campaign shows attackers combining an old technique, typosquatting, with trusted online services to make both delivery and command-and-control harder to spot.
Stay alert, and keep your security measures updated!
Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news