{"id":240767,"date":"2026-05-07T05:20:00","date_gmt":"2026-05-07T09:20:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/05\/07\/pypi-packages-deliver-zichatbot-malware-via-zulip-apis-on-windows-and-linux\/"},"modified":"2026-05-07T05:30:08","modified_gmt":"2026-05-07T09:30:08","slug":"pypi-packages-deliver-zichatbot-malware-via-zulip-apis-on-windows-and-linux","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/05\/07\/pypi-packages-deliver-zichatbot-malware-via-zulip-apis-on-windows-and-linux\/","title":{"rendered":"PyPI Packages Deliver ZiChatBot Malware via Zulip APIs on Windows and Linux"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/05\/pypi-packages-deliver-zichatbot-malware.html\">PyPI Packages Deliver ZiChatBot Malware via Zulip APIs on Windows and Linux<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/05\/pypi-packages-deliver-zichatbot-malware.html\">https:\/\/thehackernews.com\/2026\/05\/pypi-packages-deliver-zichatbot-malware.html<\/a><\/p>\n<p>Publish Date: 2026-05-07 05:20:00<\/p>\n<p>Source Domain: <a href=\"https:\/\/thehackernews.com\">thehackernews.com<\/a><\/p>\n<p><span class=\"p-author\"><span class=\"author\">Ravie Lakshmanan<\/span> <span class=\"author\">May 07, 2026<\/span><\/span><span class=\"p-tags\">Malware \/ Threat Intelligence<\/span><\/p>\n<p>Cybersecurity researchers have discovered three packages on the Python Package Index (PyPI) repository that are designed to stealthily deliver a previously unknown malware family called\u00a0ZiChatBot on Windows and Linux systems.<\/p>\n<p>&#8220;While these wheel packages do implement the features described on their PyPI web pages, their true purpose is to covertly deliver malicious files,&#8221; Kaspersky\u00a0said. 
&#8220;Unlike traditional malware, ZiChatBot does not communicate with a dedicated command-and-control (C2) server, but instead uses a series of REST APIs from the public team chat app Zulip as its C2 infrastructure.&#8221;<\/p>\n<p>The activity has been described as a &#8220;carefully planned and executed PyPI supply chain attack&#8221; by the Russian cybersecurity company. The names of the packages, which have since been taken down, are listed below &#8211;<\/p>\n<ul>\n<li>uuid32-utils (1,479 downloads)<\/li>\n<li>colorinal (614 downloads)<\/li>\n<li>termncolor (387 downloads)<\/li>\n<\/ul>\n<p>All three packages were uploaded to PyPI during a short window between July 16 and 22, 2025. While uuid32-utils and colorinal carry similar malicious payloads, termncolor is a benign-looking package that simply lists colorinal as a dependency, so installing it pulls in the malicious package transitively.<\/p>\n<p>On Windows systems, once either of the first two packages is installed, the malicious code extracts a DLL dropper (&#8220;terminate.dll&#8221;) and writes it to disk. When the library is imported into a project, the DLL is loaded and acts as a dropper for ZiChatBot, after which it establishes an auto-run entry in the Windows Registry and runs code to delete itself from the host.<\/p>\n<p>The Linux version of the shared object dropper (&#8220;terminate.so&#8221;) plants the malware at the &#8220;\/tmp\/obsHub\/obs-check-update&#8221; path and configures a crontab entry for persistence. Regardless of the operating system it&#8217;s running on, ZiChatBot is designed to execute shellcode received from its C2 server. 
After executing the command, the malware sends a heart emoji as a response to signal the server that the operation was&#8230;<\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/05\/pypi-packages-deliver-zichatbot-malware.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>PyPI Packages Deliver ZiChatBot Malware via Zulip APIs on Windows and Linux https:\/\/thehackernews.com\/2026\/05\/pypi-packages-deliver-zichatbot-malware.html Publish Date:&#8230;<\/p>\n","protected":false},"author":1,"featured_media":240769,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhGun7lMQJXWH3IQiR3ml3RMzAbb1QJcWEtgqDrKTjPbvBhTsDPaCWmI1vTAnevTVPx0lg4xvPkOcpx_86_Znxdgpj-hynQXGEHqf94dvYwOy5VqqnqBWEWrJ3MEkQcLVBVt00Y8pUqVWj4W-hYYepmDmtX9PRQh87qZC7XbJCwdEaLsBY-vTsbkS0yqikd\/s1600\/pypi.jpg","fifu_image_alt":"","footnotes":""},"categories":[48],"tags":[71,32],"class_list":["post-240767","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","tag-linux","tag-malware"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/240767"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=240767"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/240767\/revisions"}],"predecessor-version":[{"id":240771,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/240767\/revisions\/240771"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/ind
ex.php\/wp-json\/wp\/v2\/media\/240769"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=240767"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=240767"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=240767"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
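The dropper and persistence details in the article give a handful of concrete host indicators: the three package names, the terminate.dll / terminate.so dropper file names, the /tmp/obsHub/obs-check-update drop path and a crontab entry pointing at it. The script below is an added example written for this page, not code from Kaspersky or The Hacker News. It checks an inventory of installed distributions, a file listing and a crontab dump against those indicators, normalizing package names the way PyPI does so that spelling variants such as uuid32_utils still match. All sample inputs are constructed; the crontab schedule in the sample is an assumption, since the article does not give it; and the Windows Registry auto-run key and the Zulip API endpoints are deliberately not checked because the article does not name them.

```python
"""Hunt for the ZiChatBot PyPI indicators described in the article.

Added example, not code from Kaspersky or The Hacker News. The indicator
values (package names, dropper file names, Linux drop path) are the ones
quoted in the article; every sample input below is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Indicators quoted in the article.
MALICIOUS_PACKAGES = {"uuid32-utils", "colorinal", "termncolor"}
DROPPER_FILENAMES = {"terminate.dll", "terminate.so"}
LINUX_DROP_PATH = "/tmp/obsHub/obs-check-update"


@dataclass
class Findings:
    packages: list[str] = field(default_factory=list)
    dropper_files: list[str] = field(default_factory=list)
    crontab_lines: list[str] = field(default_factory=list)

    def is_clean(self) -> bool:
        return not (self.packages or self.dropper_files or self.crontab_lines)


def normalize(name: str) -> str:
    """PEP 503 name normalization: case-insensitive, runs of '-', '_' and '.'
    collapse to a single '-'. So 'Colorinal' and 'uuid32_utils' both match
    the names published on PyPI."""
    return re.sub(r"[-_.]+", "-", name).lower()


def check_packages(installed: list[str]) -> list[str]:
    """installed: distribution names, e.g. from `pip list` or importlib.metadata."""
    return [n for n in installed if normalize(n) in MALICIOUS_PACKAGES]


def check_files(paths: list[str]) -> list[str]:
    """paths: file paths from a walk of site-packages (Windows or POSIX separators).
    The dropper is written to disk at install time, so it is present even if the
    package has never been imported yet."""
    return [p for p in paths
            if p.replace("\\", "/").rsplit("/", 1)[-1] in DROPPER_FILENAMES]


def check_crontab(crontab_text: str) -> list[str]:
    """crontab_text: output of `crontab -l` (any user) or a /etc/cron.d file.
    Commented-out lines are ignored; any active line referencing the drop path is flagged."""
    return [ln for ln in crontab_text.splitlines()
            if LINUX_DROP_PATH in ln and not ln.lstrip().startswith("#")]


def hunt(installed: list[str], paths: list[str], crontab_text: str) -> Findings:
    return Findings(check_packages(installed), check_files(paths), check_crontab(crontab_text))


# Constructed sample inputs (illustrative, not captured from a real host).
SAMPLE_INSTALLED = ["requests", "Colorinal", "uuid32_utils", "numpy"]
SAMPLE_PATHS = [
    "/usr/lib/python3.11/site-packages/requests/__init__.py",
    "/usr/lib/python3.11/site-packages/colorinal/terminate.so",
    "C:\\Python311\\Lib\\site-packages\\uuid32_utils\\terminate.dll",
]
# The "*/5" schedule is an assumption; the article only says a crontab entry is configured.
SAMPLE_CRONTAB = (
    "# m h dom mon dow command\n"
    "*/5 * * * * /tmp/obsHub/obs-check-update\n"
    "0 3 * * * /usr/bin/backup.sh\n"
)

if __name__ == "__main__":
    found = hunt(SAMPLE_INSTALLED, SAMPLE_PATHS, SAMPLE_CRONTAB)
    print("clean" if found.is_clean() else found)
```

On a real host, feed `check_packages` the names from `importlib.metadata.distributions()`, `check_files` a walk of every site-packages and virtualenv directory, and `check_crontab` the output of `crontab -l` for each user plus the files under /etc/cron.d; a hit on any of the three is enough to treat the host as compromised rather than merely exposed, since the dropper runs at import time and removes itself afterwards.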