Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
AnyDesk Critical 0-Day Vulnerability Lets Attackers Trigger DoS
July 16, 2026
Next.js Launches Monthly Security Releases, Patches 9 Vulnerabilities
July 16, 2026
SonicWall SMA 1000 Zero-Day Actively Exploited
July 16, 2026
Home/Threats/ZiChatBot Malware Uses Zulip API for Command and Control
Threats

ZiChatBot Malware Uses Zulip API for Command and Control

Key Takeaways A new malware, ZiChatBot, leverages the legitimate Zulip team chat application’s REST APIs for covert command and control (C2), evading traditional network detection. The malware...

David kimber
David kimber
May 8, 2026 4 Min Read
50 0

Key Takeaways

  • A new malware, ZiChatBot, leverages the legitimate Zulip team chat application’s REST APIs for covert command and control (C2), evading traditional network detection.
  • The malware was delivered via a supply chain attack on PyPI, the Python Package Index, through malicious Python packages disguised as common development libraries.
  • ZiChatBot targets both Windows and Linux systems and exhibits a 64% code similarity to droppers previously attributed to the sophisticated APT32 (OceanLotus) group.
  • While the malicious PyPI packages and attacker’s Zulip organization have been deactivated, infected systems may still attempt to connect, requiring thorough cleanup.

Cybersecurity researchers have uncovered a novel malware strain, dubbed ZiChatBot, that employs the REST APIs of the popular team collaboration platform Zulip for its command and control (C2) infrastructure. This innovative approach allows ZiChatBot to blend its malicious traffic with legitimate network communications, making it significantly harder for conventional security tools to detect.

Table Of Content

  • Key Takeaways
  • ZiChatBot Malware Uses Zulip REST APIs as Its Command Channel
  • PyPI Supply Chain Attack Used to Deliver the Payload
  • What You Should Do

The discovery emerged following an investigation into a series of malicious Python packages uploaded to PyPI, the widely used Python Package Index, beginning in July 2025. These packages were meticulously crafted to mimic legitimate development libraries, tricking Python developers into inadvertently installing them. Once executed, the packages silently deployed the ZiChatBot payload onto victims’ systems without triggering immediate alarms.

Analysts at Securelist identified and named the malware after processing samples through their advanced threat analysis pipeline. Their findings confirm ZiChatBot’s cross-platform capabilities, with versions targeting both Windows and Linux environments, indicating a broad potential impact across developer workstations and servers.

Notably, the Kaspersky Threat Attribution Engine revealed a 64% code similarity between the ZiChatBot dropper and a dropper previously linked to the notorious OceanLotus APT group. OceanLotus, also known as APT32, is a sophisticated threat actor historically active in the Asia-Pacific region. However, recent campaigns suggest an expansion of their operational scope, including activities in the Middle East and now a global supply chain attack via PyPI, signaling a strategic shift towards leveraging trusted public platforms to broaden their reach.

ZiChatBot Malware Uses Zulip REST APIs as Its Command Channel

Although the malicious PyPI packages have since been removed and the specific Zulip organization used by the attackers has been deactivated, researchers caution that already-compromised systems may still attempt to communicate with the defunct Zulip endpoint. This underscores the critical need for thorough remediation on any potentially infected machines.

ZiChatBot’s C2 mechanism is particularly ingenious, routing all command and control traffic through Zulip’s public REST API. This method avoids direct communication with a suspicious, attacker-controlled server, allowing malware traffic to appear as routine Zulip activity. Authentication for these communications is achieved via an API token embedded within each HTTP request header.

The malware operates by utilizing two distinct channel-topic pairs within the Zulip platform. One pair is dedicated to exfiltrating basic system information from the compromised machine to the attackers. The second pair is used by the attackers to transmit shellcode, which ZiChatBot then executes within a new thread. Upon successful command execution, the malware sends a heart emoji back into the chat, a subtle signal designed to further camouflage its malicious operations as benign chat interactions.

On Windows systems, ZiChatBot manifests as a DLL file named libcef.dll, loaded by the legitimate executable vcpktsvr.exe. It establishes persistence by creating an auto-run entry in the Windows Registry, ensuring it restarts with each user login. For Linux targets, the payload resides at /tmp/obsHub/obs-check-update and maintains persistence through a crontab entry.

PyPI Supply Chain Attack Used to Deliver the Payload

The initial infection vector involved three deceptive Python libraries uploaded to PyPI. These packages, named uuid32-utils, colorinal, and termncolor, were designed to closely resemble legitimate development tools and appeared harmless based on their descriptions. Each package contained a dropper that silently extracted and installed ZiChatBot during the standard library import process.

The termncolor package employed an especially stealthy tactic: it did not contain malicious code itself but listed the malicious colorinal package as a dependency. Consequently, any developer installing termncolor would unknowingly trigger the full infection chain. This multi-layered approach made the attack significantly more difficult for automated scanning tools that typically focus on surface-level code analysis.

The dropper utilized AES encryption in CBC mode to obscure sensitive strings and embedded payloads. After successfully deploying ZiChatBot, it executed shellcode to self-delete, aiming to erase traces of the initial infection. Researchers recommend adding helper.zulipchat.com to network denylists to identify any systems still attempting to contact the now-deactivated attacker infrastructure.

What You Should Do

  • Review PyPI Dependencies: Audit your project dependencies for the malicious packages (uuid32-utils, colorinal, termncolor) and remove them immediately if found.
  • Network Monitoring: Implement network monitoring to detect and block connections to helper.zulipchat.com. While deactivated, attempts to connect indicate a potentially compromised system.
  • Endpoint Detection & Response (EDR): Ensure EDR solutions are up-to-date and configured to detect unusual process execution, registry modifications (for Windows persistence), and crontab entries (for Linux persistence).
  • Indicators of Compromise (IoCs): Integrate the provided IoCs (file names, hashes, domain, API token) into your security tools (SIEM, EDR, firewalls) for proactive detection and blocking.
  • User Education: Educate developers on the risks of supply chain attacks and the importance of verifying the authenticity and reputation of third-party libraries before integration.

Indicators of Compromise (IoCs):-

Type Indicator Description
File Name termncolor-3.1.0-py3-none-any.whl Malicious PyPI wheel package (termncolor)
File Name uuid32_utils-1.x.x-py3-none-xxxx.whl Malicious PyPI wheel package (uuid32-utils)
File Name colorinal-0.1.7-py3-none-xxxx.whl Malicious PyPI wheel package (colorinal)
File Name terminate.dll ZiChatBot dropper (Windows)
File Name terminate.so ZiChatBot dropper (Linux)
File Name Backward.dll Alternate dropper name (Windows)
File Name Backward.so Alternate dropper name (Linux)
File Name libcef.dll ZiChatBot DLL payload (Windows)
File Name vcpktsvr.exe Legitimate loader executable used by ZiChatBot
Domain helper.zulipchat.com Zulip C2 organization used by attackers (now deactivated)
Hash (SHA256) 5152410aeef667ffaf42d40746af4d840a5a06fa Malicious file hash
Hash (SHA256) 2e74a57fd5ed8e85f04a483ae4a0ad38fd18a0e1 Malicious file hash
Hash (SHA256) 1199d1c52751908b5598baa59c716590d8841c63 Malicious file hash
Hash (SHA256) 12d8349e968782b4feb4236858e3253f77ecf4b0 Malicious file hash
Hash (SHA256) b55b6e364be44f27e3fecdce5ad69eca02f47015 Malicious file hash
Hash (SHA256) 59fc40067e69bb426776a54fe200f2f6a2120286 Malicious file hash
Hash (SHA256) f9056743bc94a49d22538214a3c917ff3b13a9e2 Malicious file hash
Hash (SHA256) 035ca521ba2f1868f2af9e191ebf47a5fab5cbabc Malicious file hash
Hash (SHA256) 33782c94c29dd268a42cbe03542bca5454b85dc3 Malicious file hash
Hash (SHA256) 2dc8023cd2be04e4501f16afce65c540d8186d95 Malicious file hash
Hash (SHA256) 06e2f84c38a57c4652f4da6c467838957de19eed Malicious file hash
Hash (SHA256) 40d39da1995682d600e329b7833003a0160925238b75af6cbdb60127decd59140 Malicious file hash
Hash (SHA256) d10640a26019b68ef060e593b8651262cbd0f6 Malicious file hash
Hash (MD5) 48be833b0b0ca1ad3cf99c66dc89c3f4 vcpktsvr.exe (legitimate loader)
Auth Token TW9yaWFuLWJvdEBoZWxwZXIuenVsaXBjaGF0LmNvbTpVOFJFWGxJNktmOHFYQjlyUXpPUEJpSUE0YnJKNThxRw== Zulip API auth token (Base64-encoded, C2 authentication)

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackMalwareSecurityThreat

Share Article

David kimber

David kimber

David is a penetration tester turned security journalist with expertise in mobile security, IoT vulnerabilities, and exploit development. As an OSCP-certified security professional, David brings hands-on technical experience to his reporting on vulnerabilities and security research. His articles often feature detailed technical analysis of exploits and provide actionable defense recommendations. David maintains an active presence in the security research community and has contributed to multiple open-source security tools.

Previous Post

Hugging Face, Clawpack Vulnerabilities Let Attackers Deploy Malware

Next Post

Fake OpenClaw Installer Steals Crypto Wallet and Password Manager Credentials

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Dutch Police Dismantle €100M Investment Fraud Network, 20 Call Centers Shut Down
July 16, 2026
JetBrains Patches 6 Vulnerabilities in TeamCity, YouTrack, IntelliJ IDEA
July 16, 2026
WhatsApp GhostPairing Flaw Lets Attackers Hijack Accounts
July 16, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Emy Elsamnoudy
Emy Elsamnoudy
Jennifer sherman
Jennifer sherman
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us