Weaponized Python Package Termncolor Attacking Leverages Windows Run Key to Maintain Persistence

A sophisticated supply chain attack targeting Python developers has emerged through a seemingly innocuous package named termncolor, which conceals a multi-stage malware operation designed to establish persistent access on compromised systems.

The malicious package, distributed through the Python Package Index (PyPI), masquerades as a legitimate terminal color utility while secretly deploying advanced backdoor capabilities that leverage DLL sideloading techniques and Windows registry manipulation for persistence.

The attack begins when unsuspecting developers install the termncolor package, which automatically imports its malicious dependency, colorinal.

This secondary package serves as the true entry point for the attack chain, employing a carefully orchestrated series of operations that culminate in remote code execution and system compromise.

Figure: The attack chain (Source – Zscaler)

The malware’s design demonstrates sophisticated evasion techniques, including the use of legitimate-looking components and encrypted payloads to avoid detection by traditional security tools.

Zscaler researchers identified the malicious package on July 22, 2025, during routine monitoring of their Python package scanning database.

The discovery revealed a complex attack infrastructure that extends beyond simple backdoor functionality, incorporating advanced command-and-control communication patterns that mimic legitimate messaging platforms to disguise malicious traffic.

The researchers noted that both termncolor and colorinal have since been removed from PyPI, though the threat demonstrates the ongoing risks associated with open-source software supply chain attacks.

The malware’s impact extends across both Windows and Linux environments, with specialized variants tailored for each operating system.

The attack’s sophistication lies in its multi-layered approach, combining social engineering tactics with technical precision to achieve its objectives.

Initial infections may appear benign, as the color utility functions normally while the malicious components operate silently in the background, making detection particularly challenging for organizations relying on automated scanning tools alone.

Persistence Mechanism and Registry Manipulation

The most critical aspect of this malware’s operation centers on its sophisticated persistence mechanism, which ensures continued system access even after restarts.

Once the initial colorinal package executes, it triggers the unicode.py file, which loads an embedded DLL called terminate.dll into memory.

This DLL serves as the primary dropper component, utilizing AES encryption in CBC mode to decrypt and deploy two key files onto the target system.

The persistence strategy employs a classic Windows registry modification technique, creating an entry named “pkt-update” under the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run registry key.

This entry points to vcpktsvr.exe, a legitimately signed executable that the malware drops into the %LOCALAPPDATA%\vcpacket directory. The use of a signed executable provides an additional layer of legitimacy that helps evade security scrutiny.

The malware’s true payload resides in libcef.dll, which accompanies vcpktsvr.exe and executes through DLL sideloading.

This technique exploits the Windows DLL search order: because the loader resolves a library name from the application’s own directory before system locations, the malicious libcef.dll placed next to vcpktsvr.exe is loaded in place of the genuine component, and the signed host process carries the backdoor every time the Run entry fires.

The libcef.dll component handles system reconnaissance and command-and-control communications, using the Zulip messaging platform to disguise its network traffic as legitimate team communications.
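As an added defensive example (not code from the article or from Zscaler), the following Python audits a `.reg` export of the HKCU Run key for the persistence entry described above. It flags the “pkt-update” name, the vcpktsvr.exe binary and the vcpacket drop directory as high severity, and marks any other entry launched from a user-writable profile directory for review; the sample export and the user name `alice` are constructed for the demonstration.

```python
import re

# Registry-observable indicators from the write-up above: Run value name and drop directory
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
KNOWN_IOCS = ("pkt-update", "vcpktsvr.exe", "\\vcpacket\\")
# A .reg string value line looks like "name"="value", with \\ and \" escapes inside
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def _executable(command: str) -> str:
    """Strip surrounding quotes and trailing arguments, keeping only the program path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]

def classify(name: str, command: str) -> str:
    """'high' = matches the termncolor persistence entry, 'review' = launched from a user-writable directory."""
    exe = _executable(command)
    haystack = f"{name} {exe}".lower()
    if any(ioc in haystack for ioc in KNOWN_IOCS):
        return "high"
    if re.search(r"\\appdata\\|\\temp\\", exe.lower()):
        return "review"
    return "ok"

def parse_run_key(reg_export: str) -> list[tuple[str, str, str]]:
    """Return (value name, executable path, severity) for each entry under the HKCU Run key."""
    findings, in_run_key = [], False
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("["):  # key header: only values under the Run key are inspected
            in_run_key = line.strip("[]").lower() == RUN_KEY.lower()
            continue
        m = _VALUE_RE.match(line) if in_run_key else None
        if m:
            name, command = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())  # undo .reg escaping
            findings.append((name, _executable(command), classify(name, command)))
    return findings

# Constructed sample export (not a real capture): a benign AppData entry, the malicious one,
# and an unrelated key that must be ignored.
SAMPLE_EXPORT = r'''[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"pkt-update"="C:\\Users\\alice\\AppData\\Local\\vcpacket\\vcpktsvr.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00
'''
```

A real export is produced with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` on the host; a high-severity hit should be followed by checking for libcef.dll beside the flagged executable on disk, which the registry alone cannot show.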


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.