New ZiChatBot Malware Uses Zulip REST APIs as Command and Control Server

A newly discovered malware called ZiChatBot has been found quietly using the REST APIs of a legitimate team chat application called Zulip to receive and carry out commands from its operators.

This approach is unusual because the malware never communicates with a private server that security tools could flag or block, making it harder to detect through standard network monitoring.

The threat was uncovered after a series of malicious Python packages were found on PyPI, the widely used Python Package Index, starting in July 2025. The attacker uploaded packages designed to look like common development libraries, tricking Python developers into installing them.

Once installed, these packages silently dropped the ZiChatBot payload onto the victim’s system without raising obvious alerts.

Analysts at Securelist identified and named the malware after analyzing samples through their threat analysis pipeline. Their research confirmed ZiChatBot targets both Windows and Linux systems, making it a cross-platform threat capable of reaching a wide range of developers and machines.

The Kaspersky Threat Attribution Engine flagged a 64% code similarity between the ZiChatBot dropper and a dropper previously linked to the OceanLotus APT group.

OceanLotus, also known as APT32, is a well-established threat group that has historically focused on targets in the Asia-Pacific region. However, recent activity shows the group pushing beyond its traditional boundaries, including campaigns in the Middle East and now a global supply chain attack through PyPI. This shift reflects a clear effort by the group to broaden its reach by targeting trusted public platforms that developers rely on daily.

ZiChatBot Malware Uses Zulip REST APIs as Its Command Channel

The malicious packages have since been removed from PyPI, and the Zulip organization used by the attackers has been officially deactivated. Still, researchers warn that already-infected systems may still attempt to contact the deactivated Zulip endpoint, meaning cleanup on compromised machines remains critical.

ZiChatBot takes an inventive but dangerous approach to command and control by routing all activity through Zulip’s public REST API. Rather than contacting a suspicious external server, the malware sends HTTP requests to a legitimate service, letting its traffic blend in with normal developer communication. Authentication is handled through an API token embedded within each HTTP request header.

The malware operates through two separate channel-topic pairs within the Zulip platform. One pair sends basic system information about the infected machine back to the attacker. The other retrieves messages containing shellcode, which ZiChatBot executes in a new thread. Once a command runs, the malware replies with a heart emoji in the chat to signal completion, showing how carefully attackers disguised operations as routine activity.

The Windows version of ZiChatBot is a DLL file named libcef.dll, loaded through a legitimate executable called vcpktsvr.exe. It establishes persistence by writing a registry auto-run entry, ensuring it restarts when the user logs in. On Linux, the payload sits at /tmp/obsHub/obs-check-update and uses a crontab entry to keep access alive on the infected system.

PyPI Supply Chain Attack Used to Deliver the Payload

The attack started with three fake Python libraries uploaded to PyPI, each named to closely resemble tools that developers use in everyday projects. The packages, uuid32-utils, colorinal, and termncolor, appeared harmless based on their listed descriptions. In reality, each carried a dropper that silently extracted and installed ZiChatBot during the normal library import process.

The termncolor package was especially deceptive since it contained no obviously malicious code on its own. Instead, it listed the malicious colorinal package as a dependency, so anyone who installed termncolor would unknowingly trigger the full infection chain. This layered method made the attack far less visible to automated tools that only scan surface-level code.

The dropper used AES encryption in CBC mode to hide sensitive strings and embedded payloads. After deploying ZiChatBot, it used shellcode to self-delete, wiping traces of the initial infection. Researchers advise adding helper.zulipchat.com to network denylists to identify any machines still reaching out to the now-deactivated attacker infrastructure.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.