Zscaler ThreatLabz has disclosed a multi-stage supply chain attack delivered through the Python Package Index (PyPI).
The package in question, named “termncolor,” masquerades as a benign color utility for Python terminals but quietly pulls in a malicious dependency named “colorinal.”
This dependency serves as the initial infection vector, triggering a multi-stage malware deployment that leverages DLL sideloading, AES-encrypted payloads, and disguised command-and-control (C2) communications.
The attack chain begins with the execution of “unicode.py” within “colorinal,” which loads an embedded DLL file called “terminate.dll.”
This DLL decrypts and deploys subsequent payloads, ensuring the malware’s stealthy integration into the target system.
Malicious Supply Chain Attack Vector
Notably, both packages have been expunged from PyPI following the discovery, underscoring the ongoing risks in open-source ecosystems where threat actors exploit dependency trees to distribute weaponized code.
The technical dissection reveals that “termncolor” appears innocuous at first inspection, functioning solely as a terminal coloring tool without overt malicious indicators.

termncolor package

However, its reliance on “colorinal” introduces the payload through the “is_color_supported” function in “unicode.py,” which uses ctypes.CDLL to load “terminate.dll” into the Python process.
The DLL is resolved relative to the script’s own location using os.path.dirname(__file__), and the loader then calls an exported function “envir,” passing it the UTF-8 encoded string “xterminalunicode.”
On its face this call looks like a terminal-capability check; in practice it is what starts the decryption of the next stage.
Using AES in CBC mode keyed with that same “xterminalunicode” string, “terminate.dll” decrypts two embedded files: a legitimately signed executable, “vcpktsvr.exe,” and a malicious “libcef.dll.”
Both are written to %LOCALAPPDATA%\vcpacket, where “vcpktsvr.exe” loads the malicious “libcef.dll” via DLL sideloading, so the payload runs under the cover of a signed binary. To reduce its forensic footprint, the malware deletes “unicode.py” and “terminate.dll” once they have done their job.
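The loader pattern described above (a module that builds a path from its own __file__, hands it to ctypes, calls an export, then deletes the file) is easy to spot statically. The following scanner is an added example written for this page; it is not code from the Zscaler report or from either package. The two sample modules are constructed: the names “terminate.dll,” “envir” and “xterminalunicode” come from the article, everything else in them is hypothetical.

```python
"""Static check for a ctypes loader that pulls a native library from the
package's own directory, calls an export on it, and then deletes it.

Added example, not code from the Zscaler report or the packages themselves.
"""
import ast
import os
from dataclasses import dataclass

LOADERS = {"CDLL", "WinDLL", "PyDLL", "OleDLL", "LoadLibrary"}
NATIVE_EXT = (".dll", ".so", ".dylib", ".pyd")

# Constructed sample mirroring the described behaviour (hypothetical module).
CONSTRUCTED_SAMPLE = '''
import ctypes, os

def is_color_supported():
    path = os.path.join(os.path.dirname(__file__), "terminate.dll")
    lib = ctypes.CDLL(path)
    lib.envir("xterminalunicode".encode("utf-8"))
    os.remove(path)
    return True
'''

# Constructed benign sample: loads a system library by name, not a bundled file.
BENIGN_SAMPLE = '''
import ctypes
libc = ctypes.CDLL("libc.so.6")
libc.getpid()
'''


@dataclass
class Finding:
    line: int
    kind: str
    detail: str


def _call_name(call):
    # ctypes.CDLL(...) -> "CDLL"; ctypes.cdll.LoadLibrary(...) -> "LoadLibrary"
    func = call.func
    if isinstance(func, ast.Attribute):
        return func.attr
    if isinstance(func, ast.Name):
        return func.id
    return ""


def scan_source(src):
    """Return Findings for one module's source text, sorted by line."""
    tree = ast.parse(src)
    tainted = set()   # names holding a path derived from __file__
    handles = set()   # names holding a ctypes handle loaded from such a path

    def tainted_expr(node):
        return any(isinstance(n, ast.Name) and (n.id == "__file__" or n.id in tainted)
                   for n in ast.walk(node))

    # Pass 1: propagate taint through simple assignments until nothing changes.
    changed = True
    while changed:
        changed = False
        for node in ast.walk(tree):
            if not (isinstance(node, ast.Assign) and len(node.targets) == 1
                    and isinstance(node.targets[0], ast.Name)):
                continue
            name, value = node.targets[0].id, node.value
            if (isinstance(value, ast.Call) and _call_name(value) in LOADERS
                    and any(tainted_expr(a) for a in value.args)):
                if name not in handles:
                    handles.add(name)
                    changed = True
            elif tainted_expr(value) and name not in tainted:
                tainted.add(name)
                changed = True

    # Pass 2: report loads, export calls and self-deletion tied to that taint.
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        cname = _call_name(node)
        if cname in LOADERS and any(tainted_expr(a) for a in node.args):
            findings.append(Finding(node.lineno, "native-load",
                                    f"{cname}() on a file under the package directory"))
        elif cname in {"remove", "unlink"} and any(tainted_expr(a) for a in node.args):
            findings.append(Finding(node.lineno, "self-delete",
                                    "deletes a file under the package directory"))
        elif (isinstance(node.func, ast.Attribute) and isinstance(node.func.value, ast.Name)
              and node.func.value.id in handles):
            findings.append(Finding(node.lineno, "export-call",
                                    f"calls exported symbol {node.func.attr!r} on a bundled library"))
    return sorted(findings, key=lambda f: f.line)


def scan_package(root):
    """Walk an unpacked package: scan each .py module and list bundled native binaries."""
    findings, native = [], []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            if fn.endswith(".py"):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    try:
                        findings += [(path, f) for f in scan_source(fh.read())]
                    except SyntaxError:
                        pass
            elif fn.lower().endswith(NATIVE_EXT):
                native.append(path)
    return findings, native


if __name__ == "__main__":
    for f in scan_source(CONSTRUCTED_SAMPLE):
        print(f"line {f.line}: {f.kind}: {f.detail}")
```

Run scan_package on an unpacked wheel (pip download followed by unzip) before installing it; a pure-Python package that ships a .dll or .so next to a module that loads it from __file__ deserves a manual look, and the export-call and self-delete findings together are the shape of the colorinal loader.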
Multi-Stage Execution
Advancing to the second stage, “libcef.dll” orchestrates system reconnaissance by harvesting details such as computer name, username, and OS version, which are formatted and transmitted to a C2 server via HTTPS.
The communication mimics legitimate Zulip messaging patterns, blending into benign traffic to avoid network-based detection.
Persistence is achieved through a Run key entry: the malware creates a value named “pkt-update” under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run that launches “vcpktsvr.exe” (and with it the sideloaded “libcef.dll”) at every logon of that user.
To complicate static analysis, the payload does not import the Windows APIs it needs by name. It resolves them at runtime by comparing hashes computed with a lightweight custom routine that combines the ASCII values of the DLL and function names using multiplication and bitwise operations, so neither the DLL names nor the API names appear as plain strings in the binary.
The threat extends to cross-platform capabilities, with a Linux variant employing “terminate.so” as a shared object file to replicate the Windows functionality.
Threat actor profiling via Zulip analytics indicates operations commencing around July 10, 2025, involving an email “[email protected]” and user ID 937950, with heavy Python API usage for message transmission.
Activity peaked in late July, encompassing 90,692 messages across private channels, though the C2 infrastructure is now offline.
According to the report, Zscaler’s defenses, including the Cloud Sandbox, detect related indicators under threat names like Python.Backdoor.PyPI and Win64.Backdoor.Xterminal, providing multilayered protection against such intrusions.
This incident exemplifies the evolving sophistication of supply chain threats, where an innocuous-looking dependency is used to decrypt, sideload, and execute a backdoor, emphasizing the need for rigorous package vetting and runtime monitoring in development pipelines.
Indicators of Compromise (IOCs)

| MD5 | Name |
|---|---|
| 381022e5fd0cede7146f9922e1ed30a3 | libcef.dll |
| 9267d9a72207df3217014f206ba18560 | vcpktsvr.exe |
| 1995682d600e329b7833003a01609252 | terminate.dll |
| c5f0425dabd01d7ba80dfc3d5ca19841 | colorinal package (.whl, PyPI) |
| 7857238199018edc0ad7cd4d851c5a9b | termncolor package (.whl, PyPI) |
| 5152410aeef667ffaf42d40746af4d84 | Linux Python package |
| 38b75af6cbdb60127decd59140d10640 | terminal.so |
| db69c6bfbf6575e0d887351265165e6e | Malicious ELF backdoor |

C2 domain: helper.zulpichat.com
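The host-side artifacts named in this article (the “pkt-update” Run value, the staged binaries under %LOCALAPPDATA%\vcpacket, the MD5s in the IOC table, and the C2 domain) can be swept with a short script. The one below is an added example for this page, not tooling from Zscaler or the article. The registry read only runs on Windows; the matching functions take plain data, and the Run key entries and proxy log lines embedded in it are constructed samples, not data from a real host.

```python
"""Host and proxy-log sweep for the termncolor/colorinal indicators.

Added example, not tooling from the Zscaler report. Checks the HKCU Run value
"pkt-update" launching vcpktsvr.exe from %LOCALAPPDATA%\\vcpacket, the MD5
hashes from the IOC table, and the C2 domain in proxy log lines.
"""
import hashlib
import os
import sys

IOC_MD5 = {
    "381022e5fd0cede7146f9922e1ed30a3": "libcef.dll",
    "9267d9a72207df3217014f206ba18560": "vcpktsvr.exe",
    "1995682d600e329b7833003a01609252": "terminate.dll",
    "c5f0425dabd01d7ba80dfc3d5ca19841": "colorinal package (.whl)",
    "7857238199018edc0ad7cd4d851c5a9b": "termncolor package (.whl)",
    "5152410aeef667ffaf42d40746af4d84": "Linux Python package",
    "38b75af6cbdb60127decd59140d10640": "terminal.so",
    "db69c6bfbf6575e0d887351265165e6e": "Malicious ELF backdoor",
}
C2_HOST = "helper.zulpichat.com"
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "pkt-update"
STAGED_BINARY = "vcpktsvr.exe"
STAGED_DIR = "vcpacket"

# Constructed sample data (hypothetical host "dev-laptop"), not from a real system.
CONSTRUCTED_RUN_ENTRIES = [
    ("OneDrive", r"C:\Users\dev\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    ("pkt-update", r"C:\Users\dev\AppData\Local\vcpacket\vcpktsvr.exe"),
    ("Updater", r"C:\Users\dev\AppData\Local\vcpacket\vcpktsvr.exe --quiet"),
]
CONSTRUCTED_PROXY_LOG = [
    "2025-07-15T10:01:02Z dev-laptop CONNECT api.github.com:443 200",
    "2025-07-15T10:01:09Z dev-laptop CONNECT helper.zulpichat.com:443 200",
    "2025-07-15T10:02:11Z dev-laptop CONNECT pypi.org:443 200",
]


def match_run_entries(entries):
    """entries: (value_name, command) pairs. Flags the known value name, or any
    command that launches the staged binary from the staging directory."""
    hits = []
    for name, cmd in entries:
        low = cmd.lower()
        if name.lower() == RUN_VALUE or (STAGED_BINARY in low and STAGED_DIR in low):
            hits.append((name, cmd))
    return hits


def read_run_entries():
    """Enumerate HKCU\\...\\Run on Windows; returns [] on other platforms."""
    if not sys.platform.startswith("win"):
        return []
    import winreg
    entries = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:
                break
            entries.append((name, str(value)))
            index += 1
    return entries


def md5_of(path):
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def lookup_md5(hexdigest):
    """Map an MD5 hex digest to the IOC name, or None if it is not in the table."""
    return IOC_MD5.get(hexdigest.lower())


def scan_tree(root):
    """Hash every file under root and return (path, ioc_name) for table matches."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                name = lookup_md5(md5_of(path))
            except OSError:
                continue
            if name:
                hits.append((path, name))
    return hits


def match_c2_lines(lines):
    """Return (line_number, line) for proxy/DNS log lines mentioning the C2 host."""
    return [(n, line) for n, line in enumerate(lines, 1) if C2_HOST in line.lower()]


if __name__ == "__main__":
    entries = read_run_entries() or CONSTRUCTED_RUN_ENTRIES
    print("Run key hits:", match_run_entries(entries))
    local = os.environ.get("LOCALAPPDATA")
    if local and os.path.isdir(os.path.join(local, STAGED_DIR)):
        print("Hash hits:", scan_tree(os.path.join(local, STAGED_DIR)))
    print("Proxy hits:", match_c2_lines(CONSTRUCTED_PROXY_LOG))
```

Because the loader deletes “unicode.py” and “terminate.dll” after use, the absence of those two hashes on disk says little; the Run value, the vcpacket directory and outbound connections to the C2 domain are the durable signals.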