ZiChatBot Malware Spreads via PyPI Packages Using Zulip C2
Three PyPI packages deliver ZiChatBot malware on Windows and Linux using Zulip chat APIs for stealthy C2 — Kaspersky identifies 12+ victim organizations globally.

Executive Summary
Kaspersky researchers have identified three malicious packages on the Python Package Index (PyPI) repository that deliver a previously undocumented malware family dubbed ZiChatBot. The packages — which masquerade as legitimate tools for file conversion, PDF processing, and system utilities — deploy a Python-based backdoor that uses Zulip chat APIs for command-and-control (C2) communication. According to Kaspersky's analysis, the campaign has compromised at least 12 organizations across technology, finance, and education sectors globally, with infections confirmed on both Windows and Linux systems. The discovery highlights an emerging trend of threat actors abusing legitimate collaboration platforms to evade network detection.
Technical Analysis
The three PyPI packages — pdf-converter-tool, file-utils-pro, and sys-info-collector — were uploaded between March and April 2026 and collectively accumulated over 5,000 downloads before Kaspersky reported them to PyPI administrators. Each package contains legitimate functional code alongside obfuscated Python scripts that execute during installation via the setup.py hook, a technique documented by MITRE as T1195.001 (Supply Chain Compromise).
Upon execution, the malware drops a Python payload that establishes persistence through a scheduled task on Windows and a cron job on Linux (T1547.001). The backdoor then connects to a dedicated Zulip organization (zichatbot.zulipchat.com) using API credentials hardcoded in the payload. Zulip's streaming API allows ZiChatBot to receive commands and exfiltrate data through what appears to be benign chat traffic, making detection by traditional network monitoring tools significantly harder, according to Kaspersky's report.
ZiChatBot supports a range of commands including file upload/download, shell execution, process enumeration, and credential harvesting from browser stores. The malware uses AES-256 encryption for its payload staging and RC4 for C2 channel obfuscation. Kaspersky noted that the code quality suggests a moderately skilled developer, with some reusable modules shared across the three packages. The malware does not appear to use any zero-day exploits; it relies entirely on the user voluntarily installing the malicious PyPI packages.
Indicators of Compromise
Kaspersky published SHA-256 hashes for the three malicious wheel packages and the associated Zulip domain. The IOCs below are drawn directly from their public disclosure. Defenders should also monitor for outbound connections to zichatbot.zulipchat.com and api.zulip.com on port 443, as these are the primary C2 endpoints.
Tactics, Techniques & Procedures
ZiChatBot's operational flow follows a repeatable pattern: initial access via PyPI supply chain (T1195.001), execution through Python interpreter (T1059.006), persistence via scheduled tasks/cron (T1547.001), defense evasion through code obfuscation and legitimate service abuse (T1027.002), and C2 via Zulip's web service API (T1102.002). The use of a legitimate collaboration platform for C2 is a notable evolution from traditional HTTP/S or DNS tunneling, as Zulip traffic is less likely to trigger alerts in environments where such tools are whitelisted.
Threat Actor Context
Kaspersky has not attributed ZiChatBot to any known threat actor or group. The malware's operational security — including the use of a dedicated Zulip organization and encrypted payloads — suggests a financially motivated actor, but the researchers explicitly state that attribution remains uncertain. The campaign's relatively low download count and lack of sophisticated evasion techniques may indicate a smaller-scale operation rather than a state-sponsored effort.
Mitigations & Recommendations
Organizations using PyPI should implement package integrity verification and restrict installation to curated internal repositories where possible. Defenders should monitor for unexpected outbound connections to Zulip or similar collaboration platforms, particularly from systems that do not legitimately use those services. The three malicious packages have been removed from PyPI, but Kaspersky warns that identical or variant packages may reappear under different names. Security teams should also review any systems that installed these packages between March and May 2026 and conduct forensic analysis for signs of credential theft or lateral movement.
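As an added example (not code from the article or from Kaspersky's report), the following Python script implements the two checks recommended above: it scans a `pip freeze` listing for the three disclosed package names, and flags connections to Zulip hosts in proxy logs that come from machines not on a list of sanctioned Zulip users. The proxy-log layout, host names and the sample inputs are assumed and constructed for illustration.

```python
import re

# Package names and C2 hosts as named in the article; sample data below is constructed.
MALICIOUS_PACKAGES = {"pdf-converter-tool", "file-utils-pro", "sys-info-collector"}

def normalise(name: str) -> str:
    """pip treats names case-insensitively and folds '_' and '.' to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def find_malicious_packages(pip_freeze_output: str) -> list[str]:
    """Return installed packages matching the disclosed names (pip freeze input)."""
    hits = []
    for line in pip_freeze_output.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name = normalise(re.split(r"[=<>!~ @]", line, maxsplit=1)[0])
        if name in MALICIOUS_PACKAGES:
            hits.append(name)
    return sorted(hits)

def is_zulip_host(host: str) -> bool:
    host = host.lower()
    return host.endswith(".zulipchat.com") or host == "api.zulip.com"

# Assumed proxy-log layout: "<timestamp> <src_host> <dst_host>:<port> <bytes>"
LOG_RE = re.compile(r"^\S+\s+(?P<src>\S+)\s+(?P<dst>[^:\s]+):(?P<port>\d+)\s+\d+$")

def flag_unexpected_zulip(log_text: str, allowed_hosts: set[str]) -> list[tuple[str, str]]:
    """Return (src_host, dst_host) for Zulip connections from hosts not expected to use Zulip."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_zulip_host(m.group("dst")) and m.group("src") not in allowed_hosts:
            findings.append((m.group("src"), m.group("dst").lower()))
    return findings

# Constructed sample inputs for a stand-alone run.
SAMPLE_FREEZE = "requests==2.31.0\nPDF_Converter_Tool==1.0.2\nnumpy==1.26.4\n"
SAMPLE_LOG = (
    "2026-04-02T10:00:01Z build-srv-01 zichatbot.zulipchat.com:443 5120\n"
    "2026-04-02T10:00:05Z laptop-alice corp.zulipchat.com:443 800\n"
    "2026-04-02T10:01:00Z build-srv-01 pypi.org:443 20000\n"
)
ALLOWED_ZULIP_HOSTS = {"laptop-alice"}  # hosts with a sanctioned Zulip client

if __name__ == "__main__":
    print(find_malicious_packages(SAMPLE_FREEZE))
    print(flag_unexpected_zulip(SAMPLE_LOG, ALLOWED_ZULIP_HOSTS))
```

Feed it real `pip freeze` output and your proxy export (after adapting `LOG_RE` to your log format) to triage hosts for the follow-up forensic review the article recommends.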
