Zscaler’s ThreatLabz team has issued a warning after uncovering a malicious Python package on the Python Package Index (PyPI) that serves as the first stage of a sophisticated, multi-stage malware operation. The discovery once again highlights the growing risk of software supply chain attacks targeting developers and enterprises alike.
On July 22, 2025, Zscaler ThreatLabz detected a suspicious package named termncolor, which appeared to be a harmless utility for adding color support in Python terminals. However, investigators found that the package secretly imported a malicious dependency called colorinal.
As the report explains: “While termncolor functions as a color utility for Python without displaying any malicious behavior, the inclusion of its external dependency, colorinal, raises concerns.”
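The point of the termncolor case is that the package itself looks clean and the harm arrives through a dependency that `pip install` resolves automatically. The following is an added example (not code from Zscaler or from either package) of the check a team can run before installing: read the `Requires-Dist` lines from a package's METADATA file and flag any mandatory dependency nobody has reviewed. The METADATA text is constructed for the example; only the package name and the colorinal dependency come from the article, and the version, summary, extras line and allow list are made up.

```python
"""Audit a package's declared dependencies before installing it.

Added example, not code from Zscaler or the termncolor package. It parses the
Requires-Dist fields of a wheel/sdist METADATA file (PEP 566 format) and flags
any mandatory dependency that is not on a reviewed allow list, so a transitive
dependency like colorinal is visible before pip resolves and runs it.
"""
import email
import re

# Constructed sample METADATA. Only the package name and the colorinal dependency
# come from the article; version, summary and the extras line are made up so the
# parser has a platform-conditional and an optional dependency to classify.
SAMPLE_METADATA = """\
Metadata-Version: 2.1
Name: termncolor
Version: 0.0.0
Summary: Terminal color helpers (constructed sample)
Requires-Python: >=3.8
Requires-Dist: colorinal
Requires-Dist: colorama>=0.4 ; sys_platform == "win32"
Requires-Dist: pytest>=7 ; extra == "dev"
"""

# Dependencies the team has already reviewed (assumed). Anything else is reported.
ALLOWLIST = {"colorama", "pytest"}

_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")
_EXTRA_RE = re.compile(r"\bextra\s*==")


def normalize(name: str) -> str:
    """PEP 503 normalization so 'Foo_Bar' and 'foo-bar' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requires_dist(metadata_text: str) -> list:
    """Return one dict per Requires-Dist line: normalized name, raw text, optional flag."""
    msg = email.message_from_string(metadata_text)  # METADATA is RFC 822 style
    deps = []
    for raw in msg.get_all("Requires-Dist") or []:
        req, _, marker = raw.partition(";")
        match = _NAME_RE.match(req)
        if not match:
            continue  # malformed line; real tooling should reject the package here
        deps.append({
            "name": normalize(match.group(1)),
            "raw": raw.strip(),
            # 'extra ==' markers only install with pip install pkg[extra]; every
            # other Requires-Dist is pulled in by a plain `pip install pkg`.
            "optional": bool(_EXTRA_RE.search(marker)),
        })
    return deps


def audit_dependencies(metadata_text: str, allowlist: set) -> list:
    """Sorted names of mandatory dependencies that are not on the allow list."""
    allowed = {normalize(n) for n in allowlist}
    unexpected = {d["name"] for d in parse_requires_dist(metadata_text)
                  if not d["optional"] and d["name"] not in allowed}
    return sorted(unexpected)


if __name__ == "__main__":
    for dep in parse_requires_dist(SAMPLE_METADATA):
        kind = "optional" if dep["optional"] else "mandatory"
        print(f"{kind:9} {dep['raw']}")
    flagged = audit_dependencies(SAMPLE_METADATA, ALLOWLIST)
    print("unreviewed mandatory dependencies:", flagged or "none")
```

For a real package, fetch the archive without installing it, for example `pip download --no-deps --only-binary :all: <package>`, and read `*.dist-info/METADATA` out of the wheel; avoiding an sdist matters because building one executes its setup code. The check inspects one level, so apply it again to each flagged dependency: in this case colorinal, not termncolor, is where the payload lived.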
The investigation found that the malware combined DLL sideloading, AES-encrypted payloads, registry persistence, and covert C2 communication, giving the attackers remote access and code execution on infected systems.
Key technical findings include:
- Malicious DLL Deployment: The dependency loaded a file called terminate.dll, which “employs AES in CBC mode to decrypt and execute the hidden payload.”
- Stealthy File Drops: The malware dropped a legitimate signed executable (vcpktsvr.exe) together with a malicious DLL (libcef.dll) that the executable loads, so the attacker’s code runs under a trusted, signed process (the DLL sideloading noted above).
- Persistence Mechanism: A registry entry named pkt-update was created under the Windows Run key so the malware relaunches at every user logon.
- Linux Variant: ThreatLabz also identified a Linux version of the malware (terminate.so), confirming that attackers were targeting multiple operating systems.
Once deployed, the malware’s second stage focused on system reconnaissance and C2 communication. According to Zscaler, “libcef.dll collects system information and communicates with the command-and-control (C2) server using Zulip traffic patterns to disguise its activity.”
By mimicking the messaging patterns of the Zulip chat platform, the attackers were able to blend malicious communications with legitimate traffic, making detection far more challenging.
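Because the C2 channel rides on a legitimate SaaS platform, the hunt is less about blocking a domain and more about asking which hosts talk to Zulip’s API and how. The following is an added example (not code from the Zscaler report or the malware) that groups Zulip REST API calls per source host in proxy logs and flags hosts that are not expected Zulip users or that use a scripted client. The API paths are from Zulip’s published REST API, not from the report, which does not list the endpoints the malware used; the `ZulipPython/` User-Agent is what the official Python client sends by default (an assumption about the client, consistent with the report’s note that the actor relied on Python APIs); the log lines, log format, hostnames, IP addresses and expected-host inventory are constructed.

```python
"""Hunt for Zulip API traffic from hosts that have no business using Zulip.

Added example, not from the Zscaler report or the malware. The report says the
second stage disguises C2 as Zulip traffic; it does not list endpoints. Paths
below are Zulip's public REST API, and the "ZulipPython/" User-Agent is assumed
to be the official Python client's default (assumption, not from the report).
"""
from collections import defaultdict
import re

# Zulip REST endpoints a bot touches: send/read messages, register an event
# queue, and long-poll it for new events. Paths from Zulip's published API.
ZULIP_API_PATHS = ("/api/v1/messages", "/api/v1/register", "/api/v1/events")

# Hosts whose users legitimately use Zulip (assumed inventory for this example).
EXPECTED_ZULIP_HOSTS = {"10.0.0.9"}

# Constructed proxy log: timestamp, source IP, method, destination host, path, user agent.
SAMPLE_LOG = """\
2025-07-22T09:00:01Z 10.0.0.9 GET  example.zulipchat.com /api/v1/events?queue_id=1 Mozilla/5.0 (Windows NT 10.0) Chrome/126.0
2025-07-22T09:00:02Z 10.0.0.5 POST example.zulipchat.com /api/v1/register ZulipPython/0.9.0 (Windows; 10.0.19045)
2025-07-22T09:00:03Z 10.0.0.5 GET  example.zulipchat.com /api/v1/events?queue_id=7 ZulipPython/0.9.0 (Windows; 10.0.19045)
2025-07-22T09:00:04Z 10.0.0.5 POST example.zulipchat.com /api/v1/messages ZulipPython/0.9.0 (Windows; 10.0.19045)
2025-07-22T09:00:05Z 10.0.0.7 POST example.zulipchat.com /api/v1/messages Mozilla/5.0 (Windows NT 10.0) Chrome/126.0
2025-07-22T09:00:06Z 10.0.0.5 GET  pypi.org /simple/requests/ pip/24.0
"""

_LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<host>\S+)\s+(?P<path>\S+)\s+(?P<ua>.*)$"
)


def parse_log(text: str) -> list:
    """Parse the constructed proxy lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(_LINE_RE.match, text.splitlines()) if m]


def is_zulip_api(path: str) -> bool:
    """True when the request path (query string ignored) is a Zulip REST endpoint."""
    path = path.split("?", 1)[0]
    return any(path == p or path.startswith(p + "/") for p in ZULIP_API_PATHS)


def hunt_zulip_c2(records: list, expected_hosts: set) -> dict:
    """Group Zulip API calls per source host and explain why each flagged host is suspicious.

    Returns {src_ip: {"requests", "posts", "polls", "reasons"}} for flagged hosts only.
    A host is flagged if it is not an expected Zulip user, or if its traffic comes
    from a scripted client rather than a browser or desktop app.
    """
    per_host = defaultdict(lambda: {"requests": 0, "posts": 0, "polls": 0, "agents": set()})
    for r in records:
        if not is_zulip_api(r["path"]):
            continue
        stats = per_host[r["src"]]
        stats["requests"] += 1
        if r["method"] == "POST" and r["path"].startswith("/api/v1/messages"):
            stats["posts"] += 1   # outbound: beacons or exfiltrated data
        if r["path"].startswith("/api/v1/events"):
            stats["polls"] += 1   # inbound: long-polling for operator commands
        stats["agents"].add(r["ua"].split("/", 1)[0])  # product token before the version

    findings = {}
    for src, stats in per_host.items():
        reasons = []
        if src not in expected_hosts:
            reasons.append("host not expected to use Zulip")
        if "ZulipPython" in stats["agents"]:
            reasons.append("scripted Zulip client, not a browser or desktop app")
        if reasons:
            findings[src] = {"requests": stats["requests"], "posts": stats["posts"],
                             "polls": stats["polls"], "reasons": reasons}
    return findings


if __name__ == "__main__":
    for src, info in hunt_zulip_c2(parse_log(SAMPLE_LOG), EXPECTED_ZULIP_HOSTS).items():
        print(src, info)
```

In production the same grouping would be joined against EDR process data, since a signed helper process such as the one the report describes making Zulip API calls is a stronger signal than the IP alone, and the message volume the report cites suggests a rate threshold is worth adding on top of the host and client checks.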
ThreatLabz traced the infrastructure and observed notable details about the threat actor’s behavior:
- The attacker registered on Zulip using the email symtee@proton.me and user ID 937950.
- Activity showed over 90,000 exchanged messages within the platform, with 100% occurring in private channels.
- The group relied heavily on Python APIs for transmitting data, suggesting an automated infrastructure behind their operations.
Although the C2 panel is currently offline, investigators believe the actor has been active since at least July 10, 2025.
ThreatLabz emphasized: “The termncolor package and its malicious dependency colorinal highlight the importance of monitoring open-source ecosystems for potential supply chain attacks.”
The package has since been removed from PyPI, but the findings serve as a reminder that adversaries are increasingly exploiting trust in public repositories to distribute stealthy, multi-platform malware.