Zscaler ThreatLabz discovered a malicious PyPI package chain where termncolor imported a Trojanized dependency, colorinal, which loaded terminate.dll/terminate.so to decrypt and drop a signed executable (vcpktsvr.exe) and a malicious DLL (libcef.dll) that performs system discovery and C2 via Zulip-like traffic. The operation uses AES-CBC decryption, DLL sideloading for execution and persistence via a Run registry entry, and associated artifacts have been removed from PyPI. #termncolor #colorinal
Keypoints
- termncolor on PyPI imported a malicious dependency colorinal that contained unicode.py which loads an embedded DLL (terminate.dll / terminate.so).
- terminate.dll decrypts an embedded payload using AES-CBC with a UTF-8 key and drops vcpktsvr.exe (signed) and libcef.dll into %LOCALAPPDATA%\vcpacket.
- libcef.dll performs system information discovery and communicates with a C2 server using traffic patterns mimicking the Zulip messaging platform.
- Persistence is achieved by creating a Run key value named pkt-update under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run pointing to vcpktsvr.exe.
- The malware includes a Linux variant (terminate.so) performing equivalent functionality on Unix-like systems.
- Threat actors used a custom API hashing algorithm to resolve APIs and execute shellcode retrieved from the C2 channel.
- Artifacts and malicious packages identified by ThreatLabz have been removed from PyPI; Zscaler detects related indicators across its platform.
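The delivery pattern above (a pure-Python-looking package that bundles terminate.dll / terminate.so and loads it from unicode.py via ctypes) can be triaged statically before installation. The following is an added example, not code from the Zscaler report; the wheel contents it builds are constructed to mimic the reported layout, and the names triage_wheel, build_sample_wheel and build_benign_wheel are this example's own.

```python
"""Static triage of a PyPI wheel: flag packages that ship native libraries
and load them from Python source via ctypes. Added example; sample wheels
below are constructed, not the real termncolor/colorinal artifacts."""
import io
import re
import zipfile

NATIVE_SUFFIXES = (".dll", ".so", ".pyd", ".dylib")
# ctypes loader idioms that should not appear in a terminal-color library.
LOADER_PATTERN = re.compile(r"ctypes\.(CDLL|WinDLL|cdll|windll)\b")


def triage_wheel(wheel_bytes: bytes) -> dict:
    """Return bundled native files, .py members that load them, and a verdict."""
    findings = {"native_files": [], "loaders": []}
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        for name in zf.namelist():
            if name.lower().endswith(NATIVE_SUFFIXES):
                findings["native_files"].append(name)
            elif name.endswith(".py"):
                src = zf.read(name).decode("utf-8", errors="replace")
                for m in LOADER_PATTERN.finditer(src):
                    findings["loaders"].append((name, m.group(0)))
    # Native code plus an in-package ctypes loader is the combination to review.
    findings["suspicious"] = bool(findings["native_files"]) and bool(findings["loaders"])
    return findings


def build_sample_wheel() -> bytes:
    """Constructed wheel resembling the reported colorinal layout (placeholder bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("colorinal/__init__.py", "from . import unicode\n")
        zf.writestr("colorinal/unicode.py",
                    "import ctypes, os\n"
                    "_lib = ctypes.CDLL(os.path.join(os.path.dirname(__file__), "
                    "'terminate.so'))\n")
        zf.writestr("colorinal/terminate.dll", b"MZ" + b"\x00" * 16)   # placeholder
        zf.writestr("colorinal/terminate.so", b"\x7fELF" + b"\x00" * 16)  # placeholder
    return buf.getvalue()


def build_benign_wheel() -> bytes:
    """Constructed pure-Python wheel with no native payload, for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("colors/__init__.py", "RED = '\\033[31m'\nRESET = '\\033[0m'\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_wheel(build_sample_wheel()))
```

The same function can be pointed at a downloaded .whl file (it is a zip archive) to review a dependency before it is installed into an environment that would execute its import-time code.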
MITRE Techniques
- [T1059] Dynamic Code Execution – Executes code dynamically within memory to evade security mechanisms. Quote: ‘Executes code dynamically within memory to evade security mechanisms’
- [T1073] DLL Sideloading – Loads malicious DLLs to execute arbitrary code in place of legitimate functions (vcpktsvr.exe used for sideloading libcef.dll). Quote: ‘Loads malicious DLLs to execute arbitrary code in the place of legitimate functions.’
- [T1071] Application Layer Protocol – Uses distorted API calls via Zulip-style communication to a remote C2 server to disguise C2 traffic. Quote: ‘Distorted API Calls via Zulip-style Communication to Remote C2 Server’
- [T1082] System Information Discovery – Gathers computer name, username, OS version and other system details for profiling. Quote: ‘Gathers detailed system information such as computer name, user name, OS version, and hardware IDs.’
- [T1085] Rundll32 – Leverages legitimate execution mechanisms (e.g., rundll32) to execute malicious code. Quote: ‘Uses the legitimate Rundll32 program to execute malicious code.’
Indicators of Compromise
- [File Hash] Malicious DLL/executables – libcef.dll (MD5: 381022e5fd0cede7146f9922e1ed30a3), vcpktsvr.exe (MD5: 9267d9a72207df3217014f206ba18560)
- [File Hash] Dropper/loader – terminate.dll (MD5: 1995682d600e329b7833003a01609252) and Linux terminate.so (MD5: 7857238199018edc0ad7cd4d851c5a9b)
- [Package] Malicious PyPI wheels – colorinal (.whl) (MD5: c5f0425dabd01d7ba80dfc3d5ca19841), termncolor (.whl) (MD5: 5152410aeef667ffaf42d40746af4d84)
- [File Hash] Malicious ELF backdoor – MD5: 38b75af6cbdb60127decd59140d10640 and additional ELF hash db69c6bfbf6575e0d887351265165e6e