Supply Chain Risk in Python: Termcolor and Colorama Explained
Aug. 18, 2025, 4:42 p.m.
Description
A suspicious Python package named termncolor was found that declares a dependency on colorinal, the package that actually carries the malicious code; both names are near-misses of the legitimate termcolor and colorama. The operation is multi-stage: it uses DLL sideloading, decrypts further payloads, establishes persistence, and talks to a command-and-control server, ending in remote code execution on the victim host. Execution begins with terminate.dll, which decrypts and drops two files, vcpktsvr.exe and libcef.dll (libcef.dll is the file name of the Chromium Embedded Framework library, so the name alone looks benign). The malware persists through a registry entry and collects system information, and its C2 traffic is shaped to resemble Zulip chat traffic. The threat actor's profile and activity on the Zulip platform were also analyzed, revealing patterns in their tactics and behavior.
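The two names in this report are one letter and one stem away from packages a developer would type every day, which is the check worth automating before `pip install` runs. The script below is an added example, not code from the report or from any of the packages it names: it parses requirements.txt-style text, normalizes names the way PEP 503 does, and flags anything within a small edit distance of an allow-listed name or reusing its leading stem. The allow-list KNOWN_GOOD and the SAMPLE_REQUIREMENTS text are constructed for illustration; only termncolor and colorinal come from the report.

```python
"""Heuristic typosquat check for a requirements file.

Added example, not code from the original report or from any of the
packages it names. KNOWN_GOOD and SAMPLE_REQUIREMENTS are constructed for
illustration; the two package names from the report (termncolor, colorinal)
are the inputs the check should catch.
"""
import os
import re

# Constructed allow-list of names this project legitimately depends on.
KNOWN_GOOD = ["termcolor", "colorama", "requests", "numpy", "urllib3"]

# Constructed requirements text; the suspicious names come from the report.
SAMPLE_REQUIREMENTS = """\
# pinned dependencies
requests==2.32.3
requests-oauthlib==2.0.0
termncolor
colorinal>=0.1
numpy~=1.26
"""

MAX_EDITS = 2   # flag names within this Levenshtein distance of a known name
MIN_STEM = 5    # ... or that reuse at least this many leading characters

_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name):
    """PEP 503 name normalization: lowercase, runs of '-', '_', '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a, b):
    """Plain edit distance (insert, delete, substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def parse_requirements(text):
    """Return normalized package names from requirements.txt-style text.

    Only the name is extracted; version specifiers, comments and option
    lines such as '-r other.txt' are ignored.
    """
    names = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = _NAME_RE.match(line)
        if m:
            names.append(normalize(m.group(1)))
    return names


def suspicious_matches(candidate, known):
    """List (known_name, reason) pairs that make `candidate` look like a typosquat."""
    hits = []
    for k in sorted(normalize(x) for x in known):
        d = levenshtein(candidate, k)
        if d <= MAX_EDITS:
            hits.append((k, f"edit distance {d}"))
            continue
        stem = len(os.path.commonprefix([candidate, k]))
        # A shared stem followed by '-' is the normal plugin convention
        # (requests-oauthlib), so only flag a stem that runs straight into
        # different letters (colorinal vs colorama).
        if stem >= MIN_STEM and candidate[stem:stem + 1] not in ("", "-"):
            hits.append((k, f"shares stem {k[:stem]!r}"))
    return hits


def find_suspects(names, known=KNOWN_GOOD):
    """Map each unknown name to its suspicious matches; exact known names pass."""
    known_norm = {normalize(x) for x in known}
    result = {}
    for n in names:
        if n in known_norm:
            continue
        hits = suspicious_matches(n, known)
        if hits:
            result[n] = hits
    return result


if __name__ == "__main__":
    for name, hits in find_suspects(parse_requirements(SAMPLE_REQUIREMENTS)).items():
        for k, why in hits:
            print(f"{name}: resembles {k} ({why})")
```

Run against the sample, termncolor is caught by edit distance (one inserted letter from termcolor) and colorinal by the shared "color" stem, while requests-oauthlib passes because the stem is followed by the separator that real plugin packages use. This is a pre-install gate, not a verdict: a hit should block the install until someone looks at the project page and the sdist, and the allow-list must be the names your project actually intends to depend on, not a list copied from PyPI download rankings.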
Date
- Created: Aug. 16, 2025, 1:53 a.m.
- Published: Aug. 16, 2025, 1:53 a.m.
- Modified: Aug. 18, 2025, 4:42 p.m.