8 Critical Facts About the OceanLotus PyPI Attack and ZiChatBot Malware

In July 2025, cybersecurity researchers detected a series of suspicious wheel packages uploaded to the Python Package Index (PyPI). After the researchers reported them, the packages were swiftly removed. Analysis using the Kaspersky Threat Attribution Engine (KTAE) linked the packages to the infamous OceanLotus advanced persistent threat (APT) group. These packages were not what they appeared to be: while they claimed to offer legitimate Python utilities, their real purpose was to deliver a previously undocumented malware strain dubbed ZiChatBot. This attack showcases a sophisticated supply chain compromise targeting Python developers. Below are eight essential details you need to understand about this campaign.

1. The Attack Originated in July 2025 on PyPI

Beginning in July 2025, malicious actors uploaded three wheel packages to PyPI: uuid32-utils, colorinal, and termncolor. The first package appeared on July 16, 2025, uploaded by an account using the email laz****@tutamail.com. The other two followed on July 22, 2025, uploaded by a different account with email sym****@proton.me. These packages were designed to mimic popular Python libraries, tricking developers into installing them via standard pip commands. The timing and method suggest a deliberate, well-planned attack aimed at infiltrating software supply chains.

8 Critical Facts About the OceanLotus PyPI Attack and ZiChatBot Malware
Source: securelist.com

2. The Packages Imitate Legitimate Libraries

The attackers chose names closely resembling well-known Python tools: uuid32-utils pretended to be a utility for generating 32-character random strings, colorinal pretended to support cross-platform color terminal text, and termncolor claimed to provide ANSI color formatting for terminal output. Each package included a functional implementation of its advertised feature to appear legitimate, but beneath the surface each also carried hidden malicious code that acted as a dropper. For instance, colorinal was offered in multiple platform-specific wheel files, including versions for Windows (x86 and x64) and Linux (x86_64), broadening its potential victim pool.

3. The Malware Targets Both Windows and Linux Systems

Unlike many Python-based threats that only affect Windows, these packages contained payloads compatible with both Windows and Linux environments. The dropper delivered either a .DLL file (Windows) or a .SO shared library (Linux). This dual-platform capability indicates the attackers intended to compromise a wide range of development machines, from personal laptops to CI/CD servers. The malicious libraries were executed when the Python package was imported, allowing the infection to proceed without raising immediate alarms.

4. The Final Payload Is a New Malware Called ZiChatBot

After the dropper runs, it unpacks and executes the final payload, which security researchers have named ZiChatBot. This malware is distinct from typical families because it does not use a dedicated command-and-control (C2) server. Instead, ZiChatBot leverages the public REST APIs of the open-source team chat application Zulip as its C2 infrastructure. By abusing a legitimate service, the malware blends in with normal traffic, making detection by network monitoring tools much more difficult. The bot can receive commands and exfiltrate data via Zulip channels, all while hiding in plain sight.

5. The Attackers Used a Clever Concealment Technique

To further obfuscate the malicious package, the attackers created a benign-looking wrapper package that declared the actual malicious package as a dependency. When a developer installed the benign package via pip, it automatically pulled in and installed the malicious one. This technique is a classic supply chain attack: it exploits the trust developers place in the PyPI ecosystem. The result is that victims unknowingly download the threat even if they carefully review the packages they install directly.
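The dependency-concealment trick above, together with the lookalike names from fact 2, can be caught before anything is installed by auditing pip's dry-run installation report (`pip install --dry-run --report - <pkg>`, pip 22.2 or newer) for transitive packages nobody asked for. The script below is an added example, not code from the article or from Kaspersky; the wrapper name `handy-utils`, the reference list of well-known packages, the allowlist and the similarity threshold are all assumptions, and the embedded report is a constructed sample trimmed to the fields the check uses.

```python
import json
import re
from difflib import SequenceMatcher

# Constructed sample of a pip installation report (report version "1").
# "handy-utils" is a hypothetical benign-looking wrapper that declares the
# article's termncolor as a dependency; "six" stands in for a known-good
# transitive dependency. Only the fields the audit reads are kept.
SAMPLE_REPORT = json.dumps({
    "version": "1",
    "install": [
        {"requested": True, "is_direct": False,
         "metadata": {"name": "handy-utils", "version": "0.1.0"}},
        {"requested": False, "is_direct": False,
         "metadata": {"name": "termncolor", "version": "0.2.4"}},
        {"requested": False, "is_direct": False,
         "metadata": {"name": "six", "version": "1.16.0"}},
    ],
})

# Assumed reference list of popular names a typosquat would imitate.
KNOWN_PACKAGES = {"termcolor", "colorama", "requests", "six", "uuid"}
# Assumed set of transitive dependencies the organisation has reviewed.
ALLOWLIST = {"six", "requests"}

def normalize(name):
    # PEP 503 name normalisation: "uuid32_utils" and "uuid32-utils" compare equal.
    return re.sub(r"[-_.]+", "-", name).lower()

def lookalike_of(name, known=KNOWN_PACKAGES, threshold=0.85):
    """Return the well-known package this name most resembles, or None."""
    if name in known:          # an exact match is the real thing, not a lookalike
        return None
    best, score = None, 0.0
    for cand in known:
        r = SequenceMatcher(None, name, cand).ratio()
        if r > score:
            best, score = cand, r
    return best if score >= threshold else None

def audit_report(report_json, allowlist=ALLOWLIST):
    """Flag packages pulled in transitively (requested == False) that are
    not allow-listed, noting when the name imitates a popular library."""
    findings = []
    for item in json.loads(report_json)["install"]:
        name = normalize(item["metadata"]["name"])
        if item["requested"] or name in allowlist:
            continue
        reason = "unreviewed transitive dependency"
        twin = lookalike_of(name)
        if twin:
            reason += f", name resembles '{twin}'"
        findings.append((name, item["metadata"]["version"], reason))
    return findings
```

In a CI gate, feed the report from a real dry run into `audit_report` and fail the build on any finding, so a wrapper package cannot quietly pull in a dependency that was never reviewed.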


6. The Infection Chain Is Consistent Across Packages

Analysis of the uuid32-utils and colorinal packages revealed nearly identical infection chains and payloads. Taking colorinal as a representative example, the package executes a series of steps upon import: it first validates the platform, then extracts an encrypted payload embedded in the wheel file, decrypts it, and loads it into memory. The decrypted payload is the malicious DLL or SO file that acts as the initial dropper. This dropper then communicates with Zulip to download the final ZiChatBot component. The consistency of these chains suggests a single, sophisticated developer or team behind the campaign.

7. Attribution Points to the OceanLotus APT Group

Researchers submitted samples from the attack to the Kaspersky Threat Attribution Engine (KTAE), a tool that analyzes code similarities, infrastructure patterns, and tradecraft. The engine returned a high-confidence match linking the packages to malware previously associated with OceanLotus (also known as APT32 or SeaLotus). OceanLotus is a Vietnamese state-sponsored threat group that has historically targeted foreign governments, corporations, and human rights activists. This attribution underscores the group's continued evolution and willingness to adopt new attack vectors like PyPI supply chain compromise.

8. This Is a Carefully Planned Supply Chain Attack

Given the multi-platform payloads, the use of legitimate Zulip APIs for C2, the mimicry of popular libraries, and the dependency concealment technique, this campaign exhibits a high degree of planning and execution. It is not a random or opportunistic attack but a targeted supply chain infiltration designed to compromise development environments. Python developers and organizations relying on PyPI should treat this as a wake-up call to enforce strict package verification, use private mirrors, and monitor for unusual network traffic to chat services. Vigilance is key to preventing similar attacks in the future.

In summary, the OceanLotus-linked PyPI attack represents a significant threat to the software development community. By understanding these eight crucial facts, security teams can better defend against supply chain attacks that leverage trusted platforms to distribute malware like ZiChatBot.
