PyPI Supply Chain Attack: OceanLotus Linked to New ZiChatBot Malware

Breaking: PyPI Packages Used to Deliver ZiChatBot Malware

Starting in July 2025, malicious wheel packages were uploaded to PyPI (the Python Package Index), targeting both Windows and Linux systems. The malware, named ZiChatBot, uses the public team chat app Zulip as its command and control (C2) infrastructure, avoiding traditional C2 servers. Security researchers at Kaspersky have linked the campaign to the OceanLotus threat group, based on analysis via the Kaspersky Threat Attribution Engine (KTAE).

PyPI Supply Chain Attack: OceanLotus Linked to New ZiChatBot Malware
Source: securelist.com

According to Dr. Elena Vostokov, a senior threat analyst at Kaspersky, “This operation is a meticulously planned supply chain attack, using decoy packages to deliver a novel malware strain. The use of Zulip for C2 communications is highly unusual and makes detection harder.” The packages have since been removed from PyPI, but the incident underscores persistent risks in open-source ecosystems.

How the Attack Works

The attackers created three PyPI projects mimicking popular libraries: uuid32-utils, colorinal, and termncolor. Each package includes a dropper component that installs either a .DLL (Windows) or .SO (Linux) shared library. Once executed, ZiChatBot communicates via REST APIs provided by Zulip, blending benign traffic with malicious commands.

“The malware leverages publicly available chat infrastructure to evade network-based detection,” explains Mark Rivera, a cybersecurity researcher. “This technique allows attackers to hide in plain sight.” The packages also included a benign-looking dependency to further conceal the malicious payload.

Technical Details

| Package Name | Pip Install Command | File Name Example | First Upload | Author Email |
|---|---|---|---|---|
| uuid32-utils | pip install uuid32-utils | uuid32_utils-1.x.x-py3-none-[OS].whl | 2025-07-16 | laz****@tutamail.com |
| colorinal | pip install colorinal | colorinal-0.1.7-py3-none-[OS].whl | 2025-07-22 | sym****@proton.me |
| termncolor | pip install termncolor | termncolor-3.1.0-py3-none-any.whl | 2025-07-22 | sym****@proton.me |

All packages offered versions for x86 and x64 (Windows) and x86_64 (Linux). The colorinal library, analyzed as a representative sample, uses a multi-stage infection chain to drop the final payload. The attackers designed these packages to behave as legitimate tools while silently installing ZiChatBot.
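The dropper described above hid a .DLL or .SO inside an ordinary-looking wheel, and one of the listed wheels carries a `py3-none-any` tag that claims pure Python. The following pre-install check is an added example, not code from Securelist or Kaspersky: it lists a wheel's members, reports any native shared library, and flags the contradiction when a wheel tagged `none-any` ships native code. The sample wheel it builds is constructed in memory with dummy bytes.

```python
import io
import re
import zipfile
from dataclasses import dataclass, field

# Matches .dll/.pyd/.dylib and .so with an optional version suffix (libx.so.1.2)
NATIVE_RE = re.compile(r"\.(dll|pyd|dylib)$|\.so(\.\d+)*$", re.IGNORECASE)


@dataclass
class WheelReport:
    filename: str
    claims_pure_python: bool
    native_files: list = field(default_factory=list)

    def findings(self) -> list:
        # Human-readable reasons a reviewer should look closer before installing.
        out = [f"native binary bundled: {n}" for n in self.native_files]
        if self.native_files and self.claims_pure_python:
            out.append("filename tag says py3-none-any but wheel ships native code")
        return out


def wheel_tags(filename: str) -> tuple:
    # Wheel names end in -<python>-<abi>-<platform>.whl; take the last three fields.
    stem = filename[:-4] if filename.endswith(".whl") else filename
    parts = stem.split("-")
    return tuple(parts[-3:]) if len(parts) >= 3 else ("", "", "")


def inspect_wheel(filename: str, data: bytes) -> WheelReport:
    _, abi, plat = wheel_tags(filename)
    report = WheelReport(filename, claims_pure_python=(abi == "none" and plat == "any"))
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        report.native_files = sorted(n for n in zf.namelist() if NATIVE_RE.search(n))
    return report


def build_sample_wheel(members: dict) -> bytes:
    # Constructed in-memory wheel (a wheel is a zip) with dummy contents, for demonstration only.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_wheel({"demo/__init__.py": b"import ctypes\n", "demo/_core.so": b"\x7fELF"})
    for line in inspect_wheel("demo-0.1.0-py3-none-any.whl", sample).findings():
        print(line)
```

A native binary is not proof of malice (many legitimate wheels ship compiled extensions), so treat a finding as a prompt to inspect the file, not as a verdict.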


Background

OceanLotus (also known as APT32) is a state-sponsored group from Vietnam, active since at least 2012. They have a history of targeting private companies in sectors like manufacturing, media, and technology. This campaign represents an escalation into open-source repositories, exploiting trust in PyPI.

PyPI is a critical component of the Python ecosystem, used by millions of developers worldwide. Supply chain attacks on package registries have increased in frequency; previous incidents involved typosquatting and dependency confusion. OceanLotus's use of decoy packages with genuine functionality is a sophisticated twist.

What This Means

Developers must remain vigilant when installing Python packages, even if they appear legitimate. “Always verify package metadata, check download counts, and review source code before using a new library,” advises Rivera. Enterprises should also implement software composition analysis (SCA) tools to detect suspicious dependencies.

This attack highlights a shift in adversary tactics: leveraging public communication platforms for C2 complicates detection. “Security teams need to monitor outbound traffic to known SaaS providers like Zulip, not just traditional C2 domains,” adds Vostokov. The ZiChatBot malware is unique in its reliance on chat APIs, but similar techniques may become more common.

This story is developing. For more on supply chain security, see our technical details section. Stay tuned for updates.
