OceanLotus Targets PyPI: The ZiChatBot Supply Chain Attack Uncovered

In July 2025, security researchers identified a series of malicious wheel packages uploaded to PyPI, the Python Package Index. These packages, attributed to the advanced persistent threat group OceanLotus, served as droppers for a previously unknown malware family dubbed ZiChatBot. Unlike traditional malware, ZiChatBot uses the Zulip team chat platform's REST APIs as its command-and-control infrastructure. This campaign represents a carefully orchestrated supply chain attack, leveraging fake libraries and dependencies to infect both Windows and Linux systems. Below, we explore the key aspects of this attack in a Q&A format.

What triggered the discovery of the OceanLotus PyPI attack?

During routine threat hunting in July 2025, security analysts noticed suspicious wheel packages on PyPI. The analysts shared their findings with the public security community, and the packages were removed from the repository. The samples were then submitted to Kaspersky Threat Attribution Engine (KTAE) for analysis. Based on the results, the packages were linked to malware described in a Threat Intelligence report on OceanLotus, a well-known APT group. This chain of events, starting with anomaly detection, followed by community action and forensic attribution, led to the full exposure of the attack.

Source: securelist.com

How did the attackers spread the malicious PyPI packages?

The attackers created three PyPI projects mimicking popular libraries to trick users into downloading them. These projects were named uuid32-utils, colorinal, and termncolor. Each offered wheel packages advertised as tools for UUID generation, cross-platform color terminal text, and ANSI color formatting, respectively. The packages were uploaded starting July 16, 2025, with authors using email addresses from tutamail.com and proton.me. Distribution files included versions for Windows (X86, X64) and Linux (x86_64), ensuring broad platform coverage. This impersonation of legitimate libraries is a classic supply chain attack vector.

What are the key details of the fake PyPI libraries?

The three malicious packages are:

- uuid32-utils, advertised as a UUID generation tool
- colorinal, advertised as a cross-platform color terminal text library
- termncolor, advertised as an ANSI color formatting library

All packages provide wheel files (.whl) with platform-specific builds. For example, colorinal offers separate downloads for Windows X86, Windows X64, and Linux x86_64. Although their PyPI pages present them as working libraries, their true purpose is to drop .DLL or .SO payloads.


How does the ZiChatBot malware operate differently from traditional malware?

ZiChatBot does not rely on a dedicated command-and-control (C2) server. Instead, it abuses the public REST APIs of Zulip, an open-source team chat application. By using Zulip's infrastructure, the malware blends in with normal traffic to a legitimate service, making network-level detection harder. The dropper (the wheel package) extracts either a .DLL (Windows) or .SO (Linux) file that carries ZiChatBot. Once executed, ZiChatBot communicates via Zulip channels to receive commands and exfiltrate data. Routing C2 through a trusted third-party service is a distinct technique from living off the land (which refers to abusing tools already present on the host); MITRE ATT&CK catalogs it as Web Service (T1102), and it is sometimes called living off trusted sites.

How did the attackers conceal the malicious package delivering ZiChatBot?

The attackers created an additional benign-looking PyPI package that included the malicious package as a dependency. This means users who installed the benign package would inadvertently also install the dropper. This layered approach hides the malicious package from casual inspection, since the name a developer actually types never appears suspicious. For instance, a seemingly harmless library might declare colorinal as a dependency. When a developer runs pip install for the benign library, colorinal is automatically installed, and the infection chain begins. This technique demonstrates careful planning to maximize the attack's reach.

What platforms are targeted and what is the infection chain?

The malicious wheel packages target both Windows (via .DLL files) and Linux (via .SO shared libraries). The infection chain is consistent across the uuid32-utils and colorinal libraries. Using colorinal as an example, once installed, the package executes code that extracts a hidden payload (the .DLL or .SO). This payload then launches ZiChatBot, which establishes C2 through Zulip APIs. The termncolor package may follow a similar pattern. The attack affects x86 and x64 architectures on Windows, and x86_64 on Linux, giving it a wide victim pool among developers and automated systems.
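The two detection opportunities described above, a benign-looking package pulling in a dropper through its dependency metadata, and a supposedly pure-Python colour or UUID library shipping a .DLL or .SO, can both be checked before a wheel is ever installed. The following script is an added example written for this article, not code from the original page or from the researchers; it opens a wheel as the zip archive it is, reads the dist-info METADATA, and flags three things: a package name matching one of the three projects named in the article, a Requires-Dist entry pulling one of them in, and native binaries bundled inside the archive. The sample wheels it builds are constructed inline for demonstration; the project names and file layout in them are invented. Note that compiled extensions are normal for many legitimate packages, so the native-file check is a triage signal to compare against what the project claims to be, not proof of malice, and it will not catch a payload that is encoded inside a .py file rather than stored as a plain binary.

```python
import io
import re
import zipfile
from typing import Dict, List

# Project names from the campaign described in the article (PEP 503 normalized form).
SUSPECT_PACKAGES = {"uuid32-utils", "colorinal", "termncolor"}

# Native binaries a pure-Python colour/UUID helper has no reason to ship.
NATIVE_EXTENSIONS = (".dll", ".so", ".pyd", ".dylib")


def normalize(name: str) -> str:
    """PEP 503 name normalization, so Colorinal, colorinal and COLORINAL compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requires_dist(metadata_text: str) -> List[str]:
    """Return normalized project names from every Requires-Dist line in a METADATA file."""
    deps = []
    for line in metadata_text.splitlines():
        if line.startswith("Requires-Dist:"):
            spec = line.split(":", 1)[1].strip()
            # Drop version specifiers, extras and environment markers; keep the project name.
            name = re.split(r"[\s;<>=!~\[(]", spec, maxsplit=1)[0]
            deps.append(normalize(name))
    return deps


def audit_wheel(wheel_bytes: bytes) -> Dict[str, object]:
    """Inspect a wheel (a zip archive) without installing it."""
    findings: Dict[str, object] = {
        "suspect_name": False,   # the wheel itself is one of the known dropper projects
        "suspect_deps": [],      # it depends on one of them (the layered-dependency trick)
        "native_files": [],      # it bundles .dll/.so/.pyd/.dylib files
    }
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(NATIVE_EXTENSIONS):
                findings["native_files"].append(info.filename)
            if info.filename.endswith(".dist-info/METADATA"):
                meta = zf.read(info.filename).decode("utf-8", "replace")
                for line in meta.splitlines():
                    if line.startswith("Name:"):
                        if normalize(line.split(":", 1)[1].strip()) in SUSPECT_PACKAGES:
                            findings["suspect_name"] = True
                findings["suspect_deps"] = [
                    d for d in parse_requires_dist(meta) if d in SUSPECT_PACKAGES
                ]
    findings["flagged"] = bool(
        findings["suspect_name"] or findings["suspect_deps"] or findings["native_files"]
    )
    return findings


def build_sample_wheel(name: str, version: str, requires: List[str],
                       files: Dict[str, bytes]) -> bytes:
    """Construct a minimal wheel in memory for demonstration (not a real PyPI artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        meta = ["Metadata-Version: 2.1", f"Name: {name}", f"Version: {version}"]
        meta += [f"Requires-Dist: {r}" for r in requires]
        zf.writestr(f"{name.replace('-', '_')}-{version}.dist-info/METADATA", "\n".join(meta) + "\n")
        for path, data in files.items():
            zf.writestr(path, data)
    return buf.getvalue()


# Constructed samples: a benign-looking front package that pulls in colorinal,
# a colorinal-style dropper carrying a Linux shared object, and a clean control.
FRONT_WHEEL = build_sample_wheel("prettylog", "1.0", ["colorinal>=0.1"],
                                 {"prettylog/__init__.py": b"import colorinal\n"})
DROPPER_WHEEL = build_sample_wheel("colorinal", "0.1", [],
                                   {"colorinal/__init__.py": b"# loads terminal.so\n",
                                    "colorinal/terminal.so": b"\x7fELF" + b"\x00" * 16})
CLEAN_WHEEL = build_sample_wheel("tinytools", "2.3", ["urllib3>=2"],
                                 {"tinytools/__init__.py": b"VERSION = '2.3'\n"})

if __name__ == "__main__":
    for label, wheel in (("front", FRONT_WHEEL), ("dropper", DROPPER_WHEEL), ("clean", CLEAN_WHEEL)):
        print(label, audit_wheel(wheel))
```

In a CI pipeline the same function can be run over the output of `pip download --no-deps` before anything is installed, so that a transitive dependency on one of the named projects, or an unexpected native binary in a package that should be pure Python, blocks the build rather than being discovered after the dropper has already executed.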
