7 Key Facts About the OceanLotus PyPI Attack and ZiChatBot Malware

Introduction

In July 2025, researchers uncovered a sophisticated supply chain attack targeting the Python Package Index (PyPI). A series of malicious wheel packages were uploaded, disguised as legitimate libraries, with the real goal of delivering a new malware family dubbed ZiChatBot. The attack bears the hallmarks of the advanced persistent threat (APT) group known as OceanLotus (also tracked as APT32 or SeaLotus). This article breaks down the seven most important things you need to know about this campaign.

7 Key Facts About the OceanLotus PyPI Attack and ZiChatBot Malware — Source: securelist.com

1. What Is ZiChatBot and How Does It Work?
2. The Attack Vector: PyPI Supply Chain Compromise
3. The Three Malicious Packages Used
4. Cross‑Platform Targeting: Windows and Linux
5. Clever Deception: Hiding in Plain Sight
6. The Infection Chain: From Package to Payload
7. Attribution to OceanLotus

1. What Is ZiChatBot and How Does It Work?

ZiChatBot is a previously undocumented malware family that uses a very unusual command‑and‑control (C2) mechanism. Instead of relying on a dedicated server, it exploits the public REST APIs of Zulip – a legitimate team‑chat application – to receive commands and exfiltrate data. This makes the malicious traffic blend in with normal Zulip API calls, greatly reducing the chance of detection. The malware can be delivered as either a .DLL file on Windows or a .SO (shared library) on Linux, giving it cross‑platform capabilities. Once loaded, ZiChatBot connects to a Zulip channel controlled by the attackers, where it awaits instructions. This novel approach to C2 communication shows a high level of sophistication and adaptability.

2. The Attack Vector: PyPI Supply Chain Compromise

The entire attack is a textbook example of a supply chain compromise. The threat actor created three malicious wheel packages on PyPI, imitating popular libraries to trick unsuspecting developers. By compromising a trusted repository like PyPI, the attackers gained access to many downstream users who would install these packages believing they were safe. This method is particularly dangerous because it bypasses traditional perimeter defenses – the malicious code arrives inside legitimate‑looking software. The campaign began in July 2025 and was quickly identified by threat hunters, who shared their findings with the security community, leading to the removal of the packages. However, many users may have already been infected before the takedown.

3. The Three Malicious Packages Used

The attackers uploaded three wheel packages to PyPI:

uuid32-utils – advertised as a tool for generating a 32‑character random UUID string.
colorinal – a library claiming to support cross‑platform colored terminal output.
termncolor – another package for ANSI color formatting in terminals.

These packages were uploaded under different accounts: laz**** (email: laz****@tutamail.com) for uuid32-utils, and sym**** (email: sym****@proton.me) for both colorinal and termncolor. The first upload date for uuid32-utils was 2025‑07‑16, with the other two appearing on 2025‑07‑22. The packages were distributed as platform‑specific wheels (e.g., uuid32_utils-1.x.x-py3-none-win_amd64.whl), indicating careful targeting.

4. Cross‑Platform Targeting: Windows and Linux

One of the most telling aspects of this campaign is its dual‑platform support. The wheel packages were built specifically for Windows (both x86 and x64) and Linux (x86_64). For instance, the colorinal project page on PyPI listed separate download options for each operating system. Once installed, the malicious code delivers either a .DLL file on Windows or a .SO shared library on Linux. This cross‑platform capability strongly suggests that the attackers are a well‑resourced group – likely an APT – that intends to compromise both environments in their target organizations. Many modern enterprise networks mix Windows workstations with Linux servers, so this approach maximizes the impact of the supply chain attack.

5. Clever Deception: Hiding in Plain Sight

To further obscure their activities, the attackers employed a classic shell‑game technique. Besides the malicious packages, they created a separate, completely benign‑looking package that listed the malicious package as a dependency. This meant that a developer who installed the benign package would automatically pull in the malicious one without any visible indication. The malicious packages themselves also implemented the features described on their PyPI pages – for example, uuid32-utils could actually generate UUID strings – so they appeared functional and non‑suspicious. This deception makes it much harder for casual reviewers or automated scanners to flag the packages as dangerous. Only a deep analysis of the wheel contents revealed the hidden dropper component.

6. The Infection Chain: From Package to Payload

While both uuid32-utils and colorinal use essentially the same infection mechanism, this explanation uses colorinal as an example. When a user installs the wheel (either directly or as a dependency), the package’s setup script executes and extracts an embedded payload – a .DLL (Windows) or .SO (Linux) file. This file is then loaded into memory and executed. The payload is the ZiChatBot malware, which immediately establishes communication with a Zulip‑based C2 channel. Importantly, the entire process happens without the user’s knowledge; the legitimate functionality of the package runs normally in the background. After infection, the attacker can issue commands, exfiltrate files, or drop additional malicious tools – all through the chat API.

7. Attribution to OceanLotus

The final key fact is that this attack has been attributed to the OceanLotus APT group (also known as APT32). The attribution is based on analysis from Kaspersky’s Threat Attribution Engine (KTAE), which found strong links between the PyPI packages and previous OceanLotus malware samples described in threat intelligence reports. OceanLotus is a Vietnamese‑linked threat actor that has been active since at least 2014, known for targeting foreign corporations, media organizations, and dissidents. Their use of PyPI – a platform popular among enterprise developers – fits their known modus operandi of targeting supply chains and software development environments. This incident underscores the growing trend of APT groups exploiting open‑source ecosystems to gain initial access.

Conclusion

The discovery of the ZiChatBot campaign on PyPI is a stark reminder that open‑source repositories can be weaponized by advanced adversaries. OceanLotus’s use of a chat application as a C2 channel and its careful selection of mimicking popular libraries show a high level of sophistication. Developers and security teams must remain vigilant: verify package integrity, monitor for unusual dependencies, and report suspicious packages promptly. The rapid removal of these malicious packages by the PyPI team demonstrates the importance of community collaboration. Nevertheless, this attack is a clear warning that supply chain threats are becoming more stealthy and targeted.

Tags: