Breaking: OceanLotus Suspected in Sophisticated PyPI Supply Chain Attack Delivering Novel ZiChatBot Malware

Breaking News: PyPI Supply Chain Attack Targets Windows and Linux with ZiChatBot Malware

Researchers have uncovered a carefully orchestrated supply chain attack on PyPI (Python Package Index) that began in July 2025, with suspected links to the notorious OceanLotus threat group (APT32). The malicious wheel packages, disguised as legitimate libraries, deliver a previously unknown malware family dubbed ZiChatBot that weaponizes the popular team chat app Zulip for command and control.

Breaking: OceanLotus Suspected in Sophisticated PyPI Supply Chain Attack Delivering Novel ZiChatBot Malware
Source: securelist.com

"This is not a run-of-the-mill typosquatting campaign; it’s a precise, multi-platform attack that exploits trust in open-source repositories," said a Kaspersky threat researcher who analyzed the samples via the Kaspersky Threat Attribution Engine (KTAE). The findings were shared with the security community, leading to prompt removal of the packages from PyPI.

Unlike traditional malware that relies on dedicated C2 servers, ZiChatBot uses REST APIs from Zulip, a legitimate chat platform, to receive commands. This technique makes detection far more challenging for network defenders.

Background: OceanLotus’s Evolving Tactics

OceanLotus, also known as APT32 or SeaLotus, is a Vietnamese state-sponsored group infamous for cyber-espionage campaigns targeting governments, media, and private sector entities across Southeast Asia and beyond. The group has a history of leveraging supply chain attacks, but this PyPI campaign marks a novel shift toward abusing open-source package repositories.

"Attributing this to OceanLotus is based on behavioral similarities and infrastructure matches," the researcher explained. "The use of Zulip as a C2 channel aligns with their pattern of blending into everyday internet traffic."

What This Means for Cybersecurity

The attack underscores a growing trend: threat actors exploiting public package managers to infiltrate development pipelines. With enterprise software increasingly relying on open-source dependencies, a single compromised package can propagate malware across thousands of systems.

"Developers must treat every third-party library as a potential threat vector," warned a senior security analyst at a leading firm. "The ZiChatBot dropper can load both Windows DLLs and Linux shared objects, meaning no environment is safe."

Furthermore, ZiChatBot’s ability to hijack a legitimate service like Zulip for C2 complicates traditional traffic analysis. Security teams must now monitor for anomalous API calls to chat platforms, not just suspicious IPs.

Technical Details: The Attack Chain

Spreading via Fake Libraries

Attackers uploaded three malicious wheel packages to PyPI, each closely mimicking popular libraries to trick developers into installing them:

All packages were available for Windows (x86, x64) and Linux (x86_64), as shown on their PyPI download pages. For instance, colorinal promised cross-platform terminal text coloring but secretly acted as a dropper.

Infection Mechanism

When a developer installs one of these packages (e.g., via pip install colorinal), the wheel file executes code that functions as a dropper. It delivers a hidden payload—either a .DLL on Windows or a .SO on Linux—which installs ZiChatBot on the system.
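A pre-install check that follows from the dropper description above: unpack a wheel and look for Windows PE or Linux ELF images inside it, including ones stored under a harmless-looking extension. This is an added example written for this article, not code from the report or from Kaspersky; the wheel it scans is constructed in memory and its member names, including the `colorinal` paths, are made up for the demonstration. A real triage would run `scan_wheel` over the downloaded `.whl` file (a zip) and compare the result with what the project claims to be, since a pure-Python library has no business shipping a `.dll` or `.so`.

```python
import io
import zipfile
from typing import Dict, List

# Extensions under which a native binary is expected to appear in a wheel.
NATIVE_SUFFIXES = (".dll", ".so", ".pyd", ".dylib")


def build_sample_wheel() -> bytes:
    """Build a wheel-shaped zip in memory.

    Constructed sample for this demo: the member names and contents are made
    up and this is not the real colorinal package.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("colorinal/__init__.py", "from . import _native\n")
        zf.writestr("colorinal/_native.so", b"\x7fELF" + b"\x00" * 60)   # ELF magic
        zf.writestr("colorinal/helper.dll", b"MZ" + b"\x00" * 62)        # PE magic
        # A PE image stored under an innocent-looking data extension.
        zf.writestr("colorinal/data/theme.dat", b"MZ" + b"\x00" * 62)
        zf.writestr("colorinal-1.0.dist-info/METADATA", "Name: colorinal\nVersion: 1.0\n")
    return buf.getvalue()


def classify(head: bytes) -> str:
    """Identify a member by its first bytes: PE (Windows), ELF (Linux) or other."""
    if head.startswith(b"MZ"):
        return "pe"
    if head.startswith(b"\x7fELF"):
        return "elf"
    return "other"


def scan_wheel(data: bytes) -> Dict[str, List[str]]:
    """List PE and ELF members of a wheel, and separately those that hide
    under a non-native file extension."""
    report: Dict[str, List[str]] = {"pe": [], "elf": [], "disguised": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                kind = classify(fh.read(4))
            if kind == "other":
                continue
            report[kind].append(info.filename)
            if not info.filename.lower().endswith(NATIVE_SUFFIXES):
                report["disguised"].append(info.filename)
    return report


def is_suspicious(report: Dict[str, List[str]], declares_native: bool = False) -> bool:
    """Flag a wheel that hides a binary under another extension, or that ships
    PE/ELF payloads although the project presents itself as pure Python."""
    if report["disguised"]:
        return True
    return not declares_native and bool(report["pe"] or report["elf"])


if __name__ == "__main__":
    result = scan_wheel(build_sample_wheel())
    for kind, members in result.items():
        print(f"{kind}: {members}")
    print("suspicious:", is_suspicious(result))
```

Magic-byte classification is deliberately used instead of trusting file extensions, because the extension is the one thing a packager controls for free; the wheel's platform tag (`win_amd64`, `manylinux_x86_64` versus `none-any`) is a second signal worth comparing against the findings.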

To further conceal the attack, the threat actors created a benign-looking package that includes the malicious one as a dependency. This ensures that even developers who only install the “clean” package inadvertently pull in the malware.
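Because the malicious package can arrive as a transitive dependency of a "clean" one, checking only the names a developer typed into `pip install` is not enough. The following added example (written for this article, not taken from the report) walks the installed dependency graph and reports the chain from each top-level package down to a flagged name, so the benign-looking front package is exposed. Only `colorinal` is named in the article; the second entry in `FLAGGED_PACKAGES` is a placeholder to be replaced from the published indicator list, and `SAMPLE_GRAPH` with its `pretty-console` front package is a constructed stand-in for the output of `installed_graph()`.

```python
import re
from importlib import metadata
from typing import Dict, Iterable, List

# Only colorinal is named in the report; the other two package names are not
# given there, so the second entry is a placeholder to be replaced from the IoC list.
FLAGGED_PACKAGES = {"colorinal", "PLACEHOLDER-second-fake-package"}

_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*")


def normalize(name: str) -> str:
    """PEP 503 style normalisation so 'Foo_Bar' and 'foo-bar' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def dep_name(requirement: str) -> str:
    """Extract the bare project name from a Requires-Dist string such as
    'colorinal>=1.0; extra == "color"'."""
    m = _NAME_RE.match(requirement.strip())
    return normalize(m.group(0)) if m else ""


def installed_graph() -> Dict[str, List[str]]:
    """Dependency graph of the current environment: name -> direct dependencies."""
    graph: Dict[str, List[str]] = {}
    for dist in metadata.distributions():
        deps = [dep_name(r) for r in (dist.requires or [])]
        graph[normalize(dist.metadata["Name"])] = [d for d in deps if d]
    return graph


def find_paths(graph: Dict[str, List[str]], flagged: Iterable[str]) -> Dict[str, List[List[str]]]:
    """For each flagged package present in the graph, return the dependency
    chains that lead to it from a top-level (not-depended-on) package, so the
    front package that pulled it in is visible."""
    wanted = {normalize(f) for f in flagged}
    depended_on = {d for deps in graph.values() for d in deps}
    # If every package is part of a cycle there are no roots; start anywhere.
    roots = [p for p in graph if p not in depended_on] or list(graph)
    hits: Dict[str, List[List[str]]] = {}
    for root in roots:
        stack = [(root, [root])]
        seen = {root}
        while stack:
            node, path = stack.pop()
            if node in wanted:
                hits.setdefault(node, []).append(path)
            for dep in graph.get(node, []):
                if dep not in seen:
                    seen.add(dep)
                    stack.append((dep, path + [dep]))
    return hits


# Constructed sample graph standing in for installed_graph() output; the
# package "pretty-console" is a made-up benign-looking front package.
SAMPLE_GRAPH = {
    "pretty-console": ["colorinal", "requests"],
    "colorinal": [],
    "requests": ["urllib3", "idna"],
    "urllib3": [],
    "idna": [],
    "black": ["click"],
    "click": [],
}


if __name__ == "__main__":
    for pkg, paths in find_paths(SAMPLE_GRAPH, FLAGGED_PACKAGES).items():
        for path in paths:
            print(f"{pkg} is installed via: {' -> '.join(path)}")
    # Against the live environment:  find_paths(installed_graph(), FLAGGED_PACKAGES)
```

Run `find_paths(installed_graph(), FLAGGED_PACKAGES)` inside each virtual environment and build image that matters; a hit whose path has more than one element is exactly the dependency-laundering case described above.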

ZiChatBot: A Stealthy C2 Framework

ZiChatBot is not just another piece of malware; it’s a framework that uses Zulip’s public REST APIs to receive tasks and exfiltrate data. No dedicated C2 server is needed—everything is routed through Zulip channels, making traffic blend in with normal chat activity.

"This approach is both ingenious and dangerous," noted the Kaspersky researcher. "We’re entering an era where attackers weaponize trusted platforms against us."

Security teams should review their open-source dependency lists for any of the three fake packages (see table above) and monitor for unusual Zulip API calls from endpoints. The full technical analysis is available from Kaspersky’s Threat Intelligence team.
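The monitoring advice above can be turned into a concrete rule set. The added example below (written for this article, not Kaspersky's detection logic) runs over constructed HTTP log lines in a Zeek `http.log`-like layout and flags Zulip REST API traffic (`/api/v1/...`) that goes to a Zulip organisation the company does not use, comes from a generic HTTP library rather than a browser or Zulip client, or arrives as evenly spaced polling. The host `chat.example-corp.com`, the `dev-team.zulipchat.com` organisation and all IPs and user agents are constructed values; `zulipchat.com` is Zulip's hosted-service domain, while self-hosted servers are only recognised through the allowlist.

```python
import re
import statistics
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample in a Zeek http.log-like layout (whitespace separated):
# ts  src_ip  host  method  uri  user_agent
SAMPLE_LOG = """\
1721120000.10 10.0.5.21 chat.example-corp.com GET /api/v1/events Mozilla/5.0 (Windows NT 10.0) Firefox/128.0
1721120030.20 10.0.5.21 chat.example-corp.com POST /api/v1/messages Mozilla/5.0 (Windows NT 10.0) Firefox/128.0
1721120001.00 10.0.9.77 dev-team.zulipchat.com GET /api/v1/messages python-requests/2.32.3
1721120005.00 10.0.9.77 pypi.org GET /simple/requests/ pip/24.0
1721120061.00 10.0.9.77 dev-team.zulipchat.com GET /api/v1/messages python-requests/2.32.3
1721120121.00 10.0.9.77 dev-team.zulipchat.com GET /api/v1/messages python-requests/2.32.3
1721120181.00 10.0.9.77 dev-team.zulipchat.com POST /api/v1/messages python-requests/2.32.3
1721120500.00 10.0.9.80 dev-team.zulipchat.com GET /api/v1/register ZulipDesktop/5.11.0
"""

# Zulip servers the organisation actually uses (constructed value). Any other
# Zulip organisation reached over the API is treated as unsanctioned.
SANCTIONED_ZULIP_HOSTS: Set[str] = {"chat.example-corp.com"}

# Generic HTTP libraries rather than a browser or a Zulip client.
SCRIPTED_UA = re.compile(r"python-requests|python-urllib|curl/|wget/|Go-http-client|libwww", re.I)

Event = Tuple[float, str, str, str, str, str]


def parse(log: str) -> List[Event]:
    """Split each log line into (ts, src, host, method, uri, user_agent)."""
    events: List[Event] = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, host, method, uri, ua = line.split(maxsplit=5)
        events.append((float(ts), src, host.lower(), method, uri, ua))
    return events


def is_zulip_api(host: str, uri: str, sanctioned: Set[str]) -> bool:
    """Zulip Cloud lives under zulipchat.com; self-hosted servers are known
    only through the allowlist. The REST API is rooted at /api/v1/."""
    zulip_host = host.endswith(".zulipchat.com") or host in sanctioned
    return zulip_host and uri.startswith("/api/v1/")


def detect(events: List[Event], sanctioned: Set[str]) -> Dict[Tuple[str, str], List[str]]:
    """Group Zulip API traffic by (source, server) and attach the reasons it
    deserves a look: an unsanctioned Zulip organisation, a scripted user
    agent, or evenly spaced polling typical of a bot waiting for tasks."""
    groups: Dict[Tuple[str, str], List[Tuple[float, str]]] = defaultdict(list)
    for ts, src, host, _method, uri, ua in events:
        if is_zulip_api(host, uri, sanctioned):
            groups[(src, host)].append((ts, ua))

    findings: Dict[Tuple[str, str], List[str]] = {}
    for key, hits in groups.items():
        reasons: List[str] = []
        if key[1] not in sanctioned:
            reasons.append("unsanctioned_zulip_org")
        if any(SCRIPTED_UA.search(ua) for _, ua in hits):
            reasons.append("scripted_user_agent")
        times = sorted(ts for ts, _ in hits)
        gaps = [b - a for a, b in zip(times, times[1:])]
        # Four or more requests whose inter-arrival jitter is under 10% of the mean.
        if len(gaps) >= 3 and statistics.pstdev(gaps) < 0.1 * statistics.mean(gaps):
            reasons.append("regular_polling")
        if reasons:
            findings[key] = reasons
    return findings


if __name__ == "__main__":
    for (src, host), reasons in detect(parse(SAMPLE_LOG), SANCTIONED_ZULIP_HOSTS).items():
        print(f"{src} -> {host}: {', '.join(reasons)}")
```

The point of grouping by source and server is that none of the three signals is damning on its own: a developer's desktop client talking to an unknown Zulip organisation is common, and a CI box using `python-requests` against the company's own Zulip is normal. The combination of a scripted agent, a foreign organisation and clockwork polling from a build or developer host is what should raise a ticket.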

Timeline and Response

  1. July 2025: Malicious packages uploaded to PyPI.
  2. Detection: Discovered during daily threat hunting by Kaspersky researchers.
  3. Disclosure: Shared with public security community and PyPI administrators.
  4. Removal: Packages removed from PyPI; samples submitted to KTAE for attribution.

PyPI maintainers have deleted the offending packages, but users who installed them between July 16 and July 23, 2025, should immediately scan their systems for ZiChatBot indicators. The threat remains active; variants could emerge on other package indexes.
