7 Critical Facts About the OceanLotus PyPI Attack Delivering ZiChatBot Malware

In July 2025, security researchers uncovered a sophisticated supply chain attack targeting the Python Package Index (PyPI). Threat actors linked to the notorious OceanLotus group uploaded malicious wheel packages that mimicked legitimate libraries, ultimately delivering a previously unknown malware strain named ZiChatBot. This campaign exploited trust in open-source repositories to infiltrate both Windows and Linux systems, using a novel communication method via the public chat app Zulip. Here are seven key facts you need to know about this discovery.

1. The Attack Began with Suspicious PyPI Uploads

Starting in July 2025, our threat-hunting systems flagged a series of malicious wheel packages uploaded to PyPI. These packages were designed to appear as innocent utilities but actually served as droppers for hidden malware. After coordinating with the security community, the packages were removed from the repository. Subsequent analysis using the Kaspersky Threat Attribution Engine (KTAE) linked the code to OceanLotus, a known advanced persistent threat (APT) group. The timing and execution suggest a carefully planned operation to infiltrate software supply chains.

7 Critical Facts About the OceanLotus PyPI Attack Delivering ZiChatBot Malware — Source: securelist.com

2. The Attack Is a Classic Supply Chain Compromise via PyPI

This incident exemplifies a supply chain attack: the threat actors created three fake PyPI projects that imitated popular libraries. Unsuspecting developers who installed these packages—thinking they were legitimate tools—unwittingly executed malicious payloads. By targeting PyPI, a widely trusted repository for Python software, the attackers could reach a broad audience, including enterprises and individual developers. This technique undermines the inherent trust in open-source ecosystems and highlights the need for rigorous package verification.

3. Three Fake Libraries Were Used as Lures

The attackers published three deceptive packages on PyPI. The first, uuid32-utils, claimed to generate a 32-character random string as a UUID. The second, colorinal, pretended to implement cross-platform color terminal text. The third, termncolor, offered ANSI color formatting for terminal output. Each package had a corresponding wheel file uploaded with plausible version numbers and author email addresses from encrypted services like Tutamail and ProtonMail. For instance, 'pip install colorinal' fetched a malicious wheel that appeared legitimate.

4. The Malware Targets Both Windows and Linux Systems

The wheel packages included platform-specific binaries: .DLL files for Windows and .SO (shared library) files for Linux. Distribution options on PyPI showed versions for Windows X86, X64, and Linux x86_64. This cross-platform capability indicates the attackers aimed to infect a wide range of environments, from individual workstations to servers. The payloads functioned as droppers, meaning they didn't execute malicious actions immediately but instead delivered the final malware into the system discreetly.

5. The Final Payload Is a New Malware Called ZiChatBot

The droppers unleashed a previously unseen malware family named ZiChatBot. Unlike conventional malware that relies on dedicated command-and-control (C2) servers, ZiChatBot uses a series of REST APIs from the public team chat application Zulip as its C2 infrastructure. This clever approach makes detection harder because traffic appears normal—blending in with legitimate chat communications. The malware can receive commands, exfiltrate data, or update itself using Zulip's API, effectively hijacking a trusted service for malicious purposes.

6. The Attackers Concealed the Malicious Payload with a Benign Dependency

To evade scrutiny, the threat actors employed a deception tactic: they created a benign-looking package that listed the malicious package as a dependency. When a developer installed the innocent package via pip, it automatically pulled in the malicious one. This technique, known as dependency confusion, exploits the way package managers resolve dependencies. As a result, the attack could spread silently without raising immediate suspicion, making it a well-orchestrated and stealthy operation.

7. Attribution Points to the OceanLotus APT Group

Evidence from the Kaspersky Threat Attribution Engine strongly suggests that this campaign is linked to OceanLotus (also known as APT32 or SeaLotus), a state-sponsored group with a history of cyber espionage. The attack's sophistication—including the use of Zulip for C2, cross-platform payloads, and dependency confusion—aligns with OceanLotus's known tactics. While the full scope of the compromise remains under investigation, the incident underscores the evolving threats in open-source software supply chains.

Understanding this attack is crucial for developers and security teams. PyPI users should verify package integrity, monitor dependencies, and rely on advanced threat detection tools. The OceanLotus campaign demonstrates that even trusted repositories can become vectors for malware, and vigilance is the first line of defense. By staying informed about such threats, the community can better protect against future supply chain attacks.

Tags: