OceanLotus Exploits PyPI to Deploy Novel ZiChatBot Malware via Camouflaged Packages


Introduction

In the course of routine threat hunting during July 2025, our security team identified a series of suspicious wheel packages uploaded to the Python Package Index (PyPI). After we promptly alerted the public security community, the malicious artifacts were removed from the repository. Subsequent analysis using the Kaspersky Threat Attribution Engine (KTAE) suggests a probable connection between these packages and threat activity previously attributed to the advanced persistent threat group known as OceanLotus (also tracked as APT32).

[Figure omitted. Source: securelist.com]

Although the packages superficially implement the functionality advertised on their PyPI pages, their true purpose is to covertly deliver additional malicious files. These files can manifest as .DLL (Windows) or .SO (Linux shared library), indicating the campaign’s cross-platform ambition. The packages act as droppers for a previously undocumented malware family we have named ZiChatBot. Unlike conventional malware, ZiChatBot does not rely on a dedicated command-and-control (C2) server. Instead, it leverages REST APIs from the public team chat application Zulip to serve as its C2 infrastructure.

To further obscure the operation, the attacker created a benign-looking package that lists the malicious package as a dependency. These facts confirm that this campaign constitutes a carefully orchestrated supply chain attack on PyPI.

Attack Vectors and Distribution

The adversary established three projects on PyPI, each hosting malicious wheel packages designed to impersonate popular libraries. This classic supply chain attack technique lures developers into downloading trojanized dependencies. Below we detail the fake libraries and their associated wheel packages.

Malicious Wheel Packages

The attacker published the following packages on PyPI; key metadata for each is summarized below:

pip install command       | Wheel file name                                | First upload date | Author / Email
pip install uuid32-utils  | uuid32_utils-1.x.x-py3-none-[OS platform].whl  | 2025-07-16        | laz**** / laz****@tutamail.com
pip install colorinal     | colorinal-0.1.7-py3-none-[OS platform].whl     | 2025-07-22        | sym**** / sym****@proton.me
pip install termncolor    | termncolor-3.1.0-py3-none-any.whl              | 2025-07-22        | sym**** / sym****@proton.me

From the distribution information on PyPI, we see that the packages offer x86 and x64 variants for Windows, as well as an x86_64 variant for Linux. The colorinal project, for example, offered a separate download for each of these platforms.

Initial Infection Chain

The uuid32-utils and colorinal libraries share similar infection chains and malicious payloads. This analysis focuses on colorinal as a representative case.

Upon installation, the wheel package first executes its advertised functionality to avoid suspicion. However, at a predetermined point, it decodes and drops a secondary payload. This payload can be a .DLL or .SO file, depending on the target operating system. The dropper then loads this library, which ultimately delivers the ZiChatBot malware.
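The dropper traits described above (a pure-Python wheel that carries a native image, or a long base64 literal that decodes to one, alongside code that decodes and loads it) can be checked for mechanically before a wheel is installed. The following scanner is an added example, not tooling from the report or from any of the packages it describes; the wheel it scans is constructed in memory and the package layout, file names and blob are assumptions.

```python
import base64
import io
import re
import zipfile

NATIVE_EXT = (".dll", ".so", ".dylib", ".pyd")  # native images a py3-none-* wheel should not ship
EXEC_MAGIC = (b"MZ", b"\x7fELF")                 # PE and ELF file headers
LOADER_CALLS = re.compile(r"ctypes\.(?:CDLL|WinDLL|cdll|windll)|base64\.b64decode")
B64_LITERAL = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")  # long literals that may hide a binary

def scan_wheel(data: bytes) -> dict:
    """Inspect an in-memory wheel (a zip archive) for dropper traits."""
    found = {"native_files": [], "embedded_binaries": [], "loader_calls": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            body = zf.read(info)
            if info.filename.lower().endswith(NATIVE_EXT) or body.startswith(EXEC_MAGIC):
                found["native_files"].append(info.filename)
            if info.filename.endswith(".py"):
                text = body.decode("utf-8", "replace")
                found["loader_calls"] += [f"{info.filename}: {c}" for c in LOADER_CALLS.findall(text)]
                for blob in B64_LITERAL.findall(text):
                    try:
                        decoded = base64.b64decode(blob, validate=True)
                    except ValueError:
                        continue
                    if decoded.startswith(EXEC_MAGIC):
                        found["embedded_binaries"].append(info.filename)
    return found

def is_dropper_like(found: dict) -> bool:
    """True when the wheel both carries a native image and has code to decode or load one."""
    return bool(found["native_files"] or found["embedded_binaries"]) and bool(found["loader_calls"])

def build_wheel(files: dict) -> bytes:
    """Assemble a minimal wheel in memory (constructed test input, not a real package)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed sample: a colour helper that also decodes a fake PE blob and loads it.
FAKE_PE = base64.b64encode(b"MZ" + b"\0" * 62).decode()
TROJANIZED = build_wheel({"colorinal/__init__.py": (
    "import base64, ctypes\n"
    "def colorize(s, code):\n    return f'\\033[{code}m{s}\\033[0m'\n"
    f"_BLOB = '{FAKE_PE}'\n"
    "def _load():\n    open('c.dll', 'wb').write(base64.b64decode(_BLOB))\n    ctypes.CDLL('c.dll')\n")})
```

Running `is_dropper_like(scan_wheel(TROJANIZED))` returns True because the module both embeds an MZ image and calls `base64.b64decode` and `ctypes.CDLL`; a wheel that only ships a `.so` for a genuine extension, with no loader code in its Python sources, is not flagged.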

[Figure omitted. Source: securelist.com]

ZiChatBot, once active, does not attempt to communicate with a traditional C2 server. Instead, it uses Zulip’s REST APIs to receive commands and exfiltrate data. This technique makes detection more difficult because the traffic blends in with legitimate chat activity.

Technical Details of ZiChatBot

ZiChatBot is a previously unknown malware family characterized by its use of a public chat service for C2. Key technical aspects include:

To further conceal the malicious package, the attacker also uploaded a benign-looking library that listed the malicious package as a dependency. This “decoy” package would install the trojanized library without raising immediate suspicion. This layered deception underscores the sophistication of the campaign.

C2 via Zulip APIs

Zulip is an open-source team chat application that provides extensive REST APIs. ZiChatBot abuses these APIs to:

  1. Authenticate using a hardcoded bot account or stolen API key.
  2. Monitor specific streams for incoming commands.
  3. Send responses or exfiltrated data as messages.

This approach makes the C2 traffic appear as normal communication, evading network-based detection.
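Blending in with chat traffic works against signature-based detection, but the bot loop itself (register an event queue, long-poll it for commands, post results back as messages) is visible in proxy logs when it comes from a scripted client rather than a browser or the official Zulip apps. The following detection is an added example, not part of the report; the log format, the `example.zulipchat.com` host, the client addresses and the user agents are constructed, and known integrations would need to be allow-listed before alerting.

```python
import re
from collections import defaultdict

# Constructed proxy-log format: <ts> <client_ip> <method> <url> <status> "<user_agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (GET|POST|DELETE|PATCH) (\S+) (\d{3}) "([^"]*)"$')
# Zulip REST calls a bot loop needs: register an event queue, long-poll it, read or send messages.
ZULIP_API = re.compile(r"https?://[^/]+/api/v1/(register|events|messages)")
# Browsers and official Zulip clients; any other user agent is treated as scripted.
INTERACTIVE_UA = re.compile(r"Mozilla/|ZulipDesktop|ZulipMobile")

def parse_event(line: str):
    """Return {ip, call, scripted} for a Zulip API request, None for any other line."""
    m = LOG_RE.match(line)
    api = m and ZULIP_API.match(m.group(4))
    if not api:
        return None
    ip, method, ua = m.group(2), m.group(3), m.group(6)
    return {"ip": ip, "call": f"{method} {api.group(1)}", "scripted": not INTERACTIVE_UA.search(ua)}

def profile_clients(lines) -> dict:
    # Aggregate Zulip API usage per client address.
    profiles = defaultdict(lambda: {"calls": set(), "scripted": 0, "total": 0})
    for ev in filter(None, map(parse_event, lines)):
        p = profiles[ev["ip"]]
        p["total"] += 1
        p["scripted"] += ev["scripted"]
        p["calls"].add(ev["call"])
    return dict(profiles)

def suspicious_clients(profiles: dict) -> list:
    """Flag clients whose Zulip traffic is all scripted and shows the full bot loop: a receive
    path (register/events/GET messages) plus a send path (POST messages). Allow-list known bots."""
    flagged = []
    for ip, p in profiles.items():
        receives = p["calls"] & {"POST register", "GET events", "GET messages"}
        sends = "POST messages" in p["calls"]
        if p["scripted"] == p["total"] and receives and sends:
            flagged.append(ip)
    return sorted(flagged)

# Constructed sample: 10.0.0.5 loops like an implant, 10.0.0.9 is a person in the web client, 10.0.0.7 a read-only script.
SAMPLE_LOG = """\
2025-07-23T09:00:01Z 10.0.0.5 POST https://example.zulipchat.com/api/v1/register 200 "python-requests/2.32.0"
2025-07-23T09:00:02Z 10.0.0.5 GET https://example.zulipchat.com/api/v1/events?queue_id=1&last_event_id=-1 200 "python-requests/2.32.0"
2025-07-23T09:00:33Z 10.0.0.5 POST https://example.zulipchat.com/api/v1/messages 200 "python-requests/2.32.0"
2025-07-23T09:01:00Z 10.0.0.9 GET https://example.zulipchat.com/api/v1/messages?anchor=newest 200 "Mozilla/5.0 (Windows NT 10.0) Firefox/128.0"
2025-07-23T09:01:05Z 10.0.0.9 POST https://example.zulipchat.com/api/v1/messages 200 "Mozilla/5.0 (Windows NT 10.0) Firefox/128.0"
2025-07-23T09:02:00Z 10.0.0.7 GET https://example.zulipchat.com/api/v1/messages?anchor=newest 200 "curl/8.5.0"
2025-07-23T09:02:10Z 10.0.0.7 GET https://www.example.com/index.html 200 "curl/8.5.0"
""".splitlines()
```

`suspicious_clients(profile_clients(SAMPLE_LOG))` returns only `["10.0.0.5"]`: the browser user is excluded by its user agent, and the curl client is excluded because it never posts messages.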

Conclusion

The OceanLotus-aligned campaign demonstrates a growing trend in supply chain attacks: using legitimate platforms like PyPI to distribute advanced malware. By mimicking common libraries and leveraging a public chat service for C2, the attackers increase the difficulty of detection and attribution. Organizations should verify the integrity of their Python dependencies, monitor for unusual network traffic to chat APIs, and maintain up-to-date threat intelligence to defend against such threats.

We continue to share indicators of compromise with the security community and recommend developers use tools like pip-audit and safety to scan their dependencies for known malicious packages.
