Unmasking the OceanLotus PyPI Attack: ZiChatBot Malware Explained

In July 2025, cybersecurity researchers uncovered a sophisticated supply chain attack on the Python Package Index (PyPI). Threat actor OceanLotus was suspected of uploading malicious wheel packages that masqueraded as legitimate libraries. These packages covertly delivered a new malware strain named ZiChatBot, which uniquely leverages the Zulip team chat API for command and control. This Q&A explores the attack's mechanics, the malware's behavior, and the implications for software security.

What is the OceanLotus PyPI supply chain attack discovered in July 2025?

Starting in July 2025, security researchers noticed a series of suspicious wheel packages being uploaded to PyPI. These packages were designed to appear as useful Python libraries—such as uuid32-utils, colorinal, and termncolor—but their true purpose was to act as droppers for a previously unknown malware family named ZiChatBot. The malware targets both Windows and Linux platforms by delivering malicious .DLL or .SO files. After notifying the PyPI security team, the packages were removed. However, the incident highlights the ongoing risk of supply chain attacks on open-source repositories. The attacker used multiple accounts and varied metadata, such as the email addresses laz****@tutamail.com and sym****@proton.me, to distribute the payloads.

Which malicious packages were uploaded to PyPI and what were their disguises?

The attackers created three projects on PyPI, each mimicing a popular development library:

• uuid32-utils – claimed to generate 32-character random UUIDs
• colorinal – promised cross-platform color terminal text
• termncolor – offered ANSI color formatting for terminal output

These packages were uploaded on July 16 and July 22, 2025. The wheel files were built for specific platforms: Windows (x86 and x64) and Linux (x86_64). For example, colorinal-0.1.7-py3-none-win_amd64.whl and similar variants. The metadata used fake author names and email addresses from encrypted services like Tutanota and ProtonMail to avoid detection. While the packages did implement the advertised functions, their real payload lay hidden inside, waiting to be executed.

How did the attackers ensure the malware was delivered without immediate suspicion?

The OceanLotus group employed a clever two-package strategy. They first uploaded a harmless-looking package that acted as a decoy. This benign package listed the actual malicious package as a dependency. When a developer installed the decoy, pip automatically fetched the malicious one too, because it was listed in the install_requires field. This made the attack difficult to spot, as the decoy performed its advertised function perfectly. The malicious package then executed during installation or upon importing the library, dropping the ZiChatBot payload (.DLL or .SO) onto the system. The use of typosquatting—where package names are similar to popular ones—also tricked users into installing the wrong package. This multistage deception shows a carefully planned supply chain compromise.

What is ZiChatBot and how does it communicate with its command and control?

ZiChatBot is the final payload delivered by the PyPI droppers. Unlike traditional malware that contacts a dedicated C2 server, ZiChatBot leverages the public Zulip team chat application’s REST APIs as its communication channel. It creates a bot account on Zulip and uses real-time API calls to receive commands and exfiltrate data. This approach blends malicious traffic with legitimate chat activity, making detection harder for network monitors. The malware is modular, supporting both Windows and Linux environments. It can execute arbitrary commands, download additional modules, and steal sensitive information. Because Zulip is a widely used collaboration tool, its API traffic often goes unnoticed, giving the attacker a stealthy foothold.

How did the dropper mechanism work across Windows and Linux?

The malicious wheel packages (e.g., colorinal) served as droppers. They contained platform-specific shared libraries: .DLL on Windows and .SO on Linux. When the library was imported in a Python script (or during pip install), a setup script extracted and executed the appropriate payload. The dropper then ran the DLL or SO file in memory, which in turn deployed the ZiChatBot malware. On Windows, the DLL might use techniques like process hollowing or reflective loading to evade defenses. On Linux, the shared library injected code into a running process or launched a background service. The same infection chain was used for both uuid32-utils and colorinal, while termncolor followed a slightly different path but delivered the same bot.

What evidence links this campaign to the OceanLotus threat actor group?

Security researchers submitted the malicious samples to the Kaspersky Threat Attribution Engine (KTAE). The analysis returned strong correlations with malware previously attributed to OceanLotus (also known as APT32 or SeaLotus). The code obfuscation techniques, API usage patterns, and the unique choice of Zulip as C2 infrastructure matched earlier reports from threat intelligence feeds. Although the attackers used new email accounts and package names, the underlying TTPs—supply chain compromise, dual-platform payloads, and stealthy C2—are hallmarks of OceanLotus operations. The group, believed to have state sponsorship, has a history of targeting technology firms and government entities in Southeast Asia. This campaign extends their reach into the open-source ecosystem.

What steps can developers take to protect against such supply chain attacks?

Developers should adopt a multilayered defense. First, verify package integrity by checking checksums or using tools like pip hash against known hashes. Second, audit dependencies with tools such as pip-audit or Snyk—they flag known vulnerabilities and suspicious packages. Third, use isolated environments (containers or virtualenvs) to limit the impact of a compromised package. Fourth, monitor for unusual API calls from trusted applications; for instance, Zulip traffic from non-Zulip processes could be a red flag. Fifth, maintain an allowlist of approved packages in enterprise environments. Finally, report suspicious packages to repository maintainers immediately. By staying vigilant and employing automated security checks, teams can reduce the risk of falling victim to supply chain malware like ZiChatBot.