OceanLotus Launches PyPI Supply Chain Attack with Novel ZiChatBot Malware

In July 2025, security researchers uncovered a sophisticated supply chain attack targeting the Python Package Index (PyPI). The threat group OceanLotus (also known as APT32) uploaded malicious wheel packages disguised as popular libraries. These packages acted as droppers for a previously unseen malware named ZiChatBot. Unlike typical malware, ZiChatBot leverages the public team chat app Zulip for command and control (C2), using its REST APIs instead of a dedicated server. This campaign demonstrates careful planning to compromise both Windows and Linux systems. Below, we answer key questions about the attack.

What is the OceanLotus PyPI Supply Chain Attack?

The attack is a supply chain compromise where OceanLotus uploaded three malicious PyPI packages: uuid32-utils, colorinal, and termncolor. These packages were designed to mimic legitimate libraries but secretly delivered a dropper that installed the ZiChatBot malware. The malware uses Zulip's REST APIs for C2 communication, avoiding traditional server infrastructure. The campaign started in July 2025 and was detected through routine threat hunting. Kaspersky's Threat Attribution Engine linked the packages to OceanLotus, confirming the group's involvement in a carefully orchestrated attack on the software supply chain.

Source: securelist.com

How Did the Attackers Spread the Malicious Packages on PyPI?

The attackers created three PyPI projects and uploaded wheel packages that imitated common libraries. For instance, uuid32-utils pretended to generate UUIDs, while colorinal claimed to handle cross-platform terminal colors. Each package was first uploaded between July 16 and July 22, 2025. The packages were published under fake accounts (e.g., laz**** and sym****) using email services like Tutanota and ProtonMail. To increase stealth, the attacker also published a benign-looking package that included the malicious one as a dependency, making it harder to detect. This spread method is typical of supply chain attacks.

What Are the Specific PyPI Packages Used?

The three malicious packages are:

  • uuid32-utils (v1.x.x) – claimed to generate 32-character UUIDs
  • colorinal (v0.1.7) – advertised as a cross-platform color terminal text library
  • termncolor (v3.1.0) – offered ANSI color formatting

Each package was available for Windows (x86 and x64) and Linux (x86_64). The metadata shows first upload dates in July 2025, with authors using anonymized email addresses. The distribution page for colorinal, for example, listed separate wheels for each platform, indicating multi-OS targeting.
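As an added example (not code from the original report or from the researchers), the following Python audit checks an environment for the three project names listed above and for any other installed package whose dependency chain leads to one of them, which is the wrapper-package trick described in the previous answer. The sample environment and the names `pretty_cli` and `acme-tool` are constructed for illustration.

```python
import re
from importlib import metadata

# Project names exactly as listed in this article (colorinal 0.1.7, termncolor 3.1.0,
# uuid32-utils 1.x.x). The attackers created the projects, so any version is a hit.
FLAGGED = {"uuid32-utils", "colorinal", "termncolor"}

# Constructed sample environment; 'pretty_cli' and 'acme-tool' are made-up names.
SAMPLE = [("Colorinal", "0.1.7", []), ("pretty_cli", "2.0", ["termncolor>=3"]),
          ("acme-tool", "1.4", ["pretty-cli ; python_version >= '3.8'"]),
          ("requests", "2.32.3", ["idna"])]

def normalize(name):
    """PEP 503 normalisation: pip treats Uuid32_Utils and uuid32-utils as one project."""
    return re.sub(r"[-_.]+", "-", name).lower()

def requirement_name(req):
    """Project name from a Requires-Dist string such as 'colorinal (>=0.1) ; os_name == "nt"'."""
    return normalize(re.match(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)", req).group(1))

def audit(dists):
    """dists: iterable of (name, version, [Requires-Dist strings]).
    Returns (flagged projects installed, other projects that depend on a flagged name)."""
    graph = {normalize(n): (v, {requirement_name(r) for r in reqs}) for n, v, reqs in dists}
    direct = {n: v for n, (v, _) in graph.items() if n in FLAGGED}
    tainted, changed = set(FLAGGED), True
    while changed:  # propagate backwards until no new dependent is found
        changed = False
        for name, (_, reqs) in graph.items():
            if name not in tainted and reqs & tainted:
                tainted.add(name)
                changed = True
    return direct, sorted(tainted - FLAGGED)

def installed():
    """The same tuples, read from the running interpreter's installed distributions."""
    for d in metadata.distributions():
        if d.metadata.get("Name"):
            yield d.metadata.get("Name"), d.version, d.requires or []

if __name__ == "__main__":
    print("sample:", audit(SAMPLE))
    print("this environment:", audit(installed()))
```

A dependent is reported even when the flagged package itself is absent, because the next install or upgrade would pull it in.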

How Does the Initial Infection Chain Work?

Using colorinal as an example, the infection chain begins when a user installs the malicious wheel package via pip install colorinal. The package's setup script executes a hidden dropper routine. This dropper determines the operating system and loads either a Windows DLL or a Linux shared library (SO file). These files then decode and execute the final payload: ZiChatBot. Importantly, the package appears to implement its advertised features (color handling), so users might not notice the malicious activity until after infection. The same chain applies to uuid32-utils, while termncolor may use a slightly different mechanism but with the same ultimate goal.
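Because the chain above depends on a DLL or SO shipped inside the wheel, a wheel can be triaged before installation by looking for PE or ELF content in its archive. This is an added example, not code from the original report; the sample wheel `demo_colors` is constructed in memory and is hypothetical.

```python
import io
import zipfile

# Leading bytes of the two payload formats the article names: Windows DLL (PE), Linux SO (ELF).
MAGIC = {b"MZ": "PE (Windows DLL/EXE)", b"\x7fELF": "ELF (Linux shared object)"}

def native_members(wheel_bytes):
    """Return {archive path: format} for each member that starts with a PE or ELF header.
    Content is checked rather than the extension, so a renamed binary is still reported."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as whl:
        for info in whl.infolist():
            if info.is_dir():
                continue
            with whl.open(info) as fh:
                head = fh.read(4)
            for magic, label in MAGIC.items():
                if head.startswith(magic):
                    found[info.filename] = label
    return found

def claims_pure_python(wheel_bytes):
    """True when the wheel's own WHEEL metadata declares Root-Is-Purelib: true."""
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as whl:
        for name in whl.namelist():
            if name.endswith(".dist-info/WHEEL"):
                lines = whl.read(name).decode("utf-8", "replace").splitlines()
                return any(l.strip().lower() == "root-is-purelib: true" for l in lines)
    return False

def triage(wheel_bytes):
    """Native members, plus whether they contradict a pure-Python declaration."""
    natives = native_members(wheel_bytes)
    return {"natives": natives, "mismatch": bool(natives) and claims_pure_python(wheel_bytes)}

def build_sample_wheel():
    """Constructed wheel: a colour helper whose 'theme.dat' data file is really an ELF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("demo_colors/__init__.py", "RED = 31\n")
        z.writestr("demo_colors/assets/theme.dat", b"\x7fELF" + b"\x00" * 60)
        z.writestr("demo_colors-0.0.1.dist-info/WHEEL",
                   "Wheel-Version: 1.0\nRoot-Is-Purelib: true\n")
    return buf.getvalue()

if __name__ == "__main__":
    print(triage(build_sample_wheel()))
```

A native binary is not malicious by itself, but a terminal-colour or UUID helper that ships one deserves a manual look before it is installed.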

What Is ZiChatBot and How Does It Communicate?

ZiChatBot is a previously unknown malware family discovered in this campaign. Its most distinctive characteristic is its use of the public team chat application Zulip for command and control (C2). Instead of connecting to a dedicated server, ZiChatBot interacts with Zulip's REST APIs to receive commands and exfiltrate data. This technique makes the malware harder to detect because network traffic appears to be normal chat activity. The malware is delivered as a DLL on Windows or an SO file on Linux, giving it cross-platform capabilities. Once active, it can execute various commands issued by the attacker through the Zulip bot interface.

What Platforms Are Targeted by This Attack?

The malicious wheel packages offer versions for both Windows and Linux. For Windows, the packages include x86 and x64 builds; for Linux, they provide an x86_64 build. This dual-platform capability shows that OceanLotus aimed to compromise a wide range of systems. The droppers deliver platform-specific payloads: a DLL on Windows and a shared library (SO) on Linux. As a result, developers or users installing these packages on either OS risk infection. The presence of termncolor as a pure Python wheel (no platform-specific binary) may allow it to run on any system, but its dependency chain still triggers the malicious dropper.

How Was the Attack Attributed to OceanLotus?

After discovering the malicious packages, researchers submitted samples to the Kaspersky Threat Attribution Engine (KTAE). The engine analyzed the code and behavioral similarities to previously documented OceanLotus malware. It found connections to a Threat Intelligence report that described OceanLotus techniques. Additionally, the use of anonymized email services (Tutanota and ProtonMail) and the careful mimicry of popular libraries align with OceanLotus's known operational security practices. While attribution is never 100% certain, the evidence strongly suggests OceanLotus (APT32) as the perpetrator behind this PyPI supply chain attack.

Why Is This Considered a Supply Chain Attack?

This attack qualifies as a supply chain attack because the malicious code is introduced into the software development process through a trusted distribution channel—PyPI. Developers and users who install these packages inadvertently trust their source, as PyPI is a widely used repository. The attacker weaponized this trust by publishing packages that appear legitimate but contain hidden droppers. Furthermore, the use of a benign-looking package that depends on the malicious one adds another layer of stealth, making detection difficult. Such attacks can compromise downstream users, including companies that depend on these libraries, potentially leading to data theft or further infiltration.
