10 Critical Facts About the OceanLotus PyPI Attack Delivering ZiChatBot Malware
In July 2025, security researchers uncovered a sophisticated supply chain attack targeting the Python Package Index (PyPI). Malicious wheel packages were uploaded, masquerading as legitimate libraries, but secretly delivering a new malware family named ZiChatBot. This campaign, attributed to the OceanLotus threat actor (also known as APT32 or SeaLotus), demonstrates advanced evasion techniques and cross-platform capabilities. Below are ten essential facts about this operation, from the fake packages to the abuse of a public chat app for command and control.
1. The Attack Was Launched via PyPI
Beginning in July 2025, attackers uploaded a series of malicious wheel packages to PyPI, the official repository for Python packages. These packages were designed to mimic popular libraries, tricking developers into installing them. The malicious code acted as a dropper, ultimately delivering the ZiChatBot malware. This method is a classic supply chain attack, targeting the software development lifecycle to compromise downstream users.

2. Three Fake Libraries Were Created
The threat actor set up three distinct PyPI projects, each with a name resembling legitimate tools: uuid32-utils (for generating UUIDs), colorinal (for cross-platform terminal colors), and termncolor (ANSI color formatting). These names were chosen to blend in with commonly used Python utilities, increasing the chance of accidental installation.
3. Packages Were Uploaded Under Fake Identities
The packages were registered by email addresses from privacy-focused providers. The uuid32-utils package was uploaded on July 16, 2025, by ‘laz****@tutamail.com’. The other two, colorinal and termncolor, appeared on July 22, 2025, from ‘sym****@proton.me’. This use of anonymous email accounts is typical of OceanLotus operations when establishing infrastructure.
4. The Malware Targets Both Windows and Linux
Analysis of the wheel packages reveals that they contain payloads for both Windows and Linux platforms. The dropper delivers either a .DLL file (Windows) or a .SO shared library (Linux). This dual-platform capability expands the attack surface, potentially infecting servers as well as developer workstations.
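A defensive check that follows from this fact, added here as an example and not code from the original article or from the researchers: a wheel whose filename tag says pure Python (`py3-none-any`) has no business shipping a .DLL or .SO, and a wheel carrying loaders for more than one OS is worth a second look. The sample wheel is constructed in memory; the package name and file layout are assumptions, not the real package's contents.

```python
"""Flag wheels that claim to be pure Python but ship native binaries,
or that bundle native payloads for more than one platform."""
import io
import zipfile

# Extensions of native code that can appear inside a wheel, mapped to the OS they target.
NATIVE_EXT = {".dll": "windows", ".pyd": "windows", ".so": "linux", ".dylib": "macos"}


def native_binaries(wheel):
    """Return {archive member: platform} for every native binary in a wheel (path, bytes or file object)."""
    if isinstance(wheel, bytes):
        wheel = io.BytesIO(wheel)
    found = {}
    with zipfile.ZipFile(wheel) as zf:
        for name in zf.namelist():
            lower = name.lower()          # ABI-tagged names like _x.cpython-311-x86_64-linux-gnu.so still end in .so
            for ext, plat in NATIVE_EXT.items():
                if lower.endswith(ext):
                    found[name] = plat
    return found


def assess_wheel(filename, wheel=None):
    """Return a list of findings for a wheel; empty means nothing suspicious was seen."""
    tags = filename[:-len(".whl")].split("-")   # name-version[-build]-python-abi-platform
    pure_python = tags[-2] == "none" and tags[-1] == "any"
    natives = native_binaries(filename if wheel is None else wheel)
    platforms = sorted(set(natives.values()))
    findings = []
    if pure_python and natives:
        findings.append("pure-python tag but ships native code: " + ", ".join(sorted(natives)))
    if len(platforms) > 1:
        findings.append("native payloads for multiple platforms: " + ", ".join(platforms))
    return findings


def build_sample_wheel():
    """Constructed sample: a 'py3-none-any' wheel hiding both a DLL and a shared object."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("colorinal/__init__.py", "import ctypes\n")
        zf.writestr("colorinal/_native.dll", b"MZ" + b"\x00" * 64)      # fake PE header only
        zf.writestr("colorinal/_native.so", b"\x7fELF" + b"\x00" * 64)  # fake ELF header only
        zf.writestr("colorinal-1.0.0.dist-info/METADATA", "Name: colorinal\n")
    return "colorinal-1.0.0-py3-none-any.whl", buf.getvalue()


if __name__ == "__main__":
    name, data = build_sample_wheel()
    for finding in assess_wheel(name, data):
        print("SUSPICIOUS:", name, "->", finding)
```

Run it against a real wheel with `assess_wheel("/path/to/file.whl")`; a clean pure-Python wheel returns an empty list.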
5. The Final Payload Is Named ZiChatBot
Security researchers dubbed the delivered malware ZiChatBot. This previously unknown family exhibits unusual command-and-control (C2) behavior. Instead of connecting to a dedicated server, it leverages public API endpoints of the popular team chat application Zulip to receive commands and exfiltrate data.
6. Zulip REST APIs Serve as C2 Infrastructure
ZiChatBot communicates with the attackers by making requests to Zulip’s REST APIs. This technique, often grouped with living off the land, is more precisely the abuse of a legitimate service as a covert channel. Because the traffic goes to a well-known chat platform over ordinary HTTPS, the malware blends in with normal network activity, making detection more difficult for traditional security tools.
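Blending in with Zulip traffic is harder when the question is which process is talking to the API. The following detection logic is an added example, not code from the original article: it reads proxy-style records and flags any process outside a chat-client allowlist that calls Zulip REST endpoints, plus any process polling those endpoints in a burst. The endpoint paths are Zulip's documented REST routes; the log format, sample records, process allowlist and threshold are assumptions for this example.

```python
"""Flag Zulip REST API use from processes that should not be chat clients.
Record format (constructed for this example): time host process method path."""
from collections import defaultdict
from datetime import datetime

# Documented Zulip REST routes a bot needs: register a queue, read and post messages, long-poll events.
ZULIP_API_PREFIXES = ("/api/v1/register", "/api/v1/messages", "/api/v1/events")
# Processes expected to reach Zulip from a workstation (assumed allowlist; tune per environment).
ALLOWED_PROCESSES = {"zulip", "zulip.exe", "chrome", "chrome.exe", "firefox", "firefox.exe"}

# Constructed sample records: a browser session, a python.exe process hammering the API, and a pip fetch.
SAMPLE_LOG = """\
2025-07-23T09:00:01 example.zulipchat.com chrome.exe GET /api/v1/events
2025-07-23T09:00:05 example.zulipchat.com python.exe POST /api/v1/register
2025-07-23T09:00:07 example.zulipchat.com python.exe GET /api/v1/messages
2025-07-23T09:00:09 example.zulipchat.com python.exe GET /api/v1/messages
2025-07-23T09:00:11 example.zulipchat.com python.exe POST /api/v1/messages
2025-07-23T09:00:30 example.zulipchat.com chrome.exe GET /api/v1/events
2025-07-23T09:01:00 pypi.org pip.exe GET /simple/colorinal/
"""


def parse_log(text):
    """Parse whitespace-separated records into (timestamp, host, process, method, path) tuples."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, host, proc, method, path = line.split()
            records.append((datetime.fromisoformat(ts), host, proc, method, path))
    return records


def zulip_api_hits(records):
    """Group requests to Zulip API routes by the process that made them."""
    hits = defaultdict(list)
    for ts, host, proc, method, path in records:
        if path.startswith(ZULIP_API_PREFIXES):
            hits[proc].append((ts, method, path))
    return hits


def is_burst(timestamps, limit, window=60):
    """True if more than `limit` calls fall inside any `window`-second span (timestamps sorted)."""
    return any((timestamps[i + limit] - timestamps[i]).total_seconds() <= window
               for i in range(len(timestamps) - limit))


def suspicious_processes(records, max_per_window=3):
    """Map process name -> reasons for every process whose Zulip API use looks wrong."""
    findings = {}
    for proc, calls in zulip_api_hits(records).items():
        reasons = []
        if proc.lower() not in ALLOWED_PROCESSES:
            reasons.append("unexpected process uses Zulip REST API")
        if is_burst([c[0] for c in calls], max_per_window):
            reasons.append(f"{len(calls)} API calls within 60s (limit {max_per_window})")
        if reasons:
            findings[proc] = reasons
    return findings


if __name__ == "__main__":
    for proc, reasons in suspicious_processes(parse_log(SAMPLE_LOG)).items():
        print(proc, "->", "; ".join(reasons))
```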

7. A Decoy Package Hid the Malicious One
To further conceal the attack, the threat actor created a benign-looking package that included the malicious one as a dependency. This decoy package appeared harmless and functional, but installing it would trigger the download of the actual malware. This layered approach shows careful planning to evade scrutiny.
8. The Infection Chain Follows a Pattern
The uuid32-utils and colorinal packages share a similar infection mechanism. After installation, the wheel file drops a malicious payload that executes silently. The payload is often obfuscated or disguised as part of the library’s legitimate functionality. An in-depth analysis of colorinal serves as a representative example of the entire chain.
9. OceanLotus Attribution via Threat Intelligence
Researchers used the Kaspersky Threat Attribution Engine (KTAE) to analyze the samples. Results linked the packages to previous OceanLotus activity reported in threat intelligence. OceanLotus is a known advanced persistent threat (APT) group with ties to Vietnam, often targeting organizations in Southeast Asia and around the world.
10. The Attack Was a Carefully Orchestrated Supply Chain Compromise
This campaign exemplifies a modern supply chain attack: fake libraries, decoys, anonymous accounts, and stealthy C2 channels. The use of PyPI as a distribution vector allows the malware to reach a wide audience of developers. It underscores the need for vigilance when installing third-party packages and for implementing software supply chain security measures.
In conclusion, the OceanLotus PyPI attack demonstrates the evolving sophistication of threat actors. By understanding the techniques used (imitation, decoys, platform-agnostic payloads, and abuse of legitimate services), organizations can better defend against similar threats. Regularly reviewing dependencies, monitoring for unusual outbound network traffic, and educating developers about supply chain risks are crucial steps in staying protected.