Unmasking the OceanLotus PyPI Supply Chain Attack: ZiChatBot Malware Explained

In July 2025, cybersecurity researchers uncovered a sophisticated supply chain attack targeting the Python Package Index (PyPI). Malicious wheel packages mimicking popular libraries were uploaded, ultimately delivering a new malware family named ZiChatBot. Unlike typical malware, ZiChatBot leverages the public team chat application Zulip for command-and-control (C2) communications, using REST APIs instead of a dedicated server. This campaign, attributed to the OceanLotus threat group, highlights the growing risks in open-source ecosystems. Below are key questions and detailed answers about this attack.

What is ZiChatBot and how does it differ from traditional malware?

ZiChatBot is a previously unknown malware family that operates as a dropper and a backdoor. Its most distinctive feature is its communication method: instead of connecting to a dedicated command-and-control server, ZiChatBot uses the public Zulip chat application's REST APIs as its C2 infrastructure. This approach allows it to blend in with legitimate traffic, making detection more difficult. Traditional malware often relies on fixed IP addresses or domains that can be blocked, but ZiChatBot's reliance on a widely used service gives it greater resilience. The malware is delivered via malicious PyPI packages that install either a .DLL (Windows) or .SO (Linux shared library) file, enabling cross‑platform targeting. Once executed, ZiChatBot can receive commands and transmit data through Zulip channels, effectively hiding its malicious activity within normal chat traffic.

Unmasking the OceanLotus PyPI Supply Chain Attack: ZiChatBot Malware Explained — Source: securelist.com

How did the attackers spread the malware via PyPI?

The attackers created three fake PyPI projects that mimicked popular libraries to trick developers into installing them. The packages were named uuid32-utils, colorinal, and termncolor. Each was uploaded as a wheel file designed to look legitimate—for example, uuid32-utils claimed to generate 32‑character random UUIDs, while colorinal and termncolor offered cross‑platform terminal color utilities. These packages were first uploaded in mid‑July 2025 by accounts using anonymous email services like Tutamail and ProtonMail. By imitating common libraries, the attackers increased the chance of accidental installation by developers who might type a similar name or rely on automated dependency resolution. Once installed, the malicious code silently dropped the ZiChatBot payload, making this a classic supply chain attack.

What platforms does ZiChatBot target?

ZiChatBot is designed to compromise both Windows and Linux systems. The malicious wheel packages include platform‑specific files: .DLL files for Windows and .SO (shared object) files for Linux. For example, the colorinal project offered download options for X86 and X64 Windows versions, as well as an x86_64 Linux variant. This dual‑platform capability indicates that the attackers aimed to reach a broad audience, including developers and system administrators who work in heterogeneous environments. The malware's ability to adapt to different operating systems underscores the advanced planning behind the campaign and highlights the need for cross‑platform security monitoring.

What tactics did the attackers use to conceal the malicious package?

To hide the malicious package containing ZiChatBot, the attackers employed a clever obfuscation technique. They created another benign‑looking library that listed the actual malicious package as a dependency. When a developer installed the seemingly harmless package, the dependency resolver automatically fetched and installed the malicious one. This approach made the attack harder to spot because the dependency chain looked legitimate—users might audit the top‑level package but not its nested requirements. Additionally, the fake packages implement the features advertised on their PyPI pages (e.g., generating UUIDs or coloring terminal text), so basic functional tests would not raise suspicion. Only by examining the full code or monitoring network activity would the covert delivery of .DLL/.SO files become apparent.

What were the fake PyPI packages and their details?

Three malicious projects were created on PyPI. Here are the key metadata for each:

uuid32-utils: pip install uuid32-utils; file uuid32_utils-1.x.x-py3-none-[OS].whl; first uploaded 2025-07-16; author laz**** / laz****@tutamail.com
colorinal: pip install colorinal; file colorinal-0.1.7-py3-none-[OS].whl; first uploaded 2025-07-22; author sym**** / sym****@proton.me
termncolor: pip install termncolor; file termncolor-3.1.0-py3-none-any.whl; first uploaded 2025-07-22; author sym**** / sym****@proton.me

The wheel files were offered for multiple platforms (Windows X86, X64; Linux x86_64). The attackers used anonymous email providers to register their accounts, making attribution more challenging.

How was the attack discovered and what analysis was performed?

The campaign was uncovered during routine threat hunting conducted by security researchers. They noticed a series of suspicious wheel packages uploaded to PyPI starting in July 2025. After sharing this information with the public security community, the malicious packages were removed from the repository. The samples were then submitted to the Kaspersky Threat Attribution Engine (KTAE) for deeper analysis. Based on the results, the researchers linked the packages to malware discussed in a Threat Intelligence report on OceanLotus. The analysis confirmed that the packages acted as droppers for ZiChatBot, a previously undocumented malware family. The discovery highlights the importance of continuous monitoring of package repositories and the value of collaborative threat intelligence sharing.

What is the infection chain for the colorinal library?

As a representative example, the colorinal library follows a clear infection chain. First, a developer installs the colorinal package from PyPI using pip install colorinal. The package executes its advertised functionality—outputting colored terminal text—but also runs hidden code that downloads and executes a malicious payload. This payload is a .DLL file (on Windows) or a .SO file (on Linux) that contains the ZiChatBot malware. Once the DLL/SO is loaded, ZiChatBot establishes communication with the Zulip chat service via REST APIs, allowing the attacker to issue commands and exfiltrate data. The entire chain is designed to be stealthy, with the legitimate feature serving as a smokescreen. This pattern is similar in the uuid32-utils package, reinforcing the coordinated nature of the attack.

What does this campaign signify for the open‑source ecosystem?

This campaign is a stark reminder that open‑source package repositories like PyPI are prime targets for supply chain attacks. By hijacking trust in widely used platforms, threat actors can distribute malware to thousands of developers and organizations. The OceanLotus group demonstrated careful planning: they created credible‑looking libraries, used anonymous accounts, and implemented functional features to avoid immediate suspicion. The use of a legitimate chat service (Zulip) as C2 infrastructure further blurs the line between malicious and benign traffic. This incident underscores the need for stronger security measures in package registries, such as automated malware scanning, developer verification, and dependency auditing. Developers should always verify the integrity of third‑party packages and consider using tools that detect anomalous behaviors in installed libraries.

Tags: