In July 2025, threat hunters discovered a sophisticated supply chain attack targeting the Python Package Index (PyPI). The campaign, attributed to the advanced persistent threat group OceanLotus, involved a series of malicious wheel packages that secretly dropped a new malware strain called ZiChatBot. Unlike conventional malware, ZiChatBot leverages the Zulip team chat platform for command-and-control, making it exceptionally stealthy. Below, we break down the 10 most important things you need to know about this operation.
1. Attackers Weaponized PyPI With Fake Python Libraries
OceanLotus uploaded three malicious wheel packages to PyPI under the guise of legitimate tools. The packages—uuid32-utils, colorinal, and termncolor—were designed to imitate popular libraries. Their actual purpose was to deliver a hidden payload. This is a textbook supply chain attack: by publishing fake packages, the attackers tricked developers into downloading them through pip install commands. The first package appeared on July 16, 2025, with subsequent ones following within a week.
2. The Malware Targets Both Windows and Linux Systems
The dropper packages contained either .DLL files for Windows or .SO shared libraries for Linux. This cross-platform capability suggests the attackers aimed to compromise a wide range of development environments. The PyPI distribution pages listed separate wheel files for Windows X86, Windows X64, and Linux x86_64. For instance, the colorinal project offered three distinct download options matching each platform.
3. ZiChatBot: A Previously Unknown Malware Family
After the dropper executed, it deployed a novel malware strain named ZiChatBot. This malware does not rely on traditional command-and-control servers. Instead, it communicates via REST APIs of Zulip, a public team chat application. By piggybacking on a legitimate service, ZiChatBot can evade network detection tools that flag unusual traffic. The attackers likely chose Zulip because it offers encrypted channels and API keys that blend in with normal developer activity.
4. Decoy Packages Hid the Real Threat
To further obscure their operation, OceanLotus created a benign-looking package that listed the malicious one as a dependency. This technique allows the harmless package to function as a decoy while silently downloading the harmful one. Developers who installed the decoy would inadvertently pull in the malware—a classic example of dependency confusion. The attack chain was carefully planned to avoid raising suspicion until the final payload was active.
5. Initial Infection Vector: PyPI Supply Chain Attack
This campaign is a clear case of a supply chain attack via PyPI. By uploading counterfeit packages, the attackers gained access to users who trusted the official repository. The wheel files were digitally signed with plausible metadata—authors used email addresses from Tutamail and ProtonMail, adding a veneer of legitimacy. The packages also implemented the surface-level features described on their PyPI pages (e.g., UUID generation or color formatting), so victims rarely noticed anything odd.
6. Detailed Metadata of the Malicious Packages
Here is a summary of the key metadata for each fake library:
- uuid32-utils: First uploaded 2025-07-16, author laz****@tutamail.com. Pip command:
pip install uuid32-utils. Wheel file: uuid32_utils-1.x.x-py3-none-[OS platform].whl. - colorinal: Uploaded 2025-07-22, author sym****@proton.me. Wheel file: colorinal-0.1.7-py3-none-[OS platform].whl.
- termncolor: Uploaded 2025-07-22, same author. Wheel file: termncolor-3.1.0-py3-none-any.whl (cross-platform).
The metadata shows the attackers reused email aliases and staggered uploads to avoid detection.
7. How the Infection Chain Works (Using colorinal as Example)
The colorinal package serves as a representative example. When installed, its legitimate color-output code runs normally, but hidden within the wheel is a malicious dropper. This dropper extracted an encrypted payload—a .DLL or .SO file—from the package resources. It then executed the payload, which in turn contacted Zulip’s REST APIs to fetch further commands. The entire chain is designed to appear as normal library imports to casual observers.
8. Attribution to OceanLotus via KTAE Analysis
Kaspersky’s Threat Attribution Engine (KTAE) analyzed the samples and found strong links to OceanLotus, a state-sponsored APT group known for espionage. The code similarities, encryption routines, and infrastructure patterns matched previous OceanLotus campaigns described in threat intelligence reports. This attribution confirms that even developer ecosystems like PyPI are now prime targets for nation-state actors.
9. Why Using Zulip as C2 Is a Game Changer
ZiChatBot’s reliance on Zulip makes detection harder for several reasons. First, Zulip is a legitimate service used by thousands of development teams, so its traffic is rarely blocked. Second, the malware uses REST API calls with authenticated API keys, making it blend in with regular API usage. Third, the bot can receive commands by polling specific Zulip streams or topics, giving attackers a flexible and persistent control channel that can be updated without changing infrastructure.
10. Lessons for Developers and Security Teams
This attack highlights the need for extreme caution when using open-source package repositories. Developers should:
- Verify package authenticity—check author history, download counts, and code reviews.
- Use dependency scanning tools to flag suspicious wheel files.
- Monitor for unusual API calls to services like Zulip from running Python processes.
- Implement network segmentation so that building environments cannot reach arbitrary external APIs.
Security teams must also treat PyPI as a high-risk vector and prioritize behavioral detection over signature-based methods.
Conclusion
The OceanLotus PyPI campaign is a stark reminder that supply chain attacks are evolving. By combining fake packages, cross-platform payloads, and a novel C2 channel via Zulip, the attackers demonstrated advanced tradecraft. The discovery of ZiChatBot adds a new piece to the malware landscape, and the security community must adapt its defenses accordingly. Staying vigilant—and questioning every dependency—is more critical than ever.