PyPI Supply Chain Attack: OceanLotus Distributes ZiChatBot via Malicious Wheel Packages
Introduction
In July 2025, cybersecurity researchers detected a series of suspicious wheel packages uploaded to the Python Package Index (PyPI). These packages, masquerading as legitimate libraries, were part of a carefully orchestrated supply chain attack. After sharing findings with the security community, the malicious files were removed. Subsequent analysis by Kaspersky's Threat Attribution Engine (KTAE) linked the packages to the advanced persistent threat group known as OceanLotus (also tracked as APT32 or Cobalt Kitty). The true purpose of these packages was to stealthily deliver a previously undocumented malware family we have named ZiChatBot.
Attack Overview
Unlike typical malware that relies on dedicated command-and-control (C2) servers, ZiChatBot leverages the public REST APIs of the team chat application Zulip as its C2 infrastructure. This approach makes network communications appear benign and harder to detect. The malicious wheel packages act as droppers, delivering either DLL (Windows) or SO (Linux shared library) files, demonstrating cross-platform targeting. The attackers further concealed their activities by creating a benign-looking package that included the malicious package as a dependency, increasing the likelihood of accidental installation.
The Malicious PyPI Packages
The attackers created three PyPI projects, each offering wheel packages designed to mimic popular libraries:
- uuid32-utils: Posed as a utility for generating 32-character random strings as UUIDs.
- colorinal: Masqueraded as a cross-platform library for colored terminal text output.
- termncolor: Disguised as a package for ANSI color formatting in terminal output.
These packages were uploaded starting July 16, 2025, with the following metadata:
| Package | Pip Install Command | Wheel File Name | First Upload Date | Author / Email |
|---|---|---|---|---|
| uuid32-utils | pip install uuid32-utils | uuid32_utils-1.x.x-py3-none-[OS platform].whl | 2025-07-16 | laz**** / laz****@tutamail.com |
| colorinal | pip install colorinal | colorinal-0.1.7-py3-none-[OS platform].whl | 2025-07-22 | sym**** / sym****@proton.me |
| termncolor | pip install termncolor | termncolor-3.1.0-py3-none-any.whl | 2025-07-22 | sym**** / sym****@proton.me |
The packages were distributed in multiple platform-specific variants: x86 and x64 for Windows, and x86_64 for Linux. For instance, the colorinal project offered separate wheel files for each architecture.
Infection Chain Analysis
Both the uuid32-utils and colorinal packages utilized similar infection mechanisms. For clarity, we detail the process using colorinal as a representative example.
Initial Dropper Stage
Upon installation via pip, the wheel package executes its setup script. While the package appears to implement the advertised functionality (e.g., colored terminal output), it also silently drops a malicious payload onto the system. This payload is a DLL (on Windows) or SO (on Linux) file, which is subsequently loaded and executed.
ZiChatBot Malware
The dropped payload is the core component: the ZiChatBot malware. Instead of establishing direct communication with a traditional C2 server, ZiChatBot uses Zulip's REST APIs to send and receive commands. This technique allows the malware to blend in with legitimate Zulip traffic, evading network-based detection. The bot can execute arbitrary commands, exfiltrate data, and potentially move laterally within the compromised environment.
Dependency Concealment
To avoid suspicion, the attacker also published a seemingly harmless package that listed one of the malicious packages as a dependency. This tactic increased the chances that unsuspecting users would inadvertently install the malware when installing the benign-looking package.
Indicators of Compromise
Organizations should monitor for the following indicators:
- Installation of any of the three packages: uuid32-utils, colorinal, termncolor.
- Network traffic to Zulip API endpoints that is not associated with legitimate use of the Zulip service.
- Unexpected DLL or SO files dropped in temporary or installation directories.
Mitigation and Recommendations
To defend against such supply chain attacks, we recommend:
- Regularly audit Python packages in your projects using tools like
pip-auditor safety checks. - Verify package authors and check download statistics; suspicious packages often have few downloads or recent uploads.
- Use a private PyPI mirror or repository manager to control which packages are available.
- Monitor network traffic for unusual connections to chat service APIs, especially from non-browser processes.
Conclusion
The OceanLotus group continues to evolve its techniques, now leveraging the trust placed in open-source package repositories to deploy malware. The use of Zulip as a C2 channel represents a clever evasion method. This incident underscores the importance of proactive threat hunting and robust supply chain security practices. Security teams should remain vigilant and treat any package with suspicious behavior as a potential threat.