OceanLotus APT Suspected in Novel PyPI Supply Chain Attack Delivering ZiChatBot Malware


Breaking: OceanLotus APT Suspected in PyPI Supply Chain Attack

A sophisticated supply chain attack targeting the Python Package Index (PyPI) has been linked to the advanced persistent threat group OceanLotus (APT32), according to researchers at Kaspersky. Since July 2025, malicious wheel packages disguised as popular libraries have been uploaded to PyPI, delivering a previously unknown malware strain dubbed ZiChatBot.

OceanLotus APT Suspected in Novel PyPI Supply Chain Attack Delivering ZiChatBot Malware
Source: securelist.com

The malware uses the public team chat application Zulip as its command-and-control infrastructure, a novel evasion technique that avoids traditional C2 servers. ZiChatBot is capable of targeting both Windows and Linux systems, with its final payload delivered as a DLL or shared object (SO) file.

Attack Details: Fake Libraries and First Upload Dates

Three fake libraries were created by the attackers: uuid32-utils (first uploaded July 16, 2025), colorinal (July 22, 2025), and termncolor (July 22, 2025). The packages mimic legitimate tools for UUID generation and terminal color formatting, but their true purpose is to drop the ZiChatBot payload.

According to Kaspersky's Threat Attribution Engine, the metadata behind these packages—including the author email addresses (laz****@tutamail.com and sym****@proton.me)—closely aligns with previous OceanLotus infrastructure. “The campaign is meticulously planned, with one benign-looking package including the malicious one as a dependency to evade detection,” said Alexei Petrov, lead threat researcher at Kaspersky's GReAT team.

Technical Analysis: Dropper Behavior and Zulip C2

Upon installation, the malicious wheel packages act as droppers. For Windows systems, a DLL is executed; for Linux, a .so file is loaded. The dropper then contacts Zulip's REST APIs to receive commands, a technique never before seen in OceanLotus operations. “By piggybacking on legitimate chat infrastructure, ZiChatBot can blend in with normal traffic, making detection extremely difficult,” Petrov explained.

The malware does not maintain persistent communication with a dedicated C2 server, reducing its network footprint. Instead, it periodically polls Zulip channels for new instructions, which can include data exfiltration, lateral movement, or additional payload delivery.

Background: OceanLotus and PyPI Attacks

OceanLotus, also tracked as APT32 and SeaLotus, is a Vietnam-based threat actor active since at least 2012, known for targeting governments, media, and human rights groups across Southeast Asia. The group has historically used spear-phishing and watering hole attacks, but this is its first public use of a Python package repository for distribution.


“PyPI supply chain attacks are escalating globally, but OceanLotus bringing its full toolchain to open-source ecosystems marks a worrying shift,” noted Maria Korolova, a cybersecurity analyst tracking APT groups. The packages were removed from PyPI after Kaspersky reported them to the security community, but users who installed them before July 22 remain at risk.

What This Means for Developers and the Open-Source Community

This incident underscores the growing threat of supply chain attacks via trusted repositories like PyPI. Developers are urged to verify package authenticity by checking metadata, upload dates, and author history before installing. “If a package claims to be a utility but includes unusual dependencies or binary blobs, treat it with suspicion,” Petrov advised.
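One way to apply that advice before installing a wheel, as an added example that is not part of the article or of Kaspersky's tooling: the script below opens a wheel (a zip archive), normalises its name, flags any dependency on the three package names reported above, and lists native binaries (DLL/SO) bundled inside a package that presents itself as a pure-Python utility. The demo wheels are constructed in memory and are not the real malicious packages.

```python
"""Audit a Python wheel for the traits described in the article (added example)."""
import io
import re
import zipfile

# Package names reported in the article; a dependency on any of them is a red flag.
KNOWN_BAD = {"uuid32-utils", "colorinal", "termncolor"}
# Native code has no place in a "pure utility" package for UUIDs or terminal colours.
NATIVE_EXT = (".dll", ".so", ".pyd", ".dylib")


def _norm(name: str) -> str:
    """PEP 503 normalisation so 'uuid32_utils' and 'UUID32.Utils' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def audit_wheel(data: bytes) -> dict:
    """Return findings for one wheel supplied as bytes."""
    findings = {"name": None, "bad_deps": [], "native_files": [], "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for member in zf.namelist():
            if member.lower().endswith(NATIVE_EXT):
                findings["native_files"].append(member)
            if member.endswith(".dist-info/METADATA"):
                for line in zf.read(member).decode("utf-8", "replace").splitlines():
                    if line.startswith("Name:"):
                        findings["name"] = _norm(line.split(":", 1)[1].strip())
                    elif line.startswith("Requires-Dist:"):
                        # Strip version specifiers, extras and environment markers.
                        spec = line.split(":", 1)[1].strip()
                        dep = re.split(r"[ ;(<>=!~\[]", spec, maxsplit=1)[0]
                        if _norm(dep) in KNOWN_BAD:
                            findings["bad_deps"].append(_norm(dep))
    findings["suspicious"] = bool(
        findings["bad_deps"] or findings["native_files"] or findings["name"] in KNOWN_BAD
    )
    return findings


def build_demo_wheel(name: str, requires=(), extra_files=()) -> bytes:
    """Construct a minimal wheel in memory; demo input only, not a real package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        meta = ["Metadata-Version: 2.1", f"Name: {name}", "Version: 0.0.1"]
        meta += [f"Requires-Dist: {r}" for r in requires]
        zf.writestr(f"{name}-0.0.1.dist-info/METADATA", "\n".join(meta))
        zf.writestr(f"{name}/__init__.py", "# constructed stub\n")
        for path in extra_files:
            zf.writestr(path, b"\x00constructed\x00")  # stand-in for a binary blob
    return buf.getvalue()


if __name__ == "__main__":
    print(audit_wheel(build_demo_wheel("colorinal_wrapper", requires=["termncolor>=0.1"])))
```

To audit a downloaded file, pass `open("pkg.whl", "rb").read()` to `audit_wheel`; a hit on `bad_deps` or `native_files` is a reason to inspect the package before installing it.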

Organizations should also monitor outbound connections to chat application APIs, such as Zulip, that are not part of normal business workflows. The use of legitimate services as C2 channels makes traditional domain blocklists ineffective. Kaspersky has released indicators of compromise (IoCs) for the malicious packages and encourages threat hunters to check their networks for signs of ZiChatBot.

As OceanLotus continues to adapt its tactics, the security community must remain vigilant. This attack demonstrates that even well-known threat groups are embracing innovative delivery methods, and the line between legitimate software and malware grows ever thinner.
