Bitvise
2026-05-13
Cybersecurity

OceanLotus PyPI Attack: Delivering ZiChatBot Malware via Fake Python Libraries

OceanLotus (APT32) used fake PyPI packages to deliver ZiChatBot malware via Zulip APIs. Discovered July 2025, packages removed. Highlights supply chain risks.

Beginning in July 2025, cybersecurity researchers discovered a series of malicious Python wheel packages uploaded to the Python Package Index (PyPI). These packages, attributed to the threat actor OceanLotus (also known as APT32), were designed to impersonate popular libraries and covertly deliver a previously unknown malware family named ZiChatBot. Unlike traditional malware that relies on dedicated command-and-control servers, ZiChatBot leverages the public API of the Zulip team chat app to receive instructions. This supply chain attack underscores the growing risk of compromised open-source repositories. Below, we answer key questions about this campaign.

What is OceanLotus, and why is this PyPI attack significant?

OceanLotus, also tracked as APT32, is a cyberespionage group widely believed to be sponsored by the Vietnamese government. They have historically targeted foreign governments, corporations, and human rights organizations with custom malware and phishing campaigns. This PyPI attack is significant because it marks a shift toward supply chain compromise using legitimate open-source repositories. By uploading malicious wheel packages that mimic trusted libraries like uuid32-utils, colorinal, and termncolor, the attackers aimed to trick developers into installing backdoored software. The activity began in July 2025 and was swiftly reported to the security community, leading to removal of the packages. However, it highlights how threat actors can exploit the trust inherent in package managers.

OceanLotus PyPI Attack: Delivering ZiChatBot Malware via Fake Python Libraries
Source: securelist.com

How were the malicious PyPI packages discovered?

Security researchers at a prominent cybersecurity firm detected the suspicious packages during routine threat hunting. They observed a spike in uploads of Python wheel files that appeared to be legitimate but contained hidden malicious code. The packages were reported to the public security community, and PyPI administrators promptly removed them. Following removal, the samples were submitted to the Kaspersky Threat Attribution Engine (KTAE) for deeper analysis. KTAE correlated the malware with indicators previously linked to OceanLotus in intelligence reports. This collaborative effort between researchers, repository maintainers, and threat intelligence platforms enabled rapid identification and takedown, though the campaign may have already compromised some users.

What are the fake packages and how do they trick users?

The attackers created three PyPI projects that impersonated legitimate-sounding libraries. The first was uuid32-utils, described as a UUID generator; the second, colorinal, for cross-platform colored terminal output; and the third, termncolor, for ANSI color formatting. Each package had a plausible pip install command and appeared functional at first glance. For example, pip install uuid32-utils would install uuid32_utils-1.x.x-py3-none-[OS platform].whl, uploaded with author email laz****@tutamail.com. The packages were made available for Windows (x86, x64) and Linux (x86_64). To evade detection, the attackers included a benign-looking package as a dependency that contained the actual malicious code, making the infection chain harder to trace.

How does the infection chain work for the malicious packages?

Once a user installs one of the fake packages (using colorinal as an example), the package executes as a dropper. It delivers a hidden payload, either a .DLL file for Windows systems or a .so shared library for Linux systems; this payload is the ZiChatBot malware itself. The infection chain is designed to be stealthy: the malicious files are not directly visible on the PyPI project page, and the packages implement the advertised features while covertly dropping the malware. The uuid32-utils and colorinal libraries follow a similar pattern, using obfuscation techniques common in supply chain attacks. The termncolor package, though identical in intent, may have variant metadata.
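The two sections above describe the shape a defender can check for before a wheel is ever installed: a pinned hash that must match, and a pure-Python package that bundles a native .dll/.so and loads it from its own code. The following is an added example, not code from the article or from the Securelist/Kaspersky research; the package name colorpkg, the sample wheel and the regex heuristics are all constructed for illustration.

```python
import hashlib
import io
import re
import zipfile

# Static heuristics matching the dropper shape described above: a pure-Python
# package that ships a native .dll/.so and loads it from its own code.
NATIVE_EXT = (".dll", ".so", ".pyd", ".dylib")
RISKY_PATTERNS = {
    "native_loader": re.compile(r"\bctypes\.(CDLL|WinDLL)\b|\bcffi\b"),
    "decoder": re.compile(r"\b(base64\.b64decode|zlib\.decompress|marshal\.loads)\b"),
    "exec_eval": re.compile(r"\b(exec|eval)\s*\("),
    "chat_api": re.compile(r"zulipchat\.com|/api/v1/messages", re.I),
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def triage_wheel(wheel_bytes: bytes, expected_sha256: str = "") -> dict:
    """Inspect a wheel held in memory without installing or importing it.
    Returns the pinned-hash check result (None if no hash was supplied), the
    native binaries found, and which .py files matched each risky pattern."""
    findings = {"hash_ok": None, "native_files": [], "flags": {}}
    if expected_sha256:
        findings["hash_ok"] = sha256_hex(wheel_bytes) == expected_sha256.lower()
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        for name in zf.namelist():
            if name.lower().endswith(NATIVE_EXT):
                findings["native_files"].append(name)
            elif name.endswith(".py"):
                src = zf.read(name).decode("utf-8", "replace")
                for label, pat in RISKY_PATTERNS.items():
                    if pat.search(src):
                        findings["flags"].setdefault(label, []).append(name)
    return findings

def build_sample_wheel() -> bytes:
    """Constructed sample (not a real artifact): a colour-output lookalike whose
    __init__ loads a bundled shared object, the pattern the article describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("colorpkg/__init__.py",
                    "import ctypes, os\n"
                    "_lib = ctypes.CDLL(os.path.join(os.path.dirname(__file__), 'helper.so'))\n")
        zf.writestr("colorpkg/helper.so", b"\x7fELF placeholder, not executable code")
        zf.writestr("colorpkg-1.0.dist-info/METADATA", "Name: colorpkg\nVersion: 1.0\n")
    return buf.getvalue()
```

Run `triage_wheel(build_sample_wheel())` to see the sample flagged for a bundled `.so` plus a `ctypes` loader; a genuine pure-Python colour library should produce an empty `native_files` list, and a hash mismatch against the pinned value is reason enough to stop before install.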


What is ZiChatBot malware and how does it communicate with attackers?

ZiChatBot is a previously undocumented malware family that functions as a remote access trojan (RAT). Its most distinctive feature is its command-and-control (C2) mechanism: rather than using a dedicated server, it abuses the public REST APIs of Zulip, a widely used team chat application. This allows the malware to blend in with legitimate network traffic, as it communicates over standard HTTP/HTTPS to Zulip’s cloud endpoints. The bot can receive commands, exfiltrate data, and update itself without raising suspicion. Using a popular service as C2 infrastructure is an advanced evasion technique that makes detection by traditional network monitoring tools more difficult. This method also lowers operational costs for the attackers, as they don’t need to host their own servers.
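Because the C2 traffic rides on Zulip's own REST API, the network signal is not the destination but who is talking to it and with what client. The following detection pass over constructed proxy log lines is an added example, not from the article or the research it summarises; the log format, host names and the "known client" user-agent prefixes are assumptions, while the /api/v1/register, /api/v1/events and /api/v1/messages paths and the zulipchat.com cloud domain are real parts of Zulip's public API.

```python
import re
from collections import defaultdict

# Constructed proxy log lines (not real telemetry): timestamp, source host,
# method, URL, user agent. The two build-runner-03 API calls mimic a
# non-interactive host polling the Zulip REST API with a generic HTTP client.
SAMPLE_LOG = """\
2025-07-18T09:00:01Z dev-laptop-07 GET https://example.zulipchat.com/api/v1/messages?anchor=newest "ZulipDesktop/5.10.0"
2025-07-18T09:00:05Z dev-laptop-07 GET https://example.zulipchat.com/ "Mozilla/5.0 (Windows NT 10.0)"
2025-07-18T09:01:10Z build-runner-03 POST https://example.zulipchat.com/api/v1/register "python-requests/2.32.3"
2025-07-18T09:01:11Z build-runner-03 GET https://example.zulipchat.com/api/v1/events?queue_id=abc "python-requests/2.32.3"
2025-07-18T09:02:00Z build-runner-03 GET https://pypi.org/simple/requests/ "pip/24.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (GET|POST) https?://([^/\s]+)(/\S*) "([^"]*)"$')
ZULIP_API_PATH = re.compile(r"^/api/v1/(register|events|messages)")
# Assumed allow-list: browsers and official Zulip desktop/mobile clients.
KNOWN_CLIENTS = ("Mozilla/", "ZulipDesktop/", "ZulipMobile/")

def zulip_api_findings(log_text: str) -> dict:
    """Group Zulip REST API calls by source host, keeping only calls whose
    user agent is not a browser or official Zulip client (a triage heuristic)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, method, host, path, ua = m.groups()
        if not host.endswith("zulipchat.com") or not ZULIP_API_PATH.match(path):
            continue
        if ua.startswith(KNOWN_CLIENTS):
            continue
        hits[src].append(f"{ts} {method} {path.split('?')[0]} ua={ua}")
    return dict(hits)

if __name__ == "__main__":
    for host, calls in zulip_api_findings(SAMPLE_LOG).items():
        print(host, *calls, sep="\n  ")
```

Legitimate Zulip bots and integrations will also appear in this list, so treat it as a queue for triage against an inventory of approved chat automation rather than as a verdict.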

What are the implications of this attack for developers and organizations?

This supply chain attack demonstrates that open-source package repositories like PyPI are an attractive vector for targeted intrusions. Developers who pip-installed any of the fake packages between July 16 and July 22, 2025 may have inadvertently infected their development environments. The malware can affect both Windows and Linux systems, potentially leading to data theft, credential harvesting, or lateral movement within a network. Organizations should educate their developers about verifying package authenticity, using tools like pip-audit or hash verification, and monitoring for suspicious dependencies. Additionally, this incident reinforces the need for rapid incident response and collaboration between security vendors and repository maintainers to minimize exposure.