OceanLotus APT Uses PyPI Packages to Deliver ZiChatBot Malware
Kaspersky attributes a PyPI supply chain campaign to OceanLotus APT, using fake wheel packages to drop ZiChatBot malware that abuses Zulip chat APIs for C2 on Windows and Linux.

Indicators of Compromise (1)
| Type | Value | Description | Confidence |
|---|---|---|---|
| Domain | tutamail.com | Domain of the uuid32-utils author email (laz****@tutamail.com). This is a public email provider, not attacker infrastructure, so it is useful for package-metadata review, not for network blocking. | medium |
Executive Summary
Kaspersky researchers have uncovered a supply chain attack on the Python Package Index (PyPI) attributed to the OceanLotus APT group (also tracked as APT32). Since July 2025, the threat actor uploaded three malicious wheel packages, uuid32-utils, colorinal, and termncolor, that impersonate legitimate libraries to deliver a previously undocumented malware family dubbed ZiChatBot. Instead of dedicated C2 servers, ZiChatBot uses the public REST API of the Zulip team chat platform as its command-and-control (C2) channel, so its traffic blends with legitimate chat activity. The campaign targets both Windows and Linux environments, with the dropper extracting either a DLL or a shared object (SO) payload depending on the host OS. Kaspersky confirmed the attribution through its Threat Attribution Engine (KTAE) and shared findings with the community, leading to the packages' removal from PyPI.
Technical Analysis
The attack chain begins when a victim installs one of the malicious wheel packages via pip. The packages uuid32-utils and colorinal contain the dropper directly, while termncolor, which looks benign on its own, declares colorinal as a dependency so that the malicious code arrives transitively. Because wheels carry no install-time setup script, the code runs on first import: the package's __init__.py executes unicode.py, which loads the native dropper (terminate.dll on Windows, terminate.so on Linux) into the Python process. The dropper decrypts the ZiChatBot payload with AES-CBC using the key xterminalunicode, establishes persistence, and then deletes both itself and the malicious script files.
ZiChatBot communicates exclusively through Zulip's REST API, using a dedicated Zulip organization as its C2 channel. This design avoids traditional server infrastructure and makes detection more challenging, as the traffic appears as normal API calls to a legitimate service. The malware can receive commands, exfiltrate data, and update itself through the chat platform. Kaspersky noted that the packages offered x86 and x64 builds for Windows and x86_64 for Linux, indicating deliberate multi-platform targeting.
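To make the network-detection point concrete, here is an added example (not Kaspersky's code and not the malware's): a small Python detector that scans proxy log lines for Zulip REST API calls made by processes other than an expected chat client. The log format, the zulipchat.com suffix for Zulip Cloud organizations, the allow-list of expected client processes, and the sample hostnames are assumptions for the example; the API paths are Zulip's documented REST endpoints. The sample log is constructed, not real telemetry.

```python
import re
from urllib.parse import urlparse

# Zulip's REST API is served under /api/v1/ on the organization's host.
# Zulip Cloud organizations live under *.zulipchat.com (assumption: your
# environment may also have self-hosted Zulip servers on other domains).
ZULIP_CLOUD_SUFFIX = ".zulipchat.com"
ZULIP_API_PATHS = (
    "/api/v1/messages",   # send / fetch messages
    "/api/v1/events",     # long-poll event queue
    "/api/v1/register",   # register an event queue
    "/api/v1/users/me",   # bot identity check
)

# Processes expected to talk to Zulip in this (assumed) environment.
EXPECTED_CLIENTS = {"zulip.exe", "zulip", "chrome.exe", "firefox.exe", "msedge.exe"}

# Constructed log format: "<timestamp> <hostname> <process> <METHOD> <url>"
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$")


def is_zulip_api(url: str) -> bool:
    """True if the URL looks like a Zulip REST API call."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    if host.endswith(ZULIP_CLOUD_SUFFIX) and u.path.startswith("/api/v1/"):
        return True
    # Self-hosted Zulip can sit on any domain, so fall back to the distinctive
    # API paths. Other services use /api/v1/ too, so treat a path-only match
    # as a hunting lead rather than a verdict.
    return any(u.path.startswith(p) for p in ZULIP_API_PATHS)


def suspicious_zulip_calls(lines):
    """Return Zulip API calls made by processes outside EXPECTED_CLIENTS."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than abort the sweep
        if is_zulip_api(m["url"]) and m["proc"].lower() not in EXPECTED_CLIENTS:
            hits.append({"ts": m["ts"], "host": m["host"], "proc": m["proc"], "url": m["url"]})
    return hits


# Constructed sample log (not real telemetry). A Python interpreter posting to
# Zulip is exactly the shape of traffic ZiChatBot would produce.
SAMPLE_LOG = [
    "2025-07-23T10:01:02Z ws-017 python.exe POST https://acme-chat.zulipchat.com/api/v1/messages",
    "2025-07-23T10:01:05Z ws-017 chrome.exe GET https://acme-chat.zulipchat.com/api/v1/events?queue_id=1",
    "2025-07-23T10:02:10Z ws-017 python.exe GET https://pypi.org/simple/colorinal/",
    "2025-07-23T10:03:44Z srv-db1 python3 POST https://zulip.example.org/api/v1/register",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for hit in suspicious_zulip_calls(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['host']} {hit['proc']} -> {hit['url']}")
```

On the sample above the detector flags the two interpreter-originated calls (python.exe to Zulip Cloud, python3 to a self-hosted server) and leaves the browser session and the pip download alone. In a real deployment the allow-list should be built from your own baseline of which processes legitimately use the chat platform.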
Indicators of Compromise
Kaspersky provided the following package metadata and file names associated with the campaign:
- Package: uuid32-utils (first uploaded 2025-07-16, author email: laz****@tutamail.com)
- Package: colorinal (first uploaded 2025-07-22, author email: sym****@proton.me)
- Package: termncolor (first uploaded 2025-07-22, author email: sym****@proton.me)
- Dropper (Windows): terminate.dll
- Dropper (Linux): terminate.so
- C2 API endpoint: Zulip organization API URLs (specific organization not disclosed by Kaspersky)
Full file hashes and additional IOCs are available in Kaspersky's Securelist report on the campaign.
Tactics, Techniques & Procedures
OceanLotus carried out a supply chain compromise of a software dependency (T1195.001) by uploading trojanized packages to a public repository. Execution relies on the user installing and importing the malicious package (T1204.002). ZiChatBot uses Zulip's HTTPS REST API for C2 (T1071.001), which is atypical for APT groups and complicates network detection because the traffic terminates at a legitimate SaaS platform. The dropper and script files delete themselves after deployment, an indicator-removal technique (T1070.004, File Deletion) that reduces forensic artifacts, while the use of names that mimic legitimate libraries is masquerading (T1036.005). Kaspersky's attribution to OceanLotus is based on KTAE analysis, which compares code similarities and infrastructure patterns to prior known campaigns.
Threat Actor Context
OceanLotus (APT32) is a Vietnamese state-sponsored threat group active since at least 2014, known for targeting foreign corporations, human rights groups, and governments, particularly in Southeast Asia. The group has a history of supply chain attacks and custom malware development. This campaign's use of PyPI and Zulip for C2 represents a tactical evolution, leveraging trusted platforms to evade detection. Kaspersky's confidence in attribution is high, though they note that some technical overlaps could also indicate a copycat group.
Mitigations & Recommendations
Organizations using Python packages should verify package integrity by pinning dependencies with hashes (pip install --require-hashes -r requirements.txt refuses any artifact whose hash is not listed) and by reviewing package metadata for anomalies such as very recent first-upload dates, throwaway author emails, or a new package that merely wraps another new package as a dependency. Developers should avoid installing directly from PyPI in production without routing through a private mirror or a dependency-scanning tool. Network defenders should monitor for outbound calls to Zulip API endpoints from processes that do not normally use chat applications (a Python interpreter, for instance) and consider blocking or restricting access to unknown Zulip organizations. The malicious packages have been removed from PyPI, but any system that installed uuid32-utils, colorinal, or termncolor between July 2025 and the takedown should be treated as compromised and investigated for ZiChatBot. Because the dropper deletes its own files, the absence of terminate.dll or terminate.so does not clear a host; the package's own metadata, which is what pip list reports, may survive where the dropper did not.
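As an added host-triage example (not Kaspersky's or PyPI's code), the script below checks an interpreter's environment for the three package names using the standard importlib.metadata API and searches site-packages for the dropper and script file names from the IOC list. The check functions take explicit inputs so they can be run against constructed data as well as the live environment; treating unicode.py as a marker and weighting dropper hits above it are assumptions drawn from the described chain, not indicators from the report.

```python
import re
import sysconfig
from importlib import metadata
from pathlib import Path

# Package names from the Kaspersky report, in PEP 503 normalized form.
MALICIOUS_PACKAGES = {"uuid32-utils", "colorinal", "termncolor"}
# Dropper file names from the report.
DROPPER_FILES = {"terminate.dll", "terminate.so"}
# Loader script named in the described chain; a common file name, so a weak signal.
SCRIPT_MARKERS = {"unicode.py"}


def normalize(name: str) -> str:
    """PEP 503 normalization so uuid32_utils, UUID32-Utils and uuid32.utils all match."""
    return re.sub(r"[-_.]+", "-", name).lower()


def flag_installed(dists):
    """dists: iterable of (name, version). Returns the entries matching the IOC names."""
    return sorted((name, version) for name, version in dists
                  if normalize(name) in MALICIOUS_PACKAGES)


def flag_files(paths):
    """paths: iterable of file paths. Returns (kind, path) for dropper and marker files.

    Dropper hits are reported with kind "dropper"; unicode.py alone is only a
    "marker" because many legitimate packages ship a file with that name.
    """
    hits = []
    for p in map(Path, paths):
        name = p.name.lower()
        if name in DROPPER_FILES:
            hits.append(("dropper", str(p)))
        elif name in SCRIPT_MARKERS:
            hits.append(("marker", str(p)))
    return hits


def installed_distributions():
    """Live view of this interpreter's installed distributions as (name, version)."""
    return [(d.metadata["Name"] or "", d.version or "") for d in metadata.distributions()]


def site_packages_files():
    """Every file under this interpreter's purelib/platlib directories."""
    paths = sysconfig.get_paths()
    for root in {paths["purelib"], paths["platlib"]}:
        yield from (p for p in Path(root).rglob("*") if p.is_file())


if __name__ == "__main__":
    pkgs = flag_installed(installed_distributions())
    files = flag_files(site_packages_files())
    for name, version in pkgs:
        print(f"[package] {name}=={version}")
    for kind, path in files:
        print(f"[{kind}] {path}")
    # The dropper removes its own files, so zero file hits does not clear the
    # host; a package hit on its own is enough to treat the machine as compromised.
    print("compromised" if pkgs or files else "no indicators found")
```

Run it with every interpreter and virtual environment on the host, not just the system Python, since each has its own site-packages. A package hit means the code ran on import at least once, so the follow-up is ZiChatBot persistence and Zulip C2 hunting, not just uninstalling the package.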