Security researchers have identified three packages on the Python Package Index (PyPI) that quietly distributed a new malware strain, ZiChatBot, with payloads for both Windows and Linux. The find is a further example of attackers using the open-source software supply chain as a delivery channel.
Covert Operations Using Zulip APIs
Kaspersky, which analysed the packages, reported that their purpose was to deliver the malicious payload without drawing attention. Rather than contacting a dedicated command-and-control (C2) server, ZiChatBot uses the REST API of the Zulip chat platform as its C2 channel: tasking and results travel as ordinary Zulip messages, so what the network sees is HTTPS to a legitimate collaboration service, which is easy to miss in proxy and firewall telemetry.
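One practical response to C2 hidden inside a legitimate chat service is to hunt for the service's API being called from hosts, or to servers, that have no business reason for it. The script below is an added example and is not code from Kaspersky's report or from the ZiChatBot samples. It assumes a simple space-separated proxy log format (timestamp, client IP, method, host, path, status) and an organisational allowlist of sanctioned Zulip servers; both are assumptions for the example, as are the sample log lines, which are constructed. The API path prefix `/api/v1/` and the `messages`, `register` and `events` endpoints are Zulip's documented REST API, but the page does not say which endpoints ZiChatBot itself calls.

```python
"""Hunt for Zulip REST API calls to non-sanctioned servers in web-proxy logs.

Added example; not from the original article, Kaspersky or the malware.
Assumed log format (one request per line):
    <timestamp> <client_ip> <method> <host> <path> <status>
"""
import re
from collections import defaultdict

# Zulip serves its REST API under /api/v1/; these three endpoints are the
# ones a bot needs to read and post messages (documented Zulip API).
ZULIP_API_RE = re.compile(r"^/api/v1/(messages|register|events)(\b|$)")

# Constructed sample proxy log for the example (not real traffic).
SAMPLE_LOG = """\
2025-07-18T09:12:03Z 10.0.4.21 GET chat.example.com /api/v1/messages?anchor=newest 200
2025-07-18T09:12:05Z 10.0.4.21 POST chat.example.com /api/v1/messages 200
2025-07-18T09:12:40Z 10.0.7.9 GET zulip.attacker-instance.invalid /api/v1/events?queue_id=1 200
2025-07-18T09:12:41Z 10.0.7.9 GET zulip.attacker-instance.invalid /api/v1/events?queue_id=1 200
2025-07-18T09:12:42Z 10.0.7.9 POST zulip.attacker-instance.invalid /api/v1/messages 200
2025-07-18T09:13:00Z 10.0.4.21 GET www.example.com /index.html 200
"""


def parse_line(line):
    """Split one log line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, client, method, host, path, status = parts
    return {"ts": ts, "client": client, "method": method,
            "host": host.lower(), "path": path, "status": int(status)}


def find_unexpected_zulip_clients(log_text, allowed_hosts):
    """Return {client_ip: {host: count}} for Zulip API calls whose
    destination host is not in the allowlist of sanctioned Zulip servers."""
    allowed = {h.lower() for h in allowed_hosts}
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not ZULIP_API_RE.match(rec["path"]):
            continue
        if rec["host"] in allowed:
            continue
        hits[rec["client"]][rec["host"]] += 1
    return {client: dict(hosts) for client, hosts in hits.items()}


if __name__ == "__main__":
    # With chat.example.com sanctioned, only 10.0.7.9 is flagged.
    print(find_unexpected_zulip_clients(SAMPLE_LOG, {"chat.example.com"}))
```

The path-level match only works where the proxy terminates TLS; with a CONNECT-only proxy you see just the hostname, in which case the check degrades to "Zulip-looking host not on the allowlist", which is still worth alerting on. A short, regular polling interval from a single client, as in the sample, is the other signal to add on top of this.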
Kaspersky describes the operation as a deliberate supply chain attack. The packages, which have since been removed from PyPI, were uuid32-utils, colorinal, and termncolor, with 1,479, 614, and 387 downloads respectively. All three were uploaded between July 16 and 22, 2025.
Technical Breakdown and Impact
On Windows, installing uuid32-utils or colorinal deploys a DLL dropper named terminate.dll. Once loaded, the dropper launches ZiChatBot, adds a Windows Registry entry for persistence, and deletes itself to leave fewer traces. On Linux the dropper is a shared object, terminate.so; the malware is placed at /tmp/obsHub/obs-check-update and a crontab entry schedules it for execution.
Regardless of the operating system, ZiChatBot executes the commands it receives over its Zulip-based C2 channel and replies with a heart emoji to confirm that a task completed. Because both the tasking and the acknowledgement are ordinary chat messages, the beaconing is hard to separate from legitimate use of the service.
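The indicators the article gives are concrete enough to check for directly: the three package names, the Linux persistence path, and the dropper file names. The script below is an added example, not code from Kaspersky or the malware. It checks installed Python distributions, a requirements file, and the user crontab for those indicators; the requirements-file and crontab parsers take text so they can be run over artefacts collected from other hosts. The Windows Registry value and the crontab schedule are not named on the page, so the script does not guess at them, and the sample requirements and crontab contents are constructed for the example.

```python
"""Check a host for the ZiChatBot indicators named in the article.

Added example; not code from Kaspersky, the article or the malware.
Indicators come from the page: package names uuid32-utils, colorinal and
termncolor; Linux path /tmp/obsHub/obs-check-update; droppers terminate.dll
and terminate.so. The exact Registry value and cron schedule are not given
on the page, so they are not checked here.
"""
import os
import re
import subprocess
from importlib import metadata

FLAGGED_PACKAGES = {"uuid32-utils", "colorinal", "termncolor"}
LINUX_DROPPER_PATH = "/tmp/obsHub/obs-check-update"
DROPPER_FILENAMES = {"terminate.so", "terminate.dll"}

# Constructed sample inputs for the example.
SAMPLE_REQUIREMENTS = """\
# project deps
requests==2.32.3
TermNColor>=0.1     # case and separators vary in the wild
uuid32_utils
numpy
"""
SAMPLE_CRONTAB = """\
0 3 * * * /usr/local/bin/backup.sh
*/10 * * * * /tmp/obsHub/obs-check-update >/dev/null 2>&1
"""


def normalize(name):
    """PEP 503 name normalisation: lower-case, runs of -_. become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def find_flagged_packages(names):
    """Return the flagged (normalised) names among an iterable of
    distribution names or requirement lines such as 'Foo>=1.0'."""
    found = set()
    for raw in names:
        base = re.split(r"[\s<>=!~;\[]", (raw or "").strip(), 1)[0]
        if base and normalize(base) in FLAGGED_PACKAGES:
            found.add(normalize(base))
    return found


def find_flagged_in_requirements(text):
    """Scan a requirements.txt body, ignoring blank and comment lines."""
    lines = [l for l in text.splitlines()
             if l.strip() and not l.lstrip().startswith("#")]
    return find_flagged_packages(lines)


def scan_crontab(text):
    """Return crontab lines that reference the dropper path or file names."""
    needles = [LINUX_DROPPER_PATH.lower()] + [f.lower() for f in DROPPER_FILENAMES]
    return [l for l in text.splitlines() if any(n in l.lower() for n in needles)]


def installed_flagged():
    """Flagged packages among the distributions visible to this interpreter."""
    return find_flagged_packages(d.metadata.get("Name") for d in metadata.distributions())


def scan_host():
    """Combine the live checks into one report for the current host."""
    report = {
        "packages": sorted(installed_flagged()),
        "crontab": [],
        "dropper_path_exists": os.path.exists(LINUX_DROPPER_PATH),
    }
    try:
        out = subprocess.run(["crontab", "-l"], capture_output=True,
                             text=True, timeout=10).stdout
        report["crontab"] = scan_crontab(out)
    except (OSError, subprocess.TimeoutExpired):
        pass  # no crontab binary, or the command hung; leave the field empty
    return report


if __name__ == "__main__":
    print("requirements:", sorted(find_flagged_in_requirements(SAMPLE_REQUIREMENTS)))
    print("crontab:", scan_crontab(SAMPLE_CRONTAB))
    print("host:", scan_host())
```

Normalising names before comparison matters: pip treats `uuid32_utils`, `UUID32-Utils` and `uuid32.utils` as the same project, so a naive string match would miss some of them. On a multi-user host, run the crontab check for each user (or read /var/spool/cron directly as root), since `crontab -l` only shows the caller's own entries.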
Potential Links to OceanLotus
The identity of the attackers is not established, but Kaspersky notes a strong resemblance between the dropper used in this campaign and one previously attributed to the Vietnam-linked group OceanLotus, also known as APT32. That group has targeted a range of sectors, including the Chinese cybersecurity community, using techniques such as tampered Visual Studio Code projects.
If OceanLotus is behind this PyPI campaign, it would mark an expansion of the group's tradecraft beyond phishing into open-source supply chain compromise, where a single poisoned dependency reaches every project that installs it.
For defenders, the lesson is to treat package installation as code execution: pin and verify dependencies, watch for newly published packages with little history, and alert on persistence mechanisms and on chat-service API traffic from hosts that have no reason to generate it.
