Kaspersky's GReAT team discovered a series of malicious Python wheel packages uploaded to PyPI starting July 2025, attributed with moderate confidence to the OceanLotus APT group. Three fake packages — uuid32-utils, colorinal, and termncolor — acted as droppers for a previously unknown malware family called ZiChatBot, targeting both Windows and Linux. The infection chain extracts a DLL or .SO dropper from the wheel package, establishes persistence via the registry (Windows) or crontab (Linux), and then deploys ZiChatBot. Notably, ZiChatBot uses Zulip's public REST APIs as its C2 channel instead of dedicated attacker-controlled servers, so its traffic blends in with legitimate use of a public SaaS platform and is harder to detect. The malicious packages have since been removed from PyPI, and the Zulip organization that served as C2 has been deactivated. No confirmed infections were observed. The campaign is consistent with OceanLotus's expanding supply chain attack strategy, following a similar GitHub-based phishing campaign in early 2025.
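One defensive check that follows from the infection chain above is to inspect a wheel before installing it: read the package name from its METADATA and flag any native binaries (DLL/.SO) bundled inside a package that claims to be a small pure-Python utility. The script below is an added example and is not Kaspersky's code; the three package names come from the report, while the native-file suffix list and the in-memory sample wheel are constructed assumptions for the demonstration.

```python
import io
import zipfile
from email.parser import Parser

# Package names reported as malicious in the Kaspersky write-up.
KNOWN_MALICIOUS = {"uuid32-utils", "colorinal", "termncolor"}
# Native binaries a pure-Python colour/uuid helper has no reason to ship
# (assumed heuristic; tune to the packages you actually expect).
NATIVE_SUFFIXES = (".dll", ".so", ".pyd", ".dylib")


def inspect_wheel(data: bytes) -> dict:
    """Return the package name, embedded native files and any flags raised."""
    findings = {"name": None, "native_files": [], "flags": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            lower = info.filename.lower()
            # Wheel metadata lives at <dist>-<ver>.dist-info/METADATA (RFC 822 headers).
            if lower.endswith("/metadata") and ".dist-info/" in lower:
                meta = Parser().parsestr(zf.read(info).decode("utf-8", "replace"))
                findings["name"] = (meta.get("Name") or "").strip().lower()
            if lower.endswith(NATIVE_SUFFIXES):
                findings["native_files"].append(info.filename)
    if findings["name"] in KNOWN_MALICIOUS:
        findings["flags"].append("known-malicious-name")
    if findings["native_files"]:
        findings["flags"].append("ships-native-binary")
    return findings


def build_sample_wheel(name: str, extra_files: dict) -> bytes:
    """Construct a minimal wheel in memory (test fixture, not a real package)."""
    buf = io.BytesIO()
    mod = name.replace("-", "_")
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"{mod}-1.0.dist-info/METADATA",
                    f"Metadata-Version: 2.1\nName: {name}\nVersion: 1.0\n")
        zf.writestr(f"{mod}/__init__.py", "")
        for path, content in extra_files.items():
            zf.writestr(path, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a package using one of the reported names and bundling an ELF .so.
    suspicious = build_sample_wheel("termncolor", {"termncolor/libnative.so": b"\x7fELF"})
    print(inspect_wheel(suspicious))
```

The same check can be run over a local pip download cache or a private mirror before packages are promoted to an internal index.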
Table of contents
Introduction
Technical details
Infrastructure
Victims
Attribution
Conclusions
Indicators of compromise