OceanLotus Campaign Distributes ZiChatBot Malware via PyPI Packages

Severity: High (Score: 69.5)

Sources: Ground.News, cybernoz.com, Securelist, Thehackernews, malware.news

Summary

Beginning in July 2025, malicious wheel packages were uploaded to the Python Package Index (PyPI) by the OceanLotus group, delivering a new malware family named ZiChatBot. The malware targets both Windows and Linux and uses the REST API of the Zulip chat service for command and control instead of attacker-operated servers, so its C2 traffic looks like ordinary HTTPS to a legitimate SaaS host. The uploaded packages themselves looked benign; the malicious code arrived through dependencies they declared, which kept it out of sight of anyone reviewing only the top-level package. Kaspersky's Threat Attribution Engine linked the packages to OceanLotus. Because the delivery vector was a public package registry, the campaign is a software supply chain attack. The packages were removed from PyPI after detection, but the incident shows the continuing exposure of software supply chains. Security professionals are urged to remain vigilant against similar threats.

Key Points:

  • OceanLotus used PyPI to distribute ZiChatBot malware through malicious wheel packages.
  • The malware runs on both Windows and Linux and uses the Zulip API for C2.
  • Packages were designed to appear benign, concealing their malicious intent.
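As an added example that is not part of the original report or of Kaspersky's tooling, the following Python script shows the kind of pre-install check a practitioner could run on a downloaded wheel before it reaches an environment: compare its MD5 against the hashes listed under Key Entities, list every Requires-Dist entry that is not on an expected allowlist (the "benign package pulling a malicious dependency" pattern described above), and scan the archive contents for the Zulip API host. The wheels it inspects are built in memory; the package names, file contents and the allowlist are invented for illustration and are not the real OceanLotus packages.

```python
import hashlib
import io
import re
import zipfile
from email.parser import HeaderParser

# MD5 hashes published with this report (see Key Entities).
KNOWN_BAD_MD5 = {
    "1995682d600e329b7833003a01609252",
    "22538214a3c917ff3b13a9e2035ca521",
    "38b75af6cbdb60127decd59140d10640",
    "454b85dc32dc8023cd2be04e4501f16a",
    "5598baa59c716590d8841c6312d8349e",
}

# The C2 channel is the Zulip REST API; a chat-service API host embedded in a
# library that has no business talking to chat is worth a second look.
SUSPICIOUS_HOSTS = ("zulipchat.com",)


def normalize(name):
    """PEP 503 project-name normalization, so 'Helper_Backend' == 'helper-backend'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def build_wheel(name, version, requires, files):
    """Build a minimal wheel archive in memory (constructed test input, not a real package)."""
    dist_info = f"{name.replace('-', '_')}-{version}.dist-info"
    lines = ["Metadata-Version: 2.1", f"Name: {name}", f"Version: {version}"]
    lines += [f"Requires-Dist: {r}" for r in requires]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"{dist_info}/METADATA", "\n".join(lines) + "\n")
        for path, content in files.items():
            zf.writestr(path, content)
    return buf.getvalue()


def inspect_wheel(wheel_bytes, allowed_deps):
    """Return a list of findings for a wheel; an empty list means nothing stood out."""
    allowed = {normalize(d) for d in allowed_deps}
    findings = []

    digest = hashlib.md5(wheel_bytes).hexdigest()
    if digest in KNOWN_BAD_MD5:
        findings.append(f"md5 {digest} matches a published IOC")

    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        names = zf.namelist()
        meta = [n for n in names if n.endswith(".dist-info/METADATA")]
        if not meta:
            findings.append("no .dist-info/METADATA entry (malformed wheel)")
            return findings
        headers = HeaderParser().parsestr(zf.read(meta[0]).decode("utf-8"))

        # Requires-Dist is a PEP 508 string: name, optional extras/version, optional ';' marker.
        for req in headers.get_all("Requires-Dist") or []:
            m = re.match(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)", req)
            dep = normalize(m.group(1)) if m else req
            if dep not in allowed:
                findings.append(f"unexpected dependency: {dep} (from '{req}')")

        for n in names:
            data = zf.read(n)
            for host in SUSPICIOUS_HOSTS:
                if host.encode() in data:
                    findings.append(f"{n} references {host}")
            if n.endswith(".so") or n.endswith(".dll"):
                # Normal for compiled extensions; notable in a package sold as pure Python.
                findings.append(f"native binary shipped in wheel: {n}")
    return findings


if __name__ == "__main__":
    # Constructed sample: a package that looks harmless but pulls an extra
    # dependency and carries a Zulip API URL. Names are invented.
    sample = build_wheel(
        "nice-tool", "1.0.1",
        ["requests>=2.0", "helper_backend (>=0.1)"],
        {"nice_tool/__init__.py": "API = 'https://helper.zulipchat.com/api/v1/messages'\n"},
    )
    for finding in inspect_wheel(sample, allowed_deps={"requests"}):
        print(finding)
```

The hash check only fires if the published MD5 was taken over the same artifact you downloaded (the page does not say whether the listed hashes are of wheel files or of payloads inside them), so treat it as one signal among the three rather than the decisive one; the dependency allowlist is the check that actually catches the pattern this campaign used, because the top-level package can be clean while a transitive dependency is not.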

Key Entities

  • OceanLotus (apt_group)
  • Malware (attack_type)
  • Phishing (attack_type)
  • Supply Chain Attack (attack_type)
  • backward.so (domain)
  • helper.zulipchat.com (domain)
  • kaspersky.com (domain)
  • securelist.com (domain)
  • terminate.so (domain)
  • ZiChatBot (malware)
  • 1995682d600e329b7833003a01609252 (md5)
  • 22538214a3c917ff3b13a9e2035ca521 (md5)
  • 38b75af6cbdb60127decd59140d10640 (md5)
  • 454b85dc32dc8023cd2be04e4501f16a (md5)
  • 5598baa59c716590d8841c6312d8349e (md5)
  • T1053.005 - Scheduled Task (mitre_attack)
  • T1055 - Process Injection (mitre_attack)
  • T1071.001 - Web Protocols (mitre_attack)
  • T1071 - Application Layer Protocol (mitre_attack)
  • T1195 - Supply Chain Compromise (mitre_attack)
  • Linux (platform)
  • Windows (platform)
  • Zulip (tool)