A sophisticated supply chain attack targeting the Python Package Index (PyPI) repository has been uncovered by cybersecurity researchers, revealing a previously unknown malware family dubbed ZiChatBot. This insidious threat is designed to compromise both Windows and Linux systems, utilizing a highly unconventional command-and-control (C2) infrastructure that leverages the public team chat application Zulip. The findings, disclosed by Russian cybersecurity firm Kaspersky, describe the operation as a "carefully planned and executed PyPI supply chain attack," raising significant concerns about the security of open-source software ecosystems and the evolving tactics of advanced persistent threat (APT) groups.
The Discovery of ZiChatBot and Its Novel C2 Mechanism
Kaspersky’s comprehensive analysis, detailed in their recent report, illuminated the presence of three malicious packages on PyPI that, while appearing to offer legitimate functionalities, served as covert conduits for ZiChatBot. What sets ZiChatBot apart from conventional malware is its innovative approach to C2 communication. Instead of relying on dedicated, easily identifiable C2 servers, the malware ingeniously integrates with the REST APIs of Zulip, a legitimate and widely used team communication platform. This tactic allows ZiChatBot to blend its malicious network traffic with benign communications, making detection significantly more challenging for traditional security solutions.
The use of legitimate services for C2 operations, often referred to as "living off the land" or "abuse of trusted services," represents a growing trend among sophisticated threat actors. By leveraging platforms like Zulip, attackers can effectively camouflage their activities within the noise of everyday internet traffic, bypassing network security controls that might otherwise flag suspicious connections to known malicious domains. Kaspersky highlighted that while the observed "wheel packages" (a standard Python distribution format) did implement the features advertised on their PyPI web pages, their primary objective was the surreptitious delivery of malicious payloads. This dual functionality is a hallmark of advanced supply chain attacks, where attackers aim to maintain a semblance of legitimacy to avoid early detection.
Chronology of the PyPI Supply Chain Compromise
The timeline of the attack indicates a concentrated effort to infiltrate the PyPI ecosystem. All three identified packages were uploaded to the repository within a brief six-day window, specifically between July 16 and July 22, 2025. This short burst of activity suggests a deliberate and coordinated deployment strategy by the threat actors. The malicious packages, which have since been removed from PyPI following Kaspersky’s disclosure, were identified as:
- uuid32-utils
- colorinal
- termncolor
An intriguing aspect of this campaign involves the interdependencies among the malicious packages. While uuid32-utils and colorinal directly incorporated similar malicious payloads, termncolor presented itself as a seemingly benign utility. However, termncolor cleverly listed colorinal as a dependency, effectively creating a chain of infection where installing the seemingly innocuous termncolor would automatically pull in the malicious colorinal package. This "dependency confusion" technique is a well-documented method for compromising software projects, exploiting the reliance of modern development on vast networks of third-party libraries.
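One way to audit an environment for this kind of transitive exposure, as an added example that is not code from Kaspersky's report or from PyPI: it walks the declared dependencies of installed distributions and reports any chain that ends in one of the three package names above. The sample graph and the names "my-app" and "cli-helper" are constructed for illustration.

```python
import re
from importlib import metadata

# Package names the article reports as malicious (since removed from PyPI).
FLAGGED = {"uuid32-utils", "colorinal", "termncolor"}

# Constructed dependency map; "my-app" and "cli-helper" are made-up names.
SAMPLE_GRAPH = {
    "my-app": {"requests", "cli-helper"},
    "cli-helper": {"termncolor"},
    "termncolor": {"colorinal"},
    "colorinal": set(),
    "requests": set(),
}

def normalize(name):
    """PEP 503 name normalization, so 'UUID32_Utils' matches 'uuid32-utils'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def requirement_name(req):
    """Project name from a Requires-Dist string such as 'colorinal (>=1.0)'."""
    m = re.match(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)", req)
    return normalize(m.group(1)) if m else ""

def installed_graph():
    """Map every installed distribution to the projects it declares as dependencies."""
    graph = {}
    for dist in metadata.distributions():
        name = dist.metadata.get("Name")
        if name:
            graph[normalize(name)] = {requirement_name(r) for r in (dist.requires or [])}
    return graph

def find_exposure(graph, flagged=FLAGGED):
    """Return {package: chain} for each package that is flagged or reaches a flagged one."""
    flagged = {normalize(n) for n in flagged}
    def walk(pkg, path):
        if pkg in path:  # dependency cycle, stop descending
            return None
        if pkg in flagged:
            return path + [pkg]
        for dep in sorted(graph.get(pkg, ())):
            chain = walk(dep, path + [pkg])
            if chain:
                return chain
        return None
    return {pkg: chain for pkg in sorted(graph) if (chain := walk(pkg, []))}

if __name__ == "__main__":
    for pkg, chain in find_exposure(installed_graph()).items():
        print(f"{pkg}: {' -> '.join(chain)}")
```

A declared dependency is reported even when the flagged package itself is no longer installed, which helps when reviewing environments after the packages were taken down.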
The rapid response by PyPI administrators in taking down these packages underscores the platform’s commitment to security, yet the incident highlights the persistent challenges in proactively identifying and neutralizing such threats within massive open-source repositories. The sheer volume of new packages and updates uploaded daily makes comprehensive manual vetting impractical, forcing repository maintainers to rely heavily on automated analysis and community-driven reporting.
Technical Deep Dive into ZiChatBot’s Mechanics
The operational mechanics of ZiChatBot demonstrate a robust, cross-platform design capable of infecting both Windows and Linux environments. The infection chain begins immediately upon the installation of any of the initial two malicious packages (uuid32-utils or colorinal).
On Windows systems, the installation process triggers the extraction of a dynamic-link library (DLL) dropper, named terminate.dll. This DLL is written to disk and is subsequently loaded when the package is imported into a project. Once executed, terminate.dll acts as the primary dropper for ZiChatBot. To ensure persistence, it establishes an auto-run entry within the Windows Registry, guaranteeing the malware executes upon system startup. Following successful installation and persistence establishment, the dropper attempts to delete itself from the host system, a common anti-forensic technique designed to erase traces of the initial compromise.
For Linux systems, the malware employs a similar shared object (SO) dropper, terminate.so. This Linux variant plants the ZiChatBot malware in the /tmp/obsHub/obs-check-update path, a location often used for temporary files, which can help it evade immediate suspicion. Persistence on Linux is achieved by configuring a crontab entry, a standard mechanism for scheduling tasks to run periodically or at system boot.
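A host-side check for the Linux indicators described above, as an added example that is not taken from Kaspersky's report: it parses crontab text and flags entries whose command references the drop directory, and tests whether the dropped file exists. The sample crontab is constructed, and the assumption that the cron entry references the /tmp/obsHub path is ours, since the article does not show the entry.

```python
import os
import re
import subprocess

# Linux indicator named in the article: where the dropper plants ZiChatBot.
IOC_PATH = "/tmp/obsHub/obs-check-update"
IOC_DIR = os.path.dirname(IOC_PATH)
ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*\s*=")

# Constructed sample crontab text (not from a real host or from the report).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
MAILTO=""
0 3 * * * /usr/local/bin/backup.sh
@reboot /tmp/obsHub/obs-check-update
*/10 * * * * cd /tmp/obsHub && ./obs-check-update >/dev/null 2>&1
"""

def cron_command(line):
    """Return the command part of a crontab line, or None for blanks, comments and VAR=value."""
    line = line.strip()
    if not line or line.startswith("#") or ENV_LINE.match(line):
        return None
    # '@reboot cmd' has one schedule token; ordinary entries have five fields.
    fields = 1 if line.startswith("@") else 5
    parts = line.split(None, fields)
    return parts[fields] if len(parts) > fields else None

def suspicious_cron_entries(crontab_text, ioc_dir=IOC_DIR):
    """Return (line_number, command) for entries whose command references ioc_dir."""
    hits = []
    for n, line in enumerate(crontab_text.splitlines(), 1):
        cmd = cron_command(line)
        if cmd and ioc_dir in cmd:  # assumption: the entry points at the drop directory
            hits.append((n, cmd))
    return hits

def artifact_present(path=IOC_PATH):
    """True if the dropped file (or a symlink at that path) exists."""
    return os.path.lexists(path)

if __name__ == "__main__":
    out = subprocess.run(["crontab", "-l"], capture_output=True, text=True).stdout
    print("artifact on disk:", artifact_present())
    for n, cmd in suspicious_cron_entries(out):
        print(f"crontab line {n}: {cmd}")
```

Run it per user account, since each user has a separate crontab.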

Regardless of the operating system, the core functionality of ZiChatBot remains consistent: it is engineered to execute shellcode received directly from its Zulip-based C2 server. After successfully executing a command or receiving instructions, the malware sends a "heart emoji" as a response back to the C2 server. This seemingly innocuous signal serves as a subtle, yet effective, confirmation mechanism for the attackers, indicating that the operation was successful and the compromised system remains active. This minimalist communication further reduces the network footprint and makes the C2 traffic harder to distinguish from legitimate Zulip API calls.
Attribution to OceanLotus (APT32): A Shifting Strategy
While definitive attribution in cybersecurity is often challenging, Kaspersky’s analysis points strongly towards OceanLotus, also known as APT32, a state-sponsored hacking group widely believed to be aligned with Vietnam. The primary piece of evidence linking ZiChatBot to OceanLotus is a significant "64% similarity" between the dropper utilized in this PyPI campaign and other droppers previously employed by APT32. Such code overlap, particularly in core components like droppers, is a strong indicator of shared development resources or operational methodologies.
OceanLotus has a well-documented history of engaging in cyber espionage campaigns, primarily targeting organizations and individuals of interest to the Vietnamese government, often focusing on human rights groups, media, and foreign corporations. Their past activities have demonstrated a high degree of sophistication and adaptability in their tactics, techniques, and procedures (TTPs).
A notable campaign attributed to OceanLotus occurred in late 2024, where the group was observed targeting the Chinese cybersecurity community. In that instance, attackers distributed poisoned Visual Studio Code projects that masqueraded as legitimate Cobalt Strike plugins. When compiled, these projects would automatically execute a trojan, compromising the developers’ systems. Interestingly, that particular malware campaign also utilized a public, legitimate service for its C2 infrastructure: the Notion note-taking service, according to an analysis by ThreatBook. This previous use of Notion for C2 further strengthens the hypothesis that the use of Zulip for ZiChatBot’s C2 aligns with APT32’s evolving strategy of leveraging trusted web services to evade detection.
Kaspersky explicitly noted that if the PyPI supply chain campaign is indeed the work of OceanLotus, it represents a significant strategic shift for the threat actor. Historically, OceanLotus has heavily relied on phishing emails as a primary initial infection vector. However, the move towards sophisticated supply chain attacks on major software repositories like PyPI indicates an expansion of their targeting scope and a diversification of their initial access methods.
Broader Implications and Industry Responses
The ZiChatBot campaign underscores the growing vulnerability of the open-source software supply chain. Developers globally rely on millions of open-source packages, and a compromise in even one widely used library can have a cascading effect, potentially infecting countless downstream applications and systems. This incident serves as a stark reminder that even trusted repositories like PyPI are not immune to sophisticated attacks orchestrated by well-resourced APT groups.
The implications for developers and organizations are substantial. The compromise of a developer’s environment through a malicious package can lead to intellectual property theft, corporate espionage, or the deployment of further destructive malware within an organization’s infrastructure. The fact that the malware targets both Windows and Linux, the predominant operating systems in development and server environments, highlights the broad reach and potential impact of such a threat.
Industry experts and organizations like PyPI’s security team continuously work to enhance security measures, including automated scanning for malicious code, reputation systems, and vulnerability reporting mechanisms. However, the ingenuity of threat actors, particularly those backed by state resources, often presents new challenges. The cybersecurity community generally advises developers to adopt stringent security practices, such as:
- Verifying Package Authenticity: Always check the legitimacy of packages before integration, looking for official sources, documentation, and community reputation.
- Implementing Supply Chain Security Tools: Utilizing tools that scan for vulnerabilities and malicious code within dependencies.
- Least Privilege Principle: Ensuring development environments and build systems operate with the minimum necessary permissions.
- Network Monitoring: Continuously monitoring network traffic for unusual patterns, including communication with legitimate services that might be abused for C2.
- Regular Audits: Performing periodic security audits of codebases and third-party dependencies.
The shift by APT groups like OceanLotus from traditional phishing to more complex supply chain attacks signifies a strategic evolution in cyber warfare. It reflects an understanding that compromising the tools and infrastructure used by developers can yield higher-value targets and broader impact. This trend necessitates a collaborative effort between repository maintainers, cybersecurity researchers, and the developer community to stay ahead of these increasingly sophisticated threats.
In conclusion, the discovery of ZiChatBot and its suspected links to OceanLotus represents a critical development in the ongoing battle for cybersecurity. It not only exposes a new malware family with an evasive C2 mechanism but also highlights the persistent and evolving threat landscape faced by the open-source software supply chain. As APT groups continue to refine their methodologies, the imperative for robust security practices, vigilant monitoring, and timely threat intelligence sharing becomes ever more critical in protecting global digital infrastructure.
