OceanLotus suspected of distributing ZiChatBot malware via wheel packages in PyPI

May 7, 2026, 8:42 a.m.

Description

Between July 2025 and the present, threat actors suspected to be OceanLotus distributed malicious wheel packages through PyPI, targeting both Windows and Linux platforms. Three fake libraries (uuid32-utils, colorinal, and termncolor) were created to imitate legitimate packages, implementing a sophisticated supply chain attack. The packages deployed droppers that delivered ZiChatBot, a previously unknown malware family that uses Zulip's REST APIs as its command and control infrastructure instead of traditional C2 servers. The malware supports executing shellcode commands and establishes persistence through registry keys on Windows or crontab on Linux. Attribution to OceanLotus is based on a 64% similarity with known droppers, as analyzed by the KTAE system. The malicious packages were swiftly removed from PyPI following discovery.

Date

  • Created: May 6, 2026, 3:01 p.m.
  • Published: May 6, 2026, 3:01 p.m.
  • Modified: May 7, 2026, 8:42 a.m.

Indicators


Additional Information

  • helper.zulipchat.com