OceanLotus suspected of distributing ZiChatBot malware via wheel packages in PyPI
Essential information
- Published: 06/05/2026 17:01
- Modified: 07/05/2026 08:42
- Source / Author: AlienVault
- Confidence: 100/100
- Report type(s): threat-report
- Labels / Tags: cross-platform, dropper, pypi, python packages, supply chain attack, wheel packages, zichatbot, zulip c2
- Tags: 2026-05-06, cross-platform, dropper, pypi, python packages, supply chain attack, wheel packages, zichatbot, zulip c2
- Related entities: 10 indicators, 10 observables, 1 intrusion set (apt), 16 techniques (mitre), 1 malware, 1 other
Description
Between July 2025 and the time of writing, threat actors suspected to be OceanLotus distributed malicious wheel packages through PyPI, targeting both Windows and Linux. Three fake libraries (uuid32-utils, colorinal, and termncolor) were created to imitate legitimate packages, forming a sophisticated supply chain attack. The packages deployed droppers that delivered ZiChatBot, a previously unknown malware family that uses Zulip's REST APIs as its command-and-control channel instead of a traditional C2 server. The malware supports executing shellcode commands and establishes persistence through registry keys on Windows or crontab on Linux. Attribution to OceanLotus is based on a 64% similarity with known droppers as analyzed by the KTAE system. The malicious packages were swiftly removed from PyPI following discovery.