Researchers at Kaspersky have uncovered a supply chain attack on PyPI (the Python Package Index) that marks a further expansion of state-sponsored activity into open-source repositories. The campaign, which began in July 2025, is attributed to OceanLotus, an APT group historically focused on the Asia-Pacific region that is now casting a much wider net.
By hiding malicious code inside working "wheel" packages (PyPI's prebuilt binary distribution format, the .whl file pip installs), the attackers targeted Python developers globally and delivered a previously undocumented malware family named ZiChatBot.
The attack is notable for its layered deception. The threat actors uploaded several malicious packages to PyPI that genuinely performed the tasks they advertised. To further hide their intent, they also published benign-looking wrapper packages that pulled in the malicious components as dependencies, so a developer who reviewed only the wrapper would see nothing suspicious.
According to the Kaspersky report, “While these wheel packages do implement the features described on their PyPI web pages, their true purpose is to covertly deliver malicious files”.
These files, either .DLL (Windows) or .SO (Linux) shared libraries, act as droppers for the final payload, showing that the group targets both operating systems from the same package set.
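The combination described above, a wheel that advertises one thing while bundling a native shared library and a wrapper that drags it in as a dependency, is something a practitioner can check for before installing. The following is an added example, not code from the Kaspersky report or from the malicious packages: it builds a constructed sample wheel in memory (the fake ELF bytes and the package and dependency names are invented for illustration) and then inspects it for native libraries, declared dependencies, and the contradiction of a wheel tagged pure-Python (`py3-none-any`, `Root-Is-Purelib: true`) that nonetheless ships a `.so`.

```python
import io
import re
import zipfile
from dataclasses import dataclass, field

# Extensions that mean a wheel carries native code, i.e. a potential dropper.
NATIVE_SUFFIXES = (".so", ".dll", ".pyd", ".dylib")


@dataclass
class WheelReport:
    filename: str
    tags: list = field(default_factory=list)          # Tag: lines from the WHEEL file
    requires_dist: list = field(default_factory=list) # declared dependencies (review these too)
    native_libs: list = field(default_factory=list)   # bundled shared libraries
    findings: list = field(default_factory=list)      # human-readable warnings


def inspect_wheel(wheel_bytes: bytes, filename: str) -> WheelReport:
    """Open a wheel (a zip archive) and report native code, dependencies and tag mismatches."""
    report = WheelReport(filename=filename)
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        names = zf.namelist()
        report.native_libs = [n for n in names if n.lower().endswith(NATIVE_SUFFIXES)]
        dist_info = next((n.split("/")[0] for n in names if n.endswith(".dist-info/METADATA")), None)
        if dist_info is None:
            report.findings.append("no .dist-info/METADATA in wheel")
            return report
        metadata = zf.read(f"{dist_info}/METADATA").decode("utf-8", "replace")
        wheel_file = f"{dist_info}/WHEEL"
        wheel_meta = zf.read(wheel_file).decode("utf-8", "replace") if wheel_file in names else ""

    report.requires_dist = re.findall(r"^Requires-Dist:\s*(.+)$", metadata, re.M)
    report.tags = re.findall(r"^Tag:\s*(.+)$", wheel_meta, re.M)
    purelib = re.search(r"^Root-Is-Purelib:\s*true", wheel_meta, re.M | re.I) is not None
    claims_pure_python = purelib or any(t.endswith("none-any") for t in report.tags)

    if report.native_libs:
        report.findings.append("bundles native shared libraries: " + ", ".join(report.native_libs))
        if claims_pure_python:
            report.findings.append("pure-Python wheel tag but native code is present")
    if report.requires_dist:
        report.findings.append("declares dependencies; inspect them as well: "
                               + ", ".join(report.requires_dist))
    return report


def build_sample_wheel() -> bytes:
    """Constructed sample wheel for this example (not a real package): a tiny pure-Python
    helper that nevertheless carries an ELF-looking .so and pulls in another package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("helper/__init__.py", "def greet():\n    return 'hi'\n")
        zf.writestr("helper/_ext.so", b"\x7fELF" + b"\x00" * 16)  # fake ELF header, constructed
        zf.writestr("helper-1.0.dist-info/METADATA",
                    "Metadata-Version: 2.1\nName: helper\nVersion: 1.0\n"
                    "Requires-Dist: some-other-package\n")
        zf.writestr("helper-1.0.dist-info/WHEEL",
                    "Wheel-Version: 1.0\nRoot-Is-Purelib: true\nTag: py3-none-any\n")
    return buf.getvalue()


if __name__ == "__main__":
    rep = inspect_wheel(build_sample_wheel(), "helper-1.0-py3-none-any.whl")
    for finding in rep.findings:
        print(f"[{rep.filename}] {finding}")
```

Run it against a real download with `pip download --no-deps <pkg>` and pass the file's bytes to `inspect_wheel`; then repeat for every name in `requires_dist`, since the wrapper-package trick means the package you asked for may be clean while its dependency is not. Native code in a wheel is not malicious by itself (many legitimate packages ship compiled extensions), so treat the findings as a review queue rather than a verdict.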

The final payload, dubbed ZiChatBot, breaks from traditional malware design. Instead of communicating with a dedicated, easily blocked command-and-control (C2) server, it hides its traffic in the noise of a popular workplace application.
The report reveals that, “Unlike traditional malware, ZiChatBot does not communicate with a dedicated command and control (C2) server, but instead uses a series of REST APIs from the public team chat app Zulip as its C2 infrastructure”.
By riding on Zulip's legitimate infrastructure, the malware's communications blend in with ordinary enterprise web traffic, so network controls that rely on domain reputation or C2 blocklists have nothing to flag. Detection has to come instead from knowing which hosts and which client software in the organisation legitimately talk to Zulip's API.
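Since the C2 domain itself is legitimate, the useful signal is behavioural: which hosts call Zulip's REST API, from what client, and in what pattern. The following is an added example, not the report's detection logic: it runs a simple baseline over constructed proxy log lines (the hostnames, timestamps and the `example.zulipchat.com` realm are invented) and flags hosts that are not on an assumed allowlist of known Zulip users, that reach the API with a non-browser user agent, or that exercise the full register-queue / poll-events / post-message cycle that a bot client performs. The three endpoint paths are Zulip's documented API routes; the allowlist and the user-agent heuristic are assumptions to be tuned per environment.

```python
import re
from collections import defaultdict

# Constructed proxy log lines for this example (not from the Kaspersky report).
# Format: timestamp src_host method url user_agent
SAMPLE_PROXY_LOG = """\
2025-07-14T09:00:01Z ws-017 POST https://example.zulipchat.com/api/v1/register python-requests/2.31.0
2025-07-14T09:00:02Z ws-017 GET https://example.zulipchat.com/api/v1/events?queue_id=1 python-requests/2.31.0
2025-07-14T09:00:03Z ws-017 POST https://example.zulipchat.com/api/v1/messages python-requests/2.31.0
2025-07-14T09:00:04Z ws-042 GET https://example.zulipchat.com/api/v1/messages Mozilla/5.0 (Windows NT 10.0) Chrome/126.0
2025-07-14T09:00:05Z ws-042 GET https://www.python.org/ Mozilla/5.0 (Windows NT 10.0) Chrome/126.0
2025-07-14T09:00:06Z ws-099 GET https://example.zulipchat.com/api/v1/events?queue_id=7 Mozilla/5.0 (Windows NT 10.0) Chrome/126.0
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<method>\S+) (?P<url>\S+) (?P<ua>.*)$")

# Zulip's REST API lives under /api/v1/. A client that wants to receive commands and
# reply needs exactly these routes: register an event queue, long-poll it, send messages.
ZULIP_API_RE = re.compile(r"^https?://[^/]+/api/v1/(register|events|messages)\b")
BROWSER_UA_RE = re.compile(r"Mozilla/5\.0")  # heuristic; tune for your sanctioned clients


def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_zulip_c2_candidates(log_text, allowed_hosts):
    """Return {src_host: [reasons]} for hosts whose Zulip API usage looks anomalous.

    allowed_hosts: set of source hosts expected to use Zulip (assumed allowlist)."""
    per_host = defaultdict(lambda: {"endpoints": set(), "uas": set()})
    for rec in parse_log(log_text):
        m = ZULIP_API_RE.match(rec["url"])
        if not m:
            continue  # not Zulip API traffic; ignore
        per_host[rec["host"]]["endpoints"].add(m.group(1))
        per_host[rec["host"]]["uas"].add(rec["ua"])

    findings = {}
    for host, info in per_host.items():
        reasons = []
        if host not in allowed_hosts:
            reasons.append("Zulip API traffic from host not on the Zulip allowlist")
        odd_uas = sorted(ua for ua in info["uas"] if not BROWSER_UA_RE.search(ua))
        if odd_uas:
            reasons.append("non-browser user agent: " + ", ".join(odd_uas))
        if {"register", "events", "messages"} <= info["endpoints"]:
            reasons.append("full bot-style cycle (register queue, poll events, post messages)")
        if reasons:
            findings[host] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in sorted(find_zulip_c2_candidates(SAMPLE_PROXY_LOG, {"ws-042"}).items()):
        print(host)
        for r in reasons:
            print("  -", r)
```

In this sample, `ws-042` is allowlisted and browsing normally, so it is silent; `ws-099` is flagged only for being off the allowlist; `ws-017` trips all three rules. The user-agent check is the weakest of the three: a real implant can imitate a browser string, and Zulip's official desktop and mobile clients have their own user agents that an untuned heuristic will flag, so the allowlist and the endpoint-cycle pattern should carry most of the weight.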
Kaspersky’s Threat Attribution Engine (KTAE) found a 64% similarity between the ZiChatBot dropper and previous tools used by OceanLotus. Reverse engineering further confirmed this link, showing that both use “nearly identical algorithms and logic” for decrypting and decompressing their payloads.
While OceanLotus has traditionally targeted the Asia-Pacific region, this campaign shows a clear intent to move into the Middle East and target Python users worldwide. This shift mirrors a broader trend observed in early 2025, where the group began diversifying its initial infection methods beyond phishing to include platform-based attacks on GitHub and PyPI.
As OceanLotus continues to explore "diverse supply chain attacks," the responsibility falls on developers to verify the lineage of their dependencies: review what a package pulls in transitively rather than only the name they typed into pip, and treat a wheel that ships native shared libraries it has no evident need for as a reason to look closer before installing.