How OceanLotus weaponized PyPI to deliver ZiChatBot malware using Zulip as C2
OceanLotus (APT32) hijacked three innocuous PyPI packages—uuid32-utils, colorinal, and termncolor—to drop the ZiChatBot malware, which persists via registry or crontab and communicates through the Zulip public chat REST API, making its traffic indistinguishable from legitimate developer traffic and evading network‑based detection.
Attack Overview: PyPI Supply‑Chain Campaign
From 2025‑07‑16 to 2025‑07‑22 the threat group OceanLotus (APT32) published three seemingly benign Python packages on PyPI: uuid32-utils, colorinal and termncolor. Together they accumulated more than 2,480 downloads. termncolor itself contains no malicious code, but its setup.py declares colorinal as a dependency, creating a dependency‑chain poisoning vector that widens the exposure surface.
The attackers also crafted a camouflage layer: the colorinal project page appears legitimate, while uuid32-utils and colorinal are listed as pre‑install dependencies of termncolor, further diluting the presence of malicious code.
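One way to audit for exactly this kind of transitive pull-in, as an added example that is not code from the report or from any of the packages: walk a dependency graph and report every chain that reaches a blocklisted name. The metadata dictionary, the root package name my-cli-tool and the helper names are constructed for the example.

```python
# Added example (not the report's code): walk a package's transitive dependency
# graph and flag anything on a blocklist, reporting the chain through which it
# would be pulled in. Metadata is constructed to mirror termncolor -> colorinal.
import re
from typing import Dict, List

# Constructed stand-in for the Requires-Dist strings pip resolves (in a real
# audit importlib.metadata.requires(name) returns the same kind of strings).
SAMPLE_METADATA: Dict[str, List[str]] = {
    "my-cli-tool": ["termncolor>=0.1", "requests (>=2.0)"],
    "termncolor": ["colorinal", "uuid32_utils; python_version >= '3.8'"],
    "colorinal": [],
    "uuid32-utils": [],
    "requests": ["urllib3"],
    "urllib3": [],
}

# The three package names the report identifies as malicious.
BLOCKLIST = {"uuid32-utils", "colorinal", "termncolor"}

_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")

def normalize(name: str) -> str:
    """PEP 503 name normalisation: lowercase, runs of -_. collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def dependency_name(requirement: str) -> str:
    """Bare, normalised project name from a Requires-Dist string."""
    match = _NAME_RE.match(requirement)
    if not match:
        raise ValueError(f"unparseable requirement: {requirement!r}")
    return normalize(match.group(1))

def find_blocked_chains(root: str, metadata: Dict[str, List[str]],
                        blocklist) -> List[List[str]]:
    """Every path root -> ... -> blocked package; cycles are not re-expanded."""
    blocked = {normalize(b) for b in blocklist}
    hits, seen = [], set()
    stack = [(normalize(root), [normalize(root)])]
    while stack:
        pkg, path = stack.pop()
        if pkg in blocked:
            hits.append(path)
        if pkg in seen:
            continue
        seen.add(pkg)
        for req in metadata.get(pkg, []):
            dep = dependency_name(req)
            stack.append((dep, path + [dep]))
    return hits
```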
Infection Chain Dissection: From pip install to Persistence
Using colorinal as an example, the full infection flow is:
pip install colorinal
│
▼
Install wheel package
│
▼
Python import triggers dropper
│
▼
Extract terminate.dll (Windows) / terminate.so (Linux)
│
▼
Load dropper → extract ZiChatBot main payload
│
▼
Establish persistence:
Windows: Registry Run key
Linux: crontab entry
│
▼
Begin communication with Zulip C2
Windows Infection Path
After installation the malicious code extracts terminate.dll to disk and loads it via a legitimate Windows executable vcpktsvr.exe. The DLL acts as a dropper, planting the ZiChatBot payload, writing a Run‑key autostart entry in the registry, and then self‑deleting.
Linux Infection Path
The Linux variant drops terminate.so under /tmp/obsHub/obs-check-update and schedules periodic execution via a crontab entry. Placing the file in /tmp reduces forensic footprints because most system logs do not record detailed operations in that directory.
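A host-side check for the two persistence locations described in the Windows and Linux paths, as an added example that is not the report's code: crontab entries whose program lives in a world-writable temp directory (the report names /tmp/obsHub/obs-check-update) and, on Windows, Run-key values that point into a user-writable directory. The crontab text is constructed; the function names are the example's own.

```python
# Added example (not the report's code): inspect the two persistence spots the
# chain uses. Linux: crontab entries whose program runs from /tmp (the report
# names /tmp/obsHub/obs-check-update). Windows: Run-key values that point into a
# user-writable directory. The crontab text below is constructed.
import os
import re
import sys
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * /tmp/obsHub/obs-check-update >/dev/null 2>&1
@reboot /home/dev/bin/sync-notes.sh
"""
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

def cron_command(line):
    """Command part of a crontab line; '' for blank, comment or VAR=value lines."""
    line = line.strip()
    if not line or line.startswith("#") or re.match(r"^\w+=", line):
        return ""
    if line.startswith("@"):            # @reboot, @daily, ...
        parts = line.split(None, 1)
        return parts[1] if len(parts) == 2 else ""
    fields = line.split(None, 5)        # m h dom mon dow command
    return fields[5] if len(fields) == 6 else ""

def suspicious_cron_entries(text):
    """(line number, command) for entries whose program lives in a temp dir."""
    cmds = ((n, cron_command(l)) for n, l in enumerate(text.splitlines(), 1))
    return [(n, c) for n, c in cmds if c and c.split()[0].startswith(TEMP_DIRS)]

def suspicious_run_entries():
    """Windows only: Run-key values whose target sits under TEMP/APPDATA/LOCALAPPDATA."""
    if sys.platform != "win32":
        return []
    import winreg
    run = r"Software\Microsoft\Windows\CurrentVersion\Run"
    writable = [os.environ.get(v, "").lower() for v in ("TEMP", "APPDATA", "LOCALAPPDATA")]
    hits = []
    for root in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
        try:
            key = winreg.OpenKey(root, run)
        except OSError:           # hive or key not readable from this account
            continue
        with key:
            for i in range(winreg.QueryInfoKey(key)[1]):
                name, value, _ = winreg.EnumValue(key, i)
                if any(d and d in str(value).lower() for d in writable):
                    hits.append((name, str(value)))
    return hits
```

Feed the real tables with `crontab -l` output (per user, plus /etc/cron.d files) rather than the sample string.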
C2 Innovation: Zulip REST API as Command Channel
ZiChatBot’s C2 traffic is entirely routed through the public Zulip chat platform’s REST API, making it indistinguishable from normal developer traffic on Zulip.
Why Traditional C2 Fails
Conventional malware C2 uses self‑hosted IPs or DGA domains, which can be blocked by threat‑intel feeds or detected by IDS/IPS rules. Zulip’s legitimate TLS‑encrypted traffic bypasses such signatures.
Zulip as C2
Communication follows two independent channel‑topic pairs:
ZiChatBot                          Zulip API                          Attacker console
    │                                  │                                  │
    │  GET /api/v1/messages            │                                  │
    │  (HTTP request with API token)   │                                  │
    ├─────────────────────────────────►│                                  │
    │◄─────────────────────────────────┤  Read encrypted message          │
    │                                  │  (contains shellcode)            │
    │                                  │                                  │
    │  POST /api/v1/messages           │                                  │
    │  (send heartbeat emoji)          │                                  │
    ├─────────────────────────────────►│◄─────────────────────────────────┤
Each HTTP request carries a Zulip API token in the Authorization header, but the traffic pattern matches that of a normal Zulip client, rendering WAF and network‑traffic analysis ineffective.
Channel A returns basic system information from the infected host; Channel B receives messages that contain encoded shellcode, which the dropper executes in a new thread and acknowledges by posting a heart‑emoji (❤️) back to the channel.
Shellcode Execution Mechanism
Parse the shellcode payload from the message body (encoded form).
Execute the shellcode in a newly created thread.
Send a ❤️ reaction on Channel B as a success signal.
This architecture lets the attacker push arbitrary commands—file operations, network scans, credential theft, lateral movement—all over Zulip’s legitimate encrypted channel.
Attribution: OceanLotus Fingerprint
Kaspersky Threat Attribution Engine (KTAE) found a 64% code similarity between the ZiChatBot dropper and known OceanLotus dropper samples.
OceanLotus, a Vietnam‑based state‑aligned APT, has historically targeted governments, media, and human‑rights groups in Southeast Asia. In late 2024 it poisoned Visual Studio Code extensions and used Notion as C2. The current PyPI campaign marks a shift toward weaponizing trusted developer infrastructure.
2017‑2019 │ Spear‑phishing + malicious Office docs
2019‑2022 │ Watering‑hole + browser‑exploit chains
2023‑2024 │ VS Code project poisoning + Notion C2
2025+ │ PyPI supply‑chain attack + Zulip API C2
Mitigation Progress
Kaspersky reported the malicious packages to PyPI, which removed them and disabled the associated Zulip account. However, infected systems may still attempt to contact the now‑disabled Zulip endpoint, providing a strong IoC for detection.
Compromised hosts remain active threats.
Repeated HTTP requests to the disabled domain constitute a reliable indicator of compromise.
Enterprises should proactively scan internal networks for such anomalous traffic.
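What such a scan can look like on proxy logs, as an added example that is not the report's code: it groups requests to the Zulip messages API per client and instance and flags a client when at least two of the C2 traits described above line up (steady polling cadence, an instance the organisation does not sanction, mostly 401/403 replies once the account is disabled). Log lines, hostnames, addresses and the allowlist are constructed.

```python
# Added example (not the report's code): score proxy-log traffic for the Zulip
# polling pattern described above: a client repeatedly hitting /api/v1/messages
# at a steady cadence, on a Zulip instance the organisation does not use, or
# mostly receiving 401/403 after the account was disabled. All data constructed.
from collections import defaultdict
from datetime import datetime
from statistics import median
# Format: timestamp client method host path status user-agent (constructed).
SAMPLE_PROXY_LOG = """\
2025-07-20T10:00:00Z 10.0.0.5 GET example-org.zulipchat.com /api/v1/messages?anchor=newest&num_before=1 200 python-requests/2.31
2025-07-20T10:00:30Z 10.0.0.5 GET example-org.zulipchat.com /api/v1/messages?anchor=newest&num_before=1 401 python-requests/2.31
2025-07-20T10:01:00Z 10.0.0.5 GET example-org.zulipchat.com /api/v1/messages?anchor=newest&num_before=1 401 python-requests/2.31
2025-07-20T10:01:30Z 10.0.0.5 GET example-org.zulipchat.com /api/v1/messages?anchor=newest&num_before=1 401 python-requests/2.31
2025-07-20T10:00:05Z 10.0.0.12 GET chat.corp.example /api/v1/messages?anchor=newest&num_before=50 200 Mozilla/5.0 (X11; Linux x86_64)
2025-07-20T10:07:12Z 10.0.0.12 POST chat.corp.example /api/v1/messages 200 Mozilla/5.0 (X11; Linux x86_64)
2025-07-20T10:09:40Z 10.0.0.12 GET chat.corp.example /api/v1/messages?anchor=newest&num_before=50 200 Mozilla/5.0 (X11; Linux x86_64)
2025-07-20T10:31:05Z 10.0.0.12 GET chat.corp.example /api/v1/messages?anchor=newest&num_before=50 200 Mozilla/5.0 (X11; Linux x86_64)
"""
ALLOWED_ZULIP_HOSTS = {"chat.corp.example"}   # the organisation's own instance

def parse_line(line):
    ts, client, method, host, path, status, ua = line.split(maxsplit=6)
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "client": client,
            "method": method, "host": host, "path": path.split("?", 1)[0],
            "status": int(status), "ua": ua}

def find_zulip_beacons(log_text, min_requests=4, max_jitter_s=5.0):
    """Clients whose Zulip messages-API traffic shows at least two C2 traits."""
    by_pair = defaultdict(list)
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse_line(line)
        if rec["path"] == "/api/v1/messages":
            by_pair[(rec["client"], rec["host"])].append(rec)
    findings = []
    for (client, host), recs in by_pair.items():
        if len(recs) < min_requests:
            continue
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        denied = sum(r["status"] in (401, 403) for r in recs) / len(recs)
        reasons = []
        if host not in ALLOWED_ZULIP_HOSTS:
            reasons.append("unsanctioned Zulip instance")
        if max(gaps) - min(gaps) <= max_jitter_s:        # machine-regular cadence
            reasons.append(f"steady polling every ~{median(gaps):.0f}s")
        if denied >= 0.5:                                 # token/account already disabled
            reasons.append("mostly 401/403 (disabled account or token)")
        if len(reasons) >= 2:
            findings.append({"client": client, "host": host, "requests": len(recs), "reasons": reasons})
    return findings
```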
Future Trend: Weaponization of Trusted Infrastructure
The ZiChatBot case exemplifies a broader trend where attackers embed C2 channels in legitimate services, undermining the assumption that “traffic from a suspicious IP equals malicious”. Anticipated developments include:
More package‑manager ecosystems (e.g., NPM) becoming high‑value targets.
Increased abuse of chat/SaaS platforms such as Slack, Discord, and Telegram Bot API for C2.
Dependency‑chain poisoning becoming a mainstream tactic, exemplified by the multi‑layer termncolor → colorinal chain.
Covert channels hidden in normal traffic, with simple emojis as ACK signals paving the way for more sophisticated encoding schemes.
For developers and security teams, the key takeaway is “trust but verify” every pip install and every seemingly benign HTTP request.