Black & White Path
May 11, 2026 · Information Security
How OceanLotus weaponized PyPI to deliver ZiChatBot malware using Zulip as C2
OceanLotus (APT32) hijacked three innocuous PyPI packages—uuid32-utils, colorinal, and termncolor—to drop the ZiChatBot malware, which persists via registry or crontab and communicates through the Zulip public chat REST API, making its traffic indistinguishable from legitimate developer traffic and evading network‑based detection.
Dependency Poisoning · OceanLotus · PyPI
