
ZiChatBot: OceanLotus APT Uses Zulip Chat APIs as Covert Command and Control in PyPI Supply Chain Attack

dark6 9 May 2026

A newly documented malware family, dubbed ZiChatBot, abuses the REST API of Zulip, a legitimate open-source team chat platform, to receive operator commands without contacting any infrastructure that would look suspicious on its own. The campaign, attributed with moderate confidence to the OceanLotus APT group (APT32), shows how state-aligned actors increasingly hide malicious traffic inside trusted communication platforms to evade detection.

How ZiChatBot Works: Abusing Legitimate APIs for Command and Control

Rather than talking to a private command-and-control server that security tooling could flag or block, ZiChatBot routes all of its activity through Zulip's public REST API. Its HTTP requests go to the legitimate chat service, so the traffic blends in with ordinary developer communication. Each request authenticates with an API key carried in the request headers.

ZiChatBot operates through two separate channel-topic pairs within the Zulip platform:

  • One pair sends basic system information about the infected machine back to the attacker
  • The other retrieves messages containing shellcode, which ZiChatBot then executes in a new thread

Once a command has run, the malware replies in the chat with a heart emoji to signal completion, a detail chosen so that even the bot's acknowledgements look like routine messaging activity.
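A hunting query for the traffic pattern just described, written here as an added example rather than code from the article or from the research it summarises. It scans HTTP proxy log lines (a simplified, constructed format) for three signals: contact with helper.zulipchat.com, the organization the article names; Zulip API calls from any realm the organisation has not approved (the approved-realm set is an assumption); and repeated fetches of /api/v1/messages, an assumed polling endpoint since the article does not name the exact API call the bot makes.

```python
"""Hunt for Zulip-API command-and-control traffic in HTTP proxy logs.

Added example (not code from the article or from Securelist). Log format,
hostnames other than helper.zulipchat.com, and the polling endpoint are
assumptions made so the logic can run offline.
"""
import re
from collections import defaultdict

# Constructed sample log, one request per line:
#   <timestamp> <client-ip> <method> <url> <status>
# 10.1.2.15 shows the ZiChatBot pattern against the realm named in the
# article; 10.1.2.77 is a developer using an approved (assumed) Zulip realm.
SAMPLE_LOG = """\
2025-07-14T09:00:01Z 10.1.2.15 GET https://helper.zulipchat.com/api/v1/messages?anchor=newest&num_before=1 200
2025-07-14T09:00:02Z 10.1.2.15 POST https://helper.zulipchat.com/api/v1/messages 200
2025-07-14T09:00:31Z 10.1.2.15 GET https://helper.zulipchat.com/api/v1/messages?anchor=newest&num_before=1 200
2025-07-14T09:01:01Z 10.1.2.15 GET https://helper.zulipchat.com/api/v1/messages?anchor=newest&num_before=1 200
2025-07-14T09:00:05Z 10.1.2.40 GET https://pypi.org/simple/requests/ 200
2025-07-14T09:00:09Z 10.1.2.77 GET https://engineering-example.zulipchat.com/api/v1/messages?anchor=newest 200
2025-07-14T09:00:12Z 10.1.2.77 POST https://engineering-example.zulipchat.com/api/v1/messages 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"https?://(?P<host>[^/\s]+)(?P<path>/[^?\s]*)?"
)

# Realm the article says the campaign used (since deactivated by Zulip).
KNOWN_C2_REALMS = {"helper.zulipchat.com"}
# Assumption: the Zulip realms your organisation legitimately uses.
APPROVED_REALMS = {"engineering-example.zulipchat.com"}
# Assumption: the bot polls for commands by fetching messages; the article
# does not name the exact endpoint, so adjust to what your telemetry shows.
MESSAGES_API = "/api/v1/messages"


def parse(log_text):
    """Yield one dict per parseable log line (ts, client, method, host, path)."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["path"] = rec["path"] or "/"
            yield rec


def hunt(log_text, c2_realms=KNOWN_C2_REALMS, approved_realms=APPROVED_REALMS,
         poll_threshold=3):
    """Return {client_ip: [reason, ...]} for clients whose Zulip traffic looks like C2.

    Signals, weakest to strongest: Zulip API use against a realm the
    organisation does not use; repeated message fetches from such a realm
    (command polling); and any contact with a realm tied to the campaign.
    Approved realms are skipped entirely, since real clients poll them too.
    """
    findings = defaultdict(set)
    polls = defaultdict(int)
    for r in parse(log_text):
        host, client = r["host"].lower(), r["client"]
        if host != "zulipchat.com" and not host.endswith(".zulipchat.com"):
            continue
        if host in approved_realms:
            continue
        if host in c2_realms:
            findings[client].add(f"contacted known C2 realm {host}")
        else:
            findings[client].add(f"Zulip API use against unapproved realm {host}")
        if r["method"] == "GET" and r["path"] == MESSAGES_API:
            polls[client] += 1
    for client, n in polls.items():
        if n >= poll_threshold:
            findings[client].add(f"fetched {MESSAGES_API} {n} times (command polling)")
    return {client: sorted(reasons) for client, reasons in findings.items()}


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for client, reasons in hunt(text).items():
        print(client)
        for reason in reasons:
            print("   ", reason)
```

The poll count is deliberately left unwindowed to keep the example short; in production, bucket the GETs by time so that a steady cadence (every 30 seconds in the sample) stands out from a human reading a channel once.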

PyPI Supply Chain Attack: The Initial Infection Vector

The threat came to light through a series of malicious Python packages on PyPI, the widely used Python Package Index, the first of which appeared in July 2025. Kaspersky researchers, publishing on Securelist, identified three fake libraries whose names closely resemble tools developers use in everyday projects:

  • uuid32-utils — Impersonated a legitimate UUID utility library
  • colorinal — Disguised as a terminal color formatting tool
  • termncolor — Especially deceptive: it listed colorinal as a dependency, meaning anyone who installed termncolor would unknowingly trigger the full infection chain

Once installed, these packages silently dropped the ZiChatBot payload onto the victim’s system. The dropper used AES encryption in CBC mode to hide sensitive strings and embedded payloads, and after deploying ZiChatBot, it executed shellcode to self-delete, wiping traces of the initial infection.

Cross-Platform Persistence: Windows and Linux

ZiChatBot targets both Windows and Linux systems, making it a cross-platform threat capable of reaching a wide range of developers and machines.

On Windows, the payload is a DLL named libcef.dll (the file name of the Chromium Embedded Framework library) that is sideloaded by a legitimate executable called vcpktsvr.exe. Persistence is established through a registry auto-run entry, so ZiChatBot restarts each time the user logs in.

On Linux, the payload resides at /tmp/obsHub/obs-check-update and uses a crontab entry to maintain access on infected systems.

OceanLotus (APT32) Attribution

The Kaspersky Threat Attribution Engine flagged a 64% code similarity between the ZiChatBot dropper and a dropper previously linked to the OceanLotus APT group — a well-established threat actor that has historically focused on targets in the Asia-Pacific region. Recent activity shows the group pushing beyond its traditional boundaries, including campaigns in the Middle East and now this global supply chain attack through PyPI.

This shift reflects a deliberate effort by the group to broaden its reach by targeting trusted public platforms that developers rely on daily, maximizing the potential victim pool while keeping detection difficult.

Current Status and Recommended Defenses

The malicious packages have since been removed from PyPI, and the Zulip organization used by the attackers has been deactivated. However, researchers warn that systems infected before the takedown will keep trying to reach the deactivated organization, so cleanup on compromised machines remains critical, and those failed beacons double as a detection signal.

Recommended defensive measures include:

  • Block helper.zulipchat.com at the network perimeter and alert on attempts to reach it, to identify machines still calling out to the attacker's organization
  • Audit Python environments for the presence of uuid32-utils, colorinal, or termncolor
  • Check for libcef.dll loaded by vcpktsvr.exe on Windows systems
  • Inspect crontab entries and /tmp/obsHub/ on Linux systems for persistence artifacts
  • Monitor network traffic for anomalous API calls to zulipchat.com domains
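The host-side checks in the list above, collected into one triage script that covers the PyPI package names, the Linux cron and /tmp/obsHub artifacts, and the Windows vcpktsvr.exe / libcef.dll pair. This is an added example, not code from the article or from Securelist; the indicator values are the article's, while the assumption that the Windows auto-run entry lives under the standard HKCU/HKLM Run keys, the use of the current user's crontab, and the CONSTRUCTED_* sample inputs are mine.

```python
"""Triage a developer host for the ZiChatBot indicators listed in the article.

Added example, not code from the article or from Securelist. Indicator
values are the article's; the Run-key location and CONSTRUCTED_* inputs
are assumptions.
"""
import ntpath
import os
import re
import subprocess
import sys
from importlib.metadata import distributions

MALICIOUS_PACKAGES = {"uuid32-utils", "colorinal", "termncolor"}
LINUX_PAYLOAD = "/tmp/obsHub/obs-check-update"
WINDOWS_LOADER = "vcpktsvr.exe"
WINDOWS_PAYLOAD = "libcef.dll"

# Constructed sample inputs so the checks can be exercised offline.
CONSTRUCTED_INSTALLED = ["requests", "Termncolor", "colorinal", "uuid32_utils", "numpy"]
CONSTRUCTED_CRONTAB = (
    "# m h dom mon dow command\n"
    "*/5 * * * * /tmp/obsHub/obs-check-update >/dev/null 2>&1\n"
    "0 3 * * * /usr/local/bin/backup.sh\n"
)
CONSTRUCTED_RUN = {
    "OneDrive": r'"C:\Users\dev\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "vcpktsvr": r'"C:\Users\dev\AppData\Roaming\vcpkt\vcpktsvr.exe"',
}


def normalize(name):
    """PEP 503 normalisation so 'Uuid32_utils' matches 'uuid32-utils'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def suspicious_packages(installed_names):
    """Malicious distribution names present among the installed names."""
    return {n for n in map(normalize, installed_names) if n in MALICIOUS_PACKAGES}


def suspicious_cron_lines(crontab_text):
    """Non-comment crontab lines referencing the Linux persistence directory."""
    return [line for line in crontab_text.splitlines()
            if "/tmp/obsHub" in line and not line.lstrip().startswith("#")]


def suspicious_run_entries(run_values):
    """run_values maps Run-key value names to commands; keep vcpktsvr.exe loaders."""
    return {k: v for k, v in run_values.items() if WINDOWS_LOADER in v.lower()}


def sideloaded_dll(command, exists=os.path.exists):
    """Path of a libcef.dll sitting beside the vcpktsvr.exe in `command`, else None."""
    m = re.search(r'"?([^"]*?vcpktsvr\.exe)"?', command, re.IGNORECASE)
    if not m:
        return None
    candidate = ntpath.join(ntpath.dirname(m.group(1)), WINDOWS_PAYLOAD)
    return candidate if exists(candidate) else None


def read_crontab():
    """Current user's crontab, or '' where cron is absent."""
    try:
        return subprocess.run(["crontab", "-l"], capture_output=True, text=True).stdout
    except FileNotFoundError:
        return ""


def read_run_keys():
    """HKCU and HKLM ...\\CurrentVersion\\Run values on Windows; {} elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg
    values = {}
    for hive in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
        try:
            key = winreg.OpenKey(hive, r"Software\Microsoft\Windows\CurrentVersion\Run")
        except OSError:
            continue
        with key:
            for i in range(winreg.QueryInfoKey(key)[1]):
                name, data, _ = winreg.EnumValue(key, i)
                values[name] = str(data)
    return values


def triage():
    """Run every check against the live host and return the findings."""
    runs = suspicious_run_entries(read_run_keys())
    return {
        "packages": suspicious_packages(
            d.metadata.get("Name") or "" for d in distributions()),
        "cron": suspicious_cron_lines(read_crontab()),
        "linux_payload_present": os.path.exists(LINUX_PAYLOAD),
        "run_entries": runs,
        "sideloaded_dll": [p for p in map(sideloaded_dll, runs.values()) if p],
    }


if __name__ == "__main__":
    for check, result in triage().items():
        print(f"{check}: {result}")
```

Run it with the same interpreter the developer uses, since importlib.metadata only sees the environment it runs in; repeat per virtualenv, and check lock files and requirements.txt for the three names as well, because termncolor pulls colorinal in as a dependency and a lock file may list only one of them.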

This campaign underscores a growing trend of threat actors leveraging trusted developer ecosystems and legitimate SaaS platforms to deliver malware and evade detection — a tactic that demands heightened vigilance across development pipelines and CI/CD environments.
