Kaspersky’s GReAT researchers say OceanLotus is suspected of distributing ZiChatBot malware via malicious wheel packages uploaded to PyPI from July 2025, using three packages designed to imitate legitimate libraries. The packages, uuid32-utils, colorinal and termncolor, were uploaded on 2025-07-16 and 2025-07-22, and each delivered a dropper that could deploy ZiChatBot on Windows or Linux. ZiChatBot itself uses Zulip’s public REST APIs as its command-and-control channel rather than a dedicated C2 host.
The dropper ships inside the wheel as terminate[.]dll on Windows (terminate[.]so on Linux); it is extracted from the wheel, loaded into the Python process, and then deploys ZiChatBot, which persists via a registry Run entry on Windows and a crontab job on Linux. The packages were removed from PyPI after discovery, and Kaspersky attributes this supply-chain attack to OceanLotus.
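As an added example (not code from Kaspersky’s report or from the packages themselves), a small inspection script that flags the two signals described above in a wheel file before it is installed: bundled native binaries such as terminate.dll/terminate.so, and distribution names matching the reported packages. The sample wheel it scans is constructed inline with a placeholder binary.

```python
# Added example: pre-install check of a wheel for native loaders and known-bad names.
# The wheel built here is a constructed sample; the "terminate.dll" entry is a placeholder.
import io
import zipfile
from typing import Dict, List

# Package names taken from the advisory text above.
SUSPICIOUS_PACKAGES = {"uuid32-utils", "colorinal", "termncolor"}
# Native files are a signal to inspect, not a verdict: legitimate compiled
# extensions (.pyd/.so) are common, but pure-Python lookalikes should have none.
NATIVE_SUFFIXES = (".dll", ".so", ".dylib", ".pyd")


def scan_wheel(data: bytes) -> Dict[str, List[str]]:
    """Return native binaries found in the wheel and any distribution-name matches."""
    findings: Dict[str, List[str]] = {"native_files": [], "name_matches": []}
    with zipfile.ZipFile(io.BytesIO(data)) as wheel:
        for info in wheel.infolist():
            name = info.filename
            if name.lower().endswith(NATIVE_SUFFIXES):
                findings["native_files"].append(name)
            # The distribution name lives in <dist>-<ver>.dist-info/METADATA
            if name.endswith(".dist-info/METADATA"):
                text = wheel.read(name).decode("utf-8", "replace")
                for line in text.splitlines():
                    if line.startswith("Name:"):
                        # Normalise per PEP 503 so termncolor / TermNColor compare equal
                        dist = line.split(":", 1)[1].strip().lower().replace("_", "-")
                        if dist in SUSPICIOUS_PACKAGES:
                            findings["name_matches"].append(dist)
    return findings


def build_sample_wheel() -> bytes:
    """Constructed wheel mimicking the layout described in the report (placeholder DLL)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as wheel:
        wheel.writestr("termncolor/__init__.py", "import ctypes  # constructed sample\n")
        wheel.writestr("termncolor/terminate.dll", b"MZ placeholder, not a real binary")
        wheel.writestr("termncolor-0.1.dist-info/METADATA", "Name: termncolor\nVersion: 0.1\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_wheel(build_sample_wheel()))
```

In practice, run the scan on wheels fetched with `pip download` into a quarantine directory and block installation when a name match or an unexpected native file appears.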