Three malicious Python packages distributed via PyPI spent nearly ten months delivering a previously unknown cross-platform backdoor to developer workstations before removal from the registry, with Kaspersky researchers identifying a 64 percent code overlap with tooling attributed to OceanLotus, a Vietnam-aligned nation-state threat actor with a documented history of software supply-chain operations.
ZiChatBot Packages Uploaded in July 2025 Accumulated 2,480 Downloads Before Discovery
Kaspersky disclosed the campaign, identifying three packages — uuid32-utils (1,479 downloads), colorinal (614 downloads), and termncolor (387 downloads) — as delivering a backdoor designated ZiChatBot. All three packages were uploaded to PyPI in July 2025 and remained accessible until the disclosure in May 2026, a dwell window of approximately ten months during which developers on both Windows and Linux unknowingly introduced the malware into their development environments.
The package names were selected to blend with legitimate Python developer tooling. uuid32-utils mimicked common UUID utility libraries; colorinal and termncolor impersonated terminal formatting packages — a category with consistently high ambient download rates among Python developers. The familiar naming conventions reduced the likelihood that any individual installation would prompt manual security review.
How ZiChatBot Abused Zulip’s Public REST API to Mask Command-and-Control Traffic
ZiChatBot’s most distinctive technical attribute is its use of Zulip’s publicly accessible team-chat REST API as a command-and-control channel. Rather than operating dedicated C2 servers — which generate network fingerprints that threat intelligence platforms can flag and block — ZiChatBot transmitted operator commands and exfiltrated data as Zulip API calls. On networks where Zulip is an approved collaboration tool, this traffic appears indistinguishable from normal business use.
On Windows systems, ZiChatBot dropped a malicious DLL and wrote autorun entries to the Windows Registry to ensure persistence across reboots. On Linux, it planted a crontab entry for equivalent persistence. Once resident, the malware retrieved shellcode packages through the Zulip channel and executed them in memory, enabling operators to issue arbitrary instructions without deploying additional recognizable binaries to disk.
OceanLotus Code Similarity and the Limits of Attribution
Kaspersky’s reverse-engineering of the dropper component found a 64 percent code similarity with tools previously attributed to OceanLotus, also designated APT32 — a threat actor assessed to operate in alignment with Vietnamese national intelligence interests. OceanLotus has a documented history of supply-chain operations and targeting of corporate and government entities across Southeast Asia and beyond, making the connection operationally plausible.
Researchers explicitly cautioned that code similarity alone does not confirm attribution. Threat actors frequently repurpose shared codebases, purchase tooling through underground markets, or deliberately embed artifacts from peer group code to mislead investigators. Kaspersky designated the OceanLotus connection as a working hypothesis requiring additional corroborating evidence before attribution can be established with confidence.
PyPI Removal and the Exposure Window for Affected Developers
PyPI administrators removed the three packages following Kaspersky’s disclosure. The ten-month active window illustrates a persistent vulnerability in open-source package ecosystem security: malicious packages that generate gradual, organic download volumes through plausible names often avoid the anomaly-detection signals that flag sudden high-volume uploads or packages with no documented community history.
Developers who installed any of the three packages between July 2025 and May 2026 should treat affected machines as potentially compromised. Recommended response actions include rotating all credentials stored or accessible from those systems — covering cloud access keys, source code repository tokens, CI/CD pipeline secrets, and code-signing certificates — auditing Windows Registry autorun entries and Linux crontab schedules for unauthorized persistence entries, and investigating running processes and memory for evidence of shellcode execution.
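A defender-side triage helper for the response steps above, added here as an example and not code from Kaspersky, PyPI or the article: it checks the running interpreter for the three reported package names (using PEP 503 name normalization so spelling variants still match) and lists the user's active crontab entries for manual review. The crontab heuristics (python, hidden paths, /tmp, base64) are an assumption for prioritizing review, not indicators from the disclosure.

```python
"""Triage helper for the three ZiChatBot PyPI packages named in the article."""
import re
import subprocess
from importlib.metadata import distributions

# The three PyPI package names reported by Kaspersky.
ZICHATBOT_PACKAGES = {"uuid32-utils", "colorinal", "termncolor"}


def normalize(name: str) -> str:
    """PEP 503 normalization so 'UUID32_Utils' matches 'uuid32-utils'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def match_packages(installed, watchlist=ZICHATBOT_PACKAGES):
    """installed: iterable of (name, version). Returns {normalized_name: version} for hits."""
    wanted = {normalize(n) for n in watchlist}
    return {normalize(n): v for n, v in installed if normalize(n) in wanted}


def scan_this_interpreter():
    """Enumerate packages visible to the running interpreter and check them."""
    return match_packages((d.metadata.get("Name") or "", d.version) for d in distributions())


def review_crontab(text: str):
    """Return (entry, flagged) for each active crontab line; the flag is a heuristic
    (assumption): python invocations, hidden directories, /tmp/ paths or base64."""
    entries = []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#") or re.match(r"^\w+=", s):
            continue  # blank line, comment, or VAR=value assignment
        flagged = bool(re.search(r"python|/\.|/tmp/|base64", s))
        entries.append((s, flagged))
    return entries


def current_user_crontab() -> str:
    """Read the invoking user's crontab on Linux; empty string if none or unavailable."""
    try:
        r = subprocess.run(["crontab", "-l"], capture_output=True, text=True, check=False)
        return r.stdout if r.returncode == 0 else ""
    except FileNotFoundError:
        return ""


if __name__ == "__main__":
    print("package hits:", scan_this_interpreter())
    for entry, flagged in review_crontab(current_user_crontab()):
        print(("REVIEW  " if flagged else "        ") + entry)
```

Run it once per interpreter on the workstation (system Python, each virtualenv, and any CI runner images); a hit for any of the three names is the trigger for the credential rotation and persistence audit described above.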
The ZiChatBot campaign continues a documented trend of legitimate SaaS platform abuse for C2 communications. Threat actors have previously used Slack, Google Forms, and Telegram as covert instruction channels, selecting platforms pervasive enough in enterprise environments that blocking them would cause operational disruption. Developer workstations remain premium supply-chain targets: compromise of a single developer machine can yield access to source code repositories, cloud infrastructure credentials, and build pipeline secrets, enabling downstream attacks on any organization that deploys the affected developer’s software.
