⚠️ Region Alert: UAE/Middle East
Security researchers have identified a sophisticated supply chain attack on the Python Package Index (PyPI) involving malicious wheel packages linked to the OceanLotus (APT32) group. The campaign, which began in July 2025, used packages such as uuid32-utils and colorinal to deliver a previously undocumented malware family named ZiChatBot. The attack utilized multi-stage droppers to target both Windows and Linux platforms, often concealing malicious intent by nesting infected packages as dependencies within seemingly benign libraries.
ZiChatBot is particularly notable for its command and control (C2) strategy, which eschews traditional infrastructure in favor of the public team chat application Zulip. By leveraging Zulip’s REST APIs for communication, the malware can receive and execute shellcode while blending into legitimate network traffic. This shift toward supply chain tactics and the expansion of targeting into regions like the Middle East demonstrates OceanLotus's evolving strategy to broaden its global impact beyond its traditional Asia-Pacific focus.
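The nested-dependency trick described above is the part a defender can check mechanically: a wheel declares what it pulls in through `Requires-Dist` lines in its `.dist-info/METADATA` file, so a build or mirror step can walk that declared graph and flag any blocklisted project name before anything is installed. The script below is an added example written for this article, not tooling from the researchers or the projects mentioned; the only names taken from the report are `uuid32-utils` and `colorinal`. The wheels it inspects are constructed in memory, and the `INDEX` dictionary is a stand-in for a local package cache or private index.

```python
import io
import re
import zipfile

# Package names taken from the report above. Everything else in this file is constructed.
BLOCKLIST = {"uuid32-utils", "colorinal"}


def normalize(name: str) -> str:
    """PEP 503 name normalization: case-insensitive, runs of '-', '_' or '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def wheel_requirements(wheel_bytes: bytes) -> list[str]:
    """Return normalized project names from the Requires-Dist lines of a wheel's METADATA."""
    names = []
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        for member in zf.namelist():
            if not member.endswith(".dist-info/METADATA"):
                continue
            for line in zf.read(member).decode("utf-8", "replace").splitlines():
                if not line.startswith("Requires-Dist:"):
                    continue
                spec = line.split(":", 1)[1].strip()
                # The project name runs up to the first version/extra/marker character.
                m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", spec)
                if m:
                    names.append(normalize(m.group(0)))
    return names


def flag_wheel(wheel_bytes: bytes) -> list[str]:
    """Direct dependencies of one wheel that match the blocklist."""
    bad = {normalize(b) for b in BLOCKLIST}
    return sorted({n for n in wheel_requirements(wheel_bytes) if n in bad})


def flag_dependency_tree(root_name: str, index: dict[str, bytes]) -> dict[str, list[str]]:
    """Walk declared dependencies through a local name -> wheel map and report each
    blocklisted name with the chain that pulled it in (root first)."""
    bad = {normalize(b) for b in BLOCKLIST}
    root = normalize(root_name)
    hits: dict[str, list[str]] = {}
    seen = {root}
    stack = [(root, [root])]
    while stack:
        name, chain = stack.pop()
        if name not in index:
            continue  # not available locally; a real tool would fetch it here
        for dep in wheel_requirements(index[name]):
            if dep in bad and dep not in hits:
                hits[dep] = chain + [dep]
            if dep in seen:
                continue
            seen.add(dep)
            stack.append((dep, chain + [dep]))
    return hits


def make_wheel(name: str, version: str, requires: list[str]) -> bytes:
    """Construct a minimal wheel (a zip holding only a METADATA file) for demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        lines = ["Metadata-Version: 2.1", f"Name: {name}", f"Version: {version}"]
        lines += [f"Requires-Dist: {r}" for r in requires]
        zf.writestr(f"{name}-{version}.dist-info/METADATA", "\n".join(lines) + "\n")
    return buf.getvalue()


# Constructed sample: a benign-looking wheel that directly requires one blocklisted name.
SAMPLE = make_wheel("example_helper", "1.0.0", ["some-http-lib>=2.0", "Colorinal (>=0.1)", "numpy"])

# Constructed local index: the blocklisted package is two levels down, as the report describes.
INDEX = {
    "nice-lib": make_wheel("nice_lib", "2.0", ["some-http-lib", "helper-tools"]),
    "helper-tools": make_wheel("helper_tools", "0.3", ["uuid32_utils>=1"]),
    "some-http-lib": make_wheel("some_http_lib", "1.0", []),
}

if __name__ == "__main__":
    print("direct hits:", flag_wheel(SAMPLE))
    print("nested hits:", flag_dependency_tree("nice-lib", INDEX))
```

Two things worth noting. Name normalization matters because `uuid32_utils`, `UUID32-Utils` and `uuid32.utils` all resolve to the same PyPI project, so a blocklist compared against raw strings would miss trivial variants. And the walk only sees what a wheel declares; packages that fetch additional code at install or import time are not visible in `Requires-Dist`, which is why this check belongs beside, not instead of, hash-pinned lockfiles and egress monitoring for the chat-service C2 traffic the report describes.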