How to Detect and Analyze PyPI Supply Chain Attacks: The OceanLotus ZiChatBot Case Study

Introduction

Supply chain attacks targeting the Python Package Index (PyPI) have become a favored tactic for advanced threat actors. In a recent campaign, the group known as OceanLotus (also tracked as APT32 or SeaLotus) exploited PyPI to distribute a novel malware family called ZiChatBot. Unlike traditional backdoors, ZiChatBot uses the legitimate Zulip chat API as its command-and-control (C2) infrastructure, evading standard detection methods. This guide walks you through the steps to identify, analyze, and respond to similar supply chain attacks, using the OceanLotus operation as a reference. By following these steps, you can enhance your threat-hunting capabilities and protect your environment from malicious PyPI packages.

How to Detect and Analyze PyPI Supply Chain Attacks: The OceanLotus ZiChatBot Case Study
Source: securelist.com

What You Need

Step-by-Step Guide

Step 1: Monitor PyPI for Suspicious Uploads

Begin by setting up automated monitoring for new or updated packages on PyPI. Use publicly available APIs or services (e.g., PyPI RSS feeds, or tools like pip-audit with custom rules). Look for signs of typosquatting – packages with names similar to popular libraries (e.g., uuid32-utils mimicking uuid, colorinal similar to colorama, termncolor). Check upload dates; in this case, the malicious wheels appeared in July 2025. Pay attention to author email addresses that are from privacy-focused providers like tutamail.com or proton.me – while legitimate, these can be red flags when combined with suspicious naming.

Step 2: Analyze Package Metadata and Download Counts

Examine the PyPI page for each suspicious package. Note the pip install command, file name, first upload date, and author/email. For example, pip install uuid32-utils leads to uuid32_utils-1.x.x-py3-none-[OS platform].whl uploaded on 2025-07-16 by laz****@tutamail.com. Check if the package offers multiple platform-specific wheels (win32, win_amd64, linux_x86_64). This indicates multi-OS targeting. Also look at download statistics – a sudden spike might indicate a targeted push. In OceanLotus’s case, the packages were quickly removed after public disclosure, so low download counts may still indicate malicious intent.

Step 3: Inspect the Wheel Package Contents

Download the wheel file (preferably in a sandbox). Extract the .whl (which is just a zip) and examine its structure. Look for unusual files such as .dll or .so files placed inside. The colorinal package, for instance, contained a shared library that acts as a dropper. Check the setup.py or pyproject.toml for non-standard scripts or data files. Use unzip or 7zip to extract. Note the presence of __init__.py – if it imports the malicious shared library, that’s a strong indicator. Examine the wheel’s metadata (WHEEL, METADATA, RECORD) for anomalies.

Step 4: Reverse Engineer the Dropper Component

Focus on the .dll or .so payload. For Windows, use pefile to extract PE headers, imports, and exports. For Linux, use readelf or radare2. Identify the functionality – in this case, the dropper extracts and runs the final payload (ZiChatBot). Look for strings related to Zulip API endpoints or REST API calls. Use a debugger (x64dbg for Windows, gdb for Linux) to trace execution in a sandbox. The dropper may also check for virtual environments to evade analysis – monitor for anti-debugging tricks.

Step 5: Extract and Analyze the ZiChatBot Payload

The final payload, ZiChatBot, is a previously unknown malware that leverages the Zulip API for C2. Once you have the extracted payload, perform static analysis: parse its configuration for hardcoded Zulip server URLs, authentication tokens, or API keys. Check for encryption routines – ZiChatBot may encrypt its traffic using TLS. Run the malware in a sandbox with network simulation. Observe HTTP requests to Zulip endpoints (e.g., https://api.zulip.com/v1/messages). The bot likely uses a combination of channel subscriptions and message polling to receive commands. Document the API calls, parameters, and response handling.

How to Detect and Analyze PyPI Supply Chain Attacks: The OceanLotus ZiChatBot Case Study
Source: securelist.com

Step 6: Correlate with Threat Intelligence

Submit your findings to attribution engines like Kaspersky Threat Attribution Engine (KTAE) or MITRE ATT&CK. Compare the code structures, tactics, and infrastructure with known OceanLotus campaigns. In this case, KTAE linked the packages to OceanLotus. Look for common indicators: use of privacy-focused emails, similar dropper patterns, targeting of both Windows and Linux, and reliance on legitimate services for C2. Also check for overlaps with previously reported IOCs (IPs, domains, file hashes). This step helps confirm the threat actor and informs defensive actions.

Step 7: Implement Detection and Mitigation

Based on your analysis, develop detection rules. For PyPI packages, create YARA rules that flag packages containing shared libraries with specific strings (e.g., Zulip-related APIs). Set up monitoring for unusual DLL/so files in Python installation directories. Deploy network detection for Zulip API endpoints that are not normally used by internal applications. Consider blocking installation of packages from suspicious authors or email domains. For users, educate developers to verify package authenticity before pip install – especially when the package imitates a popular library. Implement supply chain security tools like pip-audit or use private package repositories with vetting processes.

Tips for Success

Recommended

Discover More

Linux 7.0 Kernel Launches as Age Verification Laws and New Hardware Dominate AprilLinkedIN Faces Austrian Lawsuit Over Paywalled Profile Views: GDPR Violation AllegedGRU Hackers Hijack 18,000 Routers in Global Token Theft CampaignDeclining U.S. Birth Rate Triggers New Political Debate Over Family SupportsHow to Exploit Polymarket: A Guide to Manipulating Prediction Markets