Introduction
Supply chain attacks targeting the Python Package Index (PyPI) have become a favored tactic for advanced threat actors. In a recent campaign, the group known as OceanLotus (also tracked as APT32 or SeaLotus) exploited PyPI to distribute a novel malware family called ZiChatBot. Unlike traditional backdoors, ZiChatBot uses the legitimate Zulip chat API as its command-and-control (C2) infrastructure, evading standard detection methods. This guide walks you through the steps to identify, analyze, and respond to similar supply chain attacks, using the OceanLotus operation as a reference. By following these steps, you can enhance your threat-hunting capabilities and protect your environment from malicious PyPI packages.
What You Need
- A Python environment for testing (preferably isolated, such as a virtual machine or container)
- Access to a package repository like PyPI or an internal mirror
- Static analysis tools: pyew, pefile, radare2, or Ghidra
- Dynamic analysis sandbox (e.g., Cuckoo Sandbox, CAPE)
- Network monitoring tools (Wireshark, tcpdump)
- Threat intelligence feeds and attribution engines (like Kaspersky Threat Attribution Engine)
- A REST API client (Postman) for testing Zulip endpoints (if applicable)
- Basic familiarity with Python packaging and malware analysis
Step-by-Step Guide
Step 1: Monitor PyPI for Suspicious Uploads
Begin by setting up automated monitoring for new or updated packages on PyPI. Use publicly available APIs or services (e.g., PyPI RSS feeds, or tools like pip-audit with custom rules). Look for signs of typosquatting – packages with names similar to popular libraries (e.g., uuid32-utils mimicking uuid, colorinal similar to colorama, termncolor). Check upload dates; in this case, the malicious wheels appeared in July 2025. Pay attention to author email addresses that are from privacy-focused providers like tutamail.com or proton.me – while legitimate, these can be red flags when combined with suspicious naming.
Step 2: Analyze Package Metadata and Download Counts
Examine the PyPI page for each suspicious package. Note the pip install command, file name, first upload date, and author/email. For example, pip install uuid32-utils leads to uuid32_utils-1.x.x-py3-none-[OS platform].whl uploaded on 2025-07-16 by laz****@tutamail.com. Check if the package offers multiple platform-specific wheels (win32, win_amd64, linux_x86_64). This indicates multi-OS targeting. Also look at download statistics – a sudden spike might indicate a targeted push. In OceanLotus’s case, the packages were quickly removed after public disclosure, so low download counts may still indicate malicious intent.
Step 3: Inspect the Wheel Package Contents
Download the wheel file (preferably in a sandbox). Extract the .whl (which is just a zip) and examine its structure. Look for unusual files such as .dll or .so files placed inside. The colorinal package, for instance, contained a shared library that acts as a dropper. Check the setup.py or pyproject.toml for non-standard scripts or data files. Use unzip or 7zip to extract. Note the presence of __init__.py – if it imports the malicious shared library, that’s a strong indicator. Examine the wheel’s metadata (WHEEL, METADATA, RECORD) for anomalies.
Step 4: Reverse Engineer the Dropper Component
Focus on the .dll or .so payload. For Windows, use pefile to extract PE headers, imports, and exports. For Linux, use readelf or radare2. Identify the functionality – in this case, the dropper extracts and runs the final payload (ZiChatBot). Look for strings related to Zulip API endpoints or REST API calls. Use a debugger (x64dbg for Windows, gdb for Linux) to trace execution in a sandbox. The dropper may also check for virtual environments to evade analysis – monitor for anti-debugging tricks.
Step 5: Extract and Analyze the ZiChatBot Payload
The final payload, ZiChatBot, is a previously unknown malware that leverages the Zulip API for C2. Once you have the extracted payload, perform static analysis: parse its configuration for hardcoded Zulip server URLs, authentication tokens, or API keys. Check for encryption routines – ZiChatBot may encrypt its traffic using TLS. Run the malware in a sandbox with network simulation. Observe HTTP requests to Zulip endpoints (e.g., https://api.zulip.com/v1/messages). The bot likely uses a combination of channel subscriptions and message polling to receive commands. Document the API calls, parameters, and response handling.
Step 6: Correlate with Threat Intelligence
Submit your findings to attribution engines like Kaspersky Threat Attribution Engine (KTAE) or MITRE ATT&CK. Compare the code structures, tactics, and infrastructure with known OceanLotus campaigns. In this case, KTAE linked the packages to OceanLotus. Look for common indicators: use of privacy-focused emails, similar dropper patterns, targeting of both Windows and Linux, and reliance on legitimate services for C2. Also check for overlaps with previously reported IOCs (IPs, domains, file hashes). This step helps confirm the threat actor and informs defensive actions.
Step 7: Implement Detection and Mitigation
Based on your analysis, develop detection rules. For PyPI packages, create YARA rules that flag packages containing shared libraries with specific strings (e.g., Zulip-related APIs). Set up monitoring for unusual DLL/so files in Python installation directories. Deploy network detection for Zulip API endpoints that are not normally used by internal applications. Consider blocking installation of packages from suspicious authors or email domains. For users, educate developers to verify package authenticity before pip install – especially when the package imitates a popular library. Implement supply chain security tools like pip-audit or use private package repositories with vetting processes.
Tips for Success
- Always use an isolated environment when testing suspicious packages to avoid accidental infection.
- Keep your threat intelligence feeds up to date – OceanLotus is known for evolving its techniques, so new variants may not use PyPI but other package repositories like npm or NuGet.
- Leverage community reporting: if you discover malicious packages, report them to PyPI maintainers and share IOCs via platforms like VirusTotal or MISP. Prompt removal reduces exposure.
- Monitor for dependencies: In this campaign, the attacker used a benign-looking package that depended on the malicious one. Check your
requirements.txtfor hidden dependencies. - Practice defense in depth: Since ZiChatBot uses legitimate APIs (Zulip), traditional C2 detection may fail. Combine behavioral detection (unexpected outbound connections to chat services) with static analysis.
- Regularly audit your Python environment using tools like
pip listand compare against known malicious hashes. - Understand the attackers’ intent: OceanLotus typically targets Southeast Asian entities. If your organization fits that profile, be extra vigilant.