{"id":2929,"date":"2026-05-06T13:05:27","date_gmt":"2026-05-06T13:05:27","guid":{"rendered":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/06\/oceanlotus-suspected-of-using-pypi-to-deliver-zichatbot-malware\/"},"modified":"2026-05-06T13:05:27","modified_gmt":"2026-05-06T13:05:27","slug":"oceanlotus-suspected-of-using-pypi-to-deliver-zichatbot-malware","status":"publish","type":"post","link":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/06\/oceanlotus-suspected-of-using-pypi-to-deliver-zichatbot-malware\/","title":{"rendered":"OceanLotus suspected of using PyPI to deliver ZiChatBot malware"},"content":{"rendered":"<div>\n<p><img width=\"990\" height=\"400\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/04194912\/SL-OceanLotus-featured-990x400.jpg\" class=\"attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image\" alt=\"\" decoding=\"async\" loading=\"lazy\"><\/p>\n<h2 id=\"introduction\">Introduction<\/h2>\n<p>Through our daily threat hunting, we <a href=\"https:\/\/x.com\/SethKingHi\/status\/1949158614700040572\" target=\"_blank\" rel=\"noopener\">noticed<\/a> that, beginning in July 2025, a series of malicious <a href=\"https:\/\/pypi.org\/project\/wheel\/\" target=\"_blank\" rel=\"noopener\">wheel<\/a> packages were uploaded to PyPI (the Python Package Index). We shared this information with the public security community, and the malware was removed from the repository. We submitted the samples to <a href=\"https:\/\/www.kaspersky.com\/enterprise-security\/threat-analysis?icid=gl_sl_threat-analysis-lnk_sm-team_ac4d6b2bf27709dd\" target=\"_blank\" rel=\"noopener\">Kaspersky Threat Attribution Engine (KTAE)<\/a> for analysis. Based on the results, we believe the packages may be linked to malware discussed in a <a href=\"https:\/\/www.kaspersky.com\/enterprise-security\/threat-intelligence\" target=\"_blank\" rel=\"noopener\">Threat Intelligence<\/a> report on OceanLotus. 
<\/p>\n<p>While these wheel packages do implement the features described on their PyPI web pages, their true purpose is to covertly deliver malicious files. These files can be either .DLL or .SO (Linux shared library), indicating the packages\u2019 ability to target both Windows and Linux platforms. They function as droppers, delivering the final payload \u2013 a previously unknown malware family that we have named <code>ZiChatBot<\/code>. Unlike traditional malware, ZiChatBot does not communicate with a dedicated command and control (C2) server, but instead uses a series of REST APIs from the public team chat app Zulip as its C2 infrastructure.<\/p>\n<p>To conceal the malicious package containing ZiChatBot, the attacker created another benign-looking package that included the malicious package as a dependency. Based on these facts, we confirm that this campaign is a carefully planned and executed PyPI supply chain attack.<\/p>\n<h2 id=\"technical-details\">Technical details<\/h2>\n<h3 id=\"spreading\">Spreading<\/h3>\n<p>The attacker created three projects on PyPI and uploaded malicious wheel packages designed to imitate popular libraries, tricking users into downloading them. This is a clear example of a supply chain attack via PyPI. 
See below for detailed information about the fake libraries and their corresponding wheel packages.<\/p>\n<h4 id=\"malicious-wheel-packages\">Malicious wheel packages<\/h4>\n<p>The packages added by the attacker and listed on PyPI\u2019s download pages are:<\/p>\n<ul>\n<li><code>uuid32-utils<\/code> library for generating a 32-character random string as a UUID<\/li>\n<li><code>colorinal<\/code> library for implementing cross-platform color terminal text<\/li>\n<li><code>termncolor<\/code> library for ANSI color format for terminal output<\/li>\n<\/ul>\n<p>The key metadata for these packages is as follows:<\/p>\n<table>\n<tbody>\n<tr>\n<td><strong>Pip install command<\/strong><\/td>\n<td><strong>File name<\/strong><\/td>\n<td><strong>First upload date<\/strong><\/td>\n<td><strong>Author \/ Email<\/strong><\/td>\n<\/tr>\n<tr>\n<td>pip install uuid32-utils<\/td>\n<td>uuid32_utils-1.x.x-py3-none-[OS platform].whl<\/td>\n<td>2025-07-16<\/td>\n<td>laz**** \/ laz****@tutamail.com<\/td>\n<\/tr>\n<tr>\n<td>pip install colorinal<\/td>\n<td>colorinal-0.1.7-py3-none-[OS platform].whl<\/td>\n<td>2025-07-22<\/td>\n<td>sym**** \/ sym****@proton.me<\/td>\n<\/tr>\n<tr>\n<td>pip install termncolor<\/td>\n<td>termncolor-3.1.0-py3-none-any.whl<\/td>\n<td>2025-07-22<\/td>\n<td>sym**** \/ sym****@proton.me<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Based on the distribution information on the PyPI web page, we can see that it offers x86 and x64 versions for Windows, as well as an x86_64 version for Linux. 
The <code>colorinal<\/code> project, for example, provides the following download options:<\/p>\n<div id=\"attachment_119604\" style=\"width: 746px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/29095724\/oceanlotus1.png\" class=\"magnificImage\"><img fetchpriority=\"high\" decoding=\"async\" aria-describedby=\"caption-attachment-119604\" class=\"size-full wp-image-119604\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/29095724\/oceanlotus1.png\" alt=\"Distribution information of the colorinal project\" width=\"736\" height=\"327\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/29095724\/oceanlotus1.png 736w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/29095724\/oceanlotus1-300x133.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/29095724\/oceanlotus1-630x280.png 630w\" sizes=\"(max-width: 736px) 100vw, 736px\"><\/a><\/p>\n<p id=\"caption-attachment-119604\" class=\"wp-caption-text\">Distribution information of the colorinal project<\/p>\n<\/div>\n<h4 id=\"initial-infection\">Initial infection<\/h4>\n<p>The <code>uuid32-utils<\/code> and <code>colorinal<\/code> libraries employ similar infection chains and malicious payloads. As a result, this analysis will focus on the <code>colorinal<\/code> library as a representative example.<\/p>\n<p>A quick look at the code of the third library, <code>termncolor<\/code>, reveals no apparent malicious content. However, it imports the malicious <code>colorinal<\/code> library as a dependency. 
This method allows attackers to deeply conceal malware, making the <code>termncolor<\/code> library appear harmless when distributing it or luring targets.<\/p>\n<div id=\"attachment_119605\" style=\"width: 998px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/29100022\/oceanlotus2.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-119605\" class=\"size-full wp-image-119605\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/29100022\/oceanlotus2.png\" alt=\"The termncolor library imports the malicious colorinal library\" width=\"988\" height=\"303\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/29100022\/oceanlotus2.png 988w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/29100022\/oceanlotus2-300x92.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/29100022\/oceanlotus2-768x236.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/29100022\/oceanlotus2-740x227.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/29100022\/oceanlotus2-913x280.png 913w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/29100022\/oceanlotus2-800x245.png 800w\" sizes=\"auto, (max-width: 988px) 100vw, 988px\"><\/a><\/p>\n<p id=\"caption-attachment-119605\" class=\"wp-caption-text\">The termncolor library imports the malicious colorinal library<\/p>\n<\/div>\n<p>During the initial infection stage, the Python code is nearly identical across both Windows and Linux platforms. 
Here, we analyze the Windows version as an example.<\/p>\n<h4 id=\"windows-version\">Windows version<\/h4>\n<p>Once a Python user downloads and installs the <code>colorinal-0.1.7-py3-none-win_amd64.whl<\/code> wheel package file, or installs it using the <code>pip<\/code> tool, ZiChatBot\u2019s dropper (a file named <code>terminate.dll<\/code>) will be extracted from the wheel package and placed on the victim\u2019s hard drive.<\/p>\n<p>After that, if the <code>colorinal<\/code> library is imported into the victim\u2019s project, the Python script file at [Python library installation path]\\colorinal-0.1.7-py3-none-win_amd64\\colorinal\\__init__.py will be executed first.<\/p>\n<div id=\"attachment_119606\" style=\"width: 837px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/29100308\/oceanlotus3.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-119606\" class=\"size-full wp-image-119606\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/29100308\/oceanlotus3.png\" alt=\"The __init__.py script imports the malicious file unicode.py\" width=\"827\" height=\"144\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/29100308\/oceanlotus3.png 827w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/29100308\/oceanlotus3-300x52.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/29100308\/oceanlotus3-768x134.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/29100308\/oceanlotus3-740x129.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/29100308\/oceanlotus3-800x139.png 800w\" sizes=\"auto, (max-width: 827px) 100vw, 827px\"><\/a><\/p>\n<p id=\"caption-attachment-119606\" class=\"wp-caption-text\">The 
__init__.py script imports the malicious file unicode.py<\/p>\n<\/div>\n<p>This Python script imports and executes another script located at [python library install path]\\colorinal-0.1.7-py3-none-win_amd64\\colorinal\\unicode.py. The <code>is_color_supported()<\/code> function in <code>unicode.py<\/code> is called immediately.<\/p>\n<div id=\"attachment_119607\" style=\"width: 887px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/29100524\/oceanlotus4.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-119607\" class=\"size-full wp-image-119607\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/29100524\/oceanlotus4.png\" alt=\"The code loads the dropper into the host Python process\" width=\"877\" height=\"631\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/29100524\/oceanlotus4.png 877w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/29100524\/oceanlotus4-300x216.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/29100524\/oceanlotus4-768x553.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/29100524\/oceanlotus4-486x350.png 486w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/29100524\/oceanlotus4-740x532.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/29100524\/oceanlotus4-389x280.png 389w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/29100524\/oceanlotus4-800x576.png 800w\" sizes=\"auto, (max-width: 877px) 100vw, 877px\"><\/a><\/p>\n<p id=\"caption-attachment-119607\" class=\"wp-caption-text\">The code loads the dropper into the host Python process<\/p>\n<\/div>\n<p>The comment in the 
<code>is_color_supported()<\/code> function states that the highlighted code checks whether the user\u2019s terminal environment supports color. The code actually loads the <code>terminate.dll<\/code> file into the Python process and then invokes the DLL\u2019s exported function <code>envir<\/code>, passing the UTF-8-encoded string <code>xterminalunicode<\/code> as a parameter. The DLL acts as a dropper, delivering the final payload, <code>ZiChatBot<\/code>, and then deletes itself. At the end of the <code>is_color_supported()<\/code> function, the <code>unicode.py<\/code> script file is also removed. These steps eliminate all malicious files in the library and deploy <code>ZiChatBot<\/code>.<br \/>\nFor the Linux platform, the wheel package and the <code>unicode.py<\/code> Python script are nearly identical to the Windows version. The only difference is that the dropper file is named \u201cterminate.so\u201d.<\/p>\n<h3 id=\"dropper-for-zichatbot\">Dropper for ZiChatBot<\/h3>\n<p>From the previous analysis, we learned that the dropper is loaded into the host Python process by a Python script and then activated. The main logic of the dropper is implemented in the <code>envir<\/code> export function to achieve three objectives:<\/p>\n<ol>\n<li>Deploy <code>ZiChatBot<\/code>.<\/li>\n<li>Establish an auto-run mechanism.<\/li>\n<li>Execute shellcode to remove the dropper file (terminate.dll) and the malicious script file from the installed library folder.<\/li>\n<\/ol>\n<p>The dropper first decrypts sensitive strings using AES in CBC mode. The key is the string-type parameter \u201cxterminalunicode\u201d of the exported function. The decrypted strings are \u201clibcef.dll\u201d, \u201cvcpacket\u201d, \u201cpkt-update\u201d, and \u201cvcpktsvr.exe\u201d.<\/p>\n<p>Next, the malware uses the same algorithm to decrypt the embedded data related to <code>ZiChatBot<\/code>. 
It then decompresses the decrypted data with LZMA to retrieve the files <code>vcpktsvr.exe<\/code> and <code>libcef.dll<\/code> associated with <code>ZiChatBot<\/code>. The malware creates a folder named vcpacket in the system directory <code>%LOCALAPPDATA%<\/code>, and places these files into it.<\/p>\n<p>To establish persistence for ZiChatBot, the dropper creates the following auto-run entry in the registry:<\/p>\n<pre class=\"urvanov-syntax-highlighter-plain-tag\">[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]\r\n\"pkt-update\"=\"C:\\Users\\[User name]\\AppData\\Local\\vcpacket\\vcpktsvr.exe\"<\/pre>\n<p>Once preparations are complete, the malware uses the XOR algorithm to decrypt the embedded shellcode with the three-byte key <code>3a7<\/code>. It then searches the decrypted shellcode\u2019s memory for the string <code>Policy.dllcppage.dll<\/code> and replaces it with its own file name, <code>terminate.dll<\/code>, and redirects execution to the shellcode\u2019s memory space.<\/p>\n<p>The shellcode uses a djb2-like hash of API names to locate the addresses of the APIs it needs. Using these APIs, it finds the dropper file by the name <code>terminate.dll<\/code>, which the DLL passed in earlier, then unloads and deletes it.<\/p>\n<h4 id=\"linux-version\">Linux version<\/h4>\n<p>The Linux version of the dropper places <code>ZiChatBot<\/code> in the path <code>\/tmp\/obsHub\/obs-check-update<\/code> and then creates an auto-run job using <code>crontab<\/code>. 
Unlike the Windows version, the Linux version of <code>ZiChatBot<\/code> only consists of one ELF executable file.<\/p>\n<pre class=\"urvanov-syntax-highlighter-plain-tag\">system(\"chmod +x \/tmp\/obsHub\/obs-check-update\") \r\nsystem(\"echo \\\"5 * * * * \/tmp\/obsHub\/obs-check-update\\\" | crontab - \")<\/pre>\n<h3 id=\"zichatbot\">ZiChatBot<\/h3>\n<p>The Windows version of ZiChatBot is a DLL file (<code>libcef.dll<\/code>) that is loaded by the legitimate executable <code>vcpktsvr.exe<\/code> (hash: 48be833b0b0ca1ad3cf99c66dc89c3f4). The DLL contains several export functions, with the malicious code implemented in the <code>cef_api_mash<\/code> export. Once the DLL is loaded, this function is invoked by the EXE file. ZiChatBot uses the REST APIs from Zulip, a public team chat application, as its command and control server.<\/p>\n<p>ZiChatBot is capable of executing shellcode received from the server and only supports this one control command. Once it runs, it initiates a series of sequential HTTP requests to the Zulip REST API.<\/p>\n<p>In each HTTP request, an API authentication token is included as an HTTP header for server-side authentication, as shown below.<\/p>\n<pre class=\"urvanov-syntax-highlighter-plain-tag\">\/\/ Auth token:\r\nTW9yaWFuLWJvdEBoZWxwZXIuenVsaXBjaGF0LmNvbTpVOFJFWGxJNktmOHFYQjlyUXpPUEJpSUE0YnJKNThxRw==\r\n\r\n\/\/ Decoded Auth token\r\nMorian-bot@helper.zulipchat.com:U8REXlI6Kf8qXB9rQzOPBiIA4brJ58qG<\/pre>\n<p>ZiChatBot utilizes two separate channel-topic pairs for its operations. One pair transmits current system information, and the other retrieves a message containing shellcode. Once the shellcode is received, a new thread is created to execute it. 
After executing the command, a <code>heart<\/code> emoji is sent in response to the original message to indicate the execution was successful.<\/p>\n<h2 id=\"infrastructure\">Infrastructure<\/h2>\n<p>We did not find any traditional infrastructure, such as compromised servers or commercial VPS services and their associated IPs and domains. Instead, the malicious wheel packages were uploaded to the Python Package Index (PyPI), a public, shared Python library. The malware, ZiChatBot, leverages Zulip\u2019s public team chat REST APIs as its command and control server.<\/p>\n<p>The \u201chelper\u201d organization that the attacker had registered on the Zulip service has now been officially deactivated by Zulip. However, infected devices may still attempt to connect to the service, so to help you locate and cure them, we recommend adding the full URL <code>helper.zulipchat.com<\/code> to your denylist.<\/p>\n<h2 id=\"victims\">Victims<\/h2>\n<p>The malware was uploaded in July 2025. Upon discovering these attacks, we quickly released an update for our product to detect the relevant files and shared the necessary information with the public security community. As a result, the malicious software was swiftly removed from PyPI, and the organization registered on the Zulip service was officially deactivated. 
To date, we have not observed any infections based on our telemetry or public reports.<\/p>\n<div id=\"attachment_119608\" style=\"width: 743px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/29102447\/oceanlotus5.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-119608\" class=\"size-full wp-image-119608\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/29102447\/oceanlotus5.png\" width=\"733\" height=\"352\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/29102447\/oceanlotus5.png 733w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/29102447\/oceanlotus5-300x144.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/29102447\/oceanlotus5-729x350.png 729w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/29102447\/oceanlotus5-583x280.png 583w\" sizes=\"auto, (max-width: 733px) 100vw, 733px\"><\/a><\/p>\n<p id=\"caption-attachment-119608\" class=\"wp-caption-text\">Zulip has officially deactivated the \u201chelper\u201d organization<\/p>\n<\/div>\n<h2 id=\"attribution\">Attribution<\/h2>\n<p>Based on the results from our <a href=\"https:\/\/www.kaspersky.com\/enterprise-security\/threat-analysis?icid=gl_sl_threat-analysis-lnk_sm-team_ac4d6b2bf27709dd\" target=\"_blank\" rel=\"noopener\">KTAE<\/a> system, the dropper used by ZiChatBot shows a 64% similarity to another dropper we analyzed in a TI report, which was linked to OceanLotus. 
Reverse engineering shows that both droppers use nearly identical algorithms and logic to decrypt and decompress their embedded payloads.<\/p>\n<div id=\"attachment_119609\" style=\"width: 956px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/29102537\/oceanlotus6.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-119609\" class=\"size-full wp-image-119609\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/29102537\/oceanlotus6.png\" alt=\"Analysis results of dropper using KTAE system\" width=\"946\" height=\"100\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/29102537\/oceanlotus6.png 946w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/29102537\/oceanlotus6-300x32.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/29102537\/oceanlotus6-768x81.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/29102537\/oceanlotus6-740x78.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/29102537\/oceanlotus6-800x85.png 800w\" sizes=\"auto, (max-width: 946px) 100vw, 946px\"><\/a><\/p>\n<p id=\"caption-attachment-119609\" class=\"wp-caption-text\">Analysis results of dropper using KTAE system<\/p>\n<\/div>\n<h2 id=\"conclusions\">Conclusions<\/h2>\n<p>As an active APT organization, OceanLotus primarily targets victims in the Asia-Pacific region. However, our previous reports have highlighted a growing trend of the group expanding its activities into the Middle East. Moreover, the attacks described in this report \u2013 executed through PyPI \u2013 target Python users worldwide. 
This demonstrates OceanLotus\u2019s ongoing effort to broaden its attack scope.<\/p>\n<p>In the first half of 2025, a public <a href=\"https:\/\/gbhackers.com\/apt32-turns-github-into-a-weapon-against-security-teams\/\" target=\"_blank\" rel=\"noopener\">report<\/a> revealed that the group launched a phishing campaign using GitHub. The recent PyPI-based supply chain attack likely continues this strategy. Although phishing emails are still a common initial infection method for OceanLotus, the group is also actively exploring new ways to compromise victims through diverse supply chain attacks.<\/p>\n<h2 id=\"indicators-of-compromise\">Indicators of compromise<\/h2>\n<p>Additional information about this activity, including indicators of compromise, is available to customers of the <a href=\"https:\/\/www.kaspersky.com\/enterprise-security\/services?icid=gl_sl_ti-lnk_sm-team_63057f3138f7f09f#threat-intelligence\" target=\"_blank\" rel=\"noopener\">Kaspersky Intelligence Reporting Service<\/a>. 
If you are interested, please contact <a href=\"mailto:intelreports@kaspersky.com\" target=\"_blank\" rel=\"noopener\">intelreports@kaspersky.com<\/a>.<\/p>\n<p><strong>Malicious wheel packages<\/strong><br \/>\n<em>termncolor-3.1.0-py3-none-any.whl<\/em><br \/>\n<em>uuid32_utils-1.x.x-py3-none-xxxx.whl<\/em><br \/>\n<em>colorinal-0.1.7-py3-none-xxxx.whl<\/em><\/p>\n<p><strong>Dropper for ZiChatBot<\/strong><br \/>\n<em>Backward.dll<\/em><br \/>\n<em>Backward.so<\/em><br \/>\n<em>terminate.dll<\/em><br \/>\n<em>terminate.so<\/em><\/p>\n<p><strong>ZiChatBot<\/strong><br \/>\n<em>libcef.dll<\/em><\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Introduction Through our daily threat hunting, we noticed that, beginning in July 2025, a series of malicious wheel packages were uploaded to PyPI (the Python Package Index). We shared this information with the public security community, and the malware was removed from the repository. 
We submitted the samples to Kaspersky Threat Attribution Engine (KTAE) for [&hellip;]<\/p>\n","protected":false}}
malware\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.ibvl.in\/#website\",\"url\":\"https:\/\/blog.ibvl.in\/\",\"name\":\"Imperative Business Ventures Limited\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.ibvl.in\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\",\"name\":\"admin\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g\",\"caption\":\"admin\"},\"sameAs\":[\"https:\/\/blog.ibvl.in\"],\"url\":\"https:\/\/blog.ibvl.in\/index.php\/author\/admin_hcbs9yw6\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"OceanLotus suspected of using PyPI to deliver ZiChatBot malware - Imperative Business Ventures Limited","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/06\/oceanlotus-suspected-of-using-pypi-to-deliver-zichatbot-malware\/","og_locale":"en_US","og_type":"article","og_title":"OceanLotus suspected of using PyPI to deliver ZiChatBot malware - Imperative Business Ventures Limited","og_description":"Introduction Through our daily threat hunting, we noticed that, beginning in July 2025, a series of malicious wheel packages were uploaded to PyPI (the Python Package Index). 
We shared this information with the public security community, and the malware was removed from the repository. We submitted the samples to Kaspersky Threat Attribution Engine (KTAE) for [&hellip;]","og_url":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/06\/oceanlotus-suspected-of-using-pypi-to-deliver-zichatbot-malware\/","og_site_name":"Imperative Business Ventures Limited","article_published_time":"2026-05-06T13:05:27+00:00","og_image":[{"url":"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/04194912\/SL-OceanLotus-featured-990x400.jpg","type":"","width":"","height":""}],"author":"admin","twitter_card":"summary_large_image","twitter_misc":{"Written by":"admin","Est. reading time":"9 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/06\/oceanlotus-suspected-of-using-pypi-to-deliver-zichatbot-malware\/#article","isPartOf":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/06\/oceanlotus-suspected-of-using-pypi-to-deliver-zichatbot-malware\/"},"author":{"name":"admin","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02"},"headline":"OceanLotus suspected of using PyPI to deliver ZiChatBot malware","datePublished":"2026-05-06T13:05:27+00:00","mainEntityOfPage":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/06\/oceanlotus-suspected-of-using-pypi-to-deliver-zichatbot-malware\/"},"wordCount":1760,"image":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/06\/oceanlotus-suspected-of-using-pypi-to-deliver-zichatbot-malware\/#primaryimage"},"thumbnailUrl":"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/04194912\/SL-OceanLotus-featured-990x400.jpg","keywords":["Cybersecurity"],"articleSection":["APT","APT (Targeted attacks)","APT reports","Cybersecurity","GReAT research","Malware","Malware descriptions","Malware Technologies","OceanLotus","Python","Supply-chain attack","Targeted 
attacks","ZiChatBot"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/06\/oceanlotus-suspected-of-using-pypi-to-deliver-zichatbot-malware\/","url":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/06\/oceanlotus-suspected-of-using-pypi-to-deliver-zichatbot-malware\/","name":"OceanLotus suspected of using PyPI to deliver ZiChatBot malware - Imperative Business Ventures Limited","isPartOf":{"@id":"https:\/\/blog.ibvl.in\/#website"},"primaryImageOfPage":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/06\/oceanlotus-suspected-of-using-pypi-to-deliver-zichatbot-malware\/#primaryimage"},"image":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/06\/oceanlotus-suspected-of-using-pypi-to-deliver-zichatbot-malware\/#primaryimage"},"thumbnailUrl":"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/04194912\/SL-OceanLotus-featured-990x400.jpg","datePublished":"2026-05-06T13:05:27+00:00","author":{"@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02"},"breadcrumb":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/06\/oceanlotus-suspected-of-using-pypi-to-deliver-zichatbot-malware\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.ibvl.in\/index.php\/2026\/05\/06\/oceanlotus-suspected-of-using-pypi-to-deliver-zichatbot-malware\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/06\/oceanlotus-suspected-of-using-pypi-to-deliver-zichatbot-malware\/#primaryimage","url":"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/04194912\/SL-OceanLotus-featured-990x400.jpg","contentUrl":"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/04194912\/SL-OceanLotus-featured-990x400.jpg"},{"@type":"BreadcrumbList","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/06\/oceanlotus-suspected-of-using-pypi-to-deliver-zichat
bot-malware\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.ibvl.in\/"},{"@type":"ListItem","position":2,"name":"OceanLotus suspected of using PyPI to deliver ZiChatBot malware"}]},{"@type":"WebSite","@id":"https:\/\/blog.ibvl.in\/#website","url":"https:\/\/blog.ibvl.in\/","name":"Imperative Business Ventures Limited","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.ibvl.in\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02","name":"admin","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g","caption":"admin"},"sameAs":["https:\/\/blog.ibvl.in"],"url":"https:\/\/blog.ibvl.in\/index.php\/author\/admin_hcbs9yw6\/"}]}},"_links":{"self":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts\/2929","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/comments?post=2929"}],"version-history":[{"count":0,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts\/2929\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/media?parent=2929"}],"
wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/categories?post=2929"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/tags?post=2929"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}