By Lyrie Threat Intelligence·5/6/2026

The Zulip Trap: OceanLotus APT Hides ZiChatBot C2 in Public Chat APIs

TL;DR

OceanLotus APT deployed three malicious Python packages (uuid32-utils, colorinal, termncolor) on PyPI since July 2025, infecting developers with ZiChatBot—a novel malware that uses Zulip team-chat APIs instead of traditional C2 servers. Both Windows and Linux targets confirmed; infrastructure remains active.

What Happened

Kaspersky researchers discovered a sophisticated supply-chain attack targeting Python developers through PyPI. Beginning in July 2025, threat actors uploaded three seemingly legitimate packages disguised as utility libraries:

  • uuid32-utils — UUID generation library
  • colorinal — Color terminal output (primary dropper)
  • termncolor — ANSI terminal formatting (dependency-based delivery)

The packages implement their advertised functionality to evade basic code review, but contain hidden DLL/SO droppers that deliver the previously unknown malware family ZiChatBot. The termncolor package specifically uses colorinal as a dependency, allowing attackers to obscure the malicious package within a benign wrapper—a technique known as dependency confusion via nesting.

Once installed and imported, the malicious Python module executes code that:

1. Loads an embedded DLL (Windows) or .SO (Linux) dropper named terminate.dll/terminate.so

2. Executes the dropper via ctypes, passing the string "xterminalunicode" as the decryption key

3. Deploys ZiChatBot payload (vcpktsvr.exe + libcef.dll on Windows)

4. Establishes persistence via Windows Registry auto-run entry

5. Self-destructs all traces from the Python library directory

The packages gained traction despite being uploaded under suspicious email addresses (tutamail.com, proton.me) and were downloaded by developers before removal from PyPI.

Technical Details

Delivery Chain

  • Initial Vector: pip install colorinal or as transitive dependency from termncolor
  • Dropper Execution: Python __init__.py imports unicode.py → calls is_color_supported() → loads terminate.dll via ctypes
  • AES Decryption: Dropper uses AES-CBC with key "xterminalunicode" to decrypt payload strings
  • LZMA Decompression: Encrypted payload decompressed to extract final ZiChatBot binaries
  • Persistence: Registry entry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run → vcpktsvr.exe
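The delivery chain above boils down to one structural tell that a defender can hunt for without a signature: a pure-Python package that ships its own native library and loads it from its package directory via ctypes. The following is an added example, not code from the article or from Kaspersky, that audits a site-packages tree for exactly that pattern and also reports anything whose name matches the package names the article lists. The fixture it builds is constructed from the file and package names in the text and contains no payload (the "terminate.dll" it creates is an empty placeholder); the heuristic itself is generic triage logic, not Kaspersky's detection.

```python
"""
Added example, not code from the article or from Kaspersky: a static audit of
a site-packages tree for the delivery pattern described above, namely a
pure-Python package that ships a native library and loads it from its own
directory via ctypes. The fixture is constructed from the file and package
names in the article and contains no payload; the scanner is a generic
triage heuristic, not Kaspersky's detection logic.
"""
import ast
import tempfile
from pathlib import Path
from typing import Dict, List

NATIVE_EXT = {".dll", ".so", ".dylib"}
CTYPES_LOADERS = {"CDLL", "WinDLL", "PyDLL", "OleDLL", "LoadLibrary"}
# Package names the article lists as indicators (both spellings of the first).
KNOWN_BAD = {"uuid32-utils", "uuid32_utils", "colorinal", "termncolor"}


def ctypes_load_lines(tree: ast.AST) -> List[int]:
    """Line numbers of calls such as ctypes.CDLL(...) or windll.LoadLibrary(...)."""
    hits = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            func = node.func
            name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
            if name in CTYPES_LOADERS:
                hits.append(node.lineno)
    return hits


def audit_site_packages(root: str) -> List[Dict]:
    """Report top-level packages that ship a native library AND load one via
    ctypes, plus anything whose name matches a published indicator."""
    findings = []
    for pkg in sorted(Path(root).iterdir()):
        if not pkg.is_dir() or pkg.name.endswith(".dist-info"):
            continue
        native = sorted(p.name for p in pkg.rglob("*") if p.suffix.lower() in NATIVE_EXT)
        loaders = {}
        for py in sorted(pkg.rglob("*.py")):
            try:
                tree = ast.parse(py.read_text(encoding="utf-8", errors="replace"))
            except SyntaxError:
                continue  # unparsable file; a production scanner would flag this too
            lines = ctypes_load_lines(tree)
            if lines:
                loaders[str(py.relative_to(pkg))] = lines
        reasons = []
        if pkg.name in KNOWN_BAD:
            reasons.append("name matches a published indicator")
        if native and loaders:
            reasons.append("bundled native library loaded via ctypes")
        if reasons:
            findings.append({"package": pkg.name, "native": native,
                             "ctypes_loaders": loaders, "reasons": reasons})
    return findings


def build_fixture(root: str) -> None:
    """Constructed fixture: one benign package and one with the described shape."""
    good = Path(root) / "goodlib"
    good.mkdir()
    (good / "__init__.py").write_text("def hello():\n    return 'hi'\n")

    sus = Path(root) / "colorinal"
    sus.mkdir()
    (sus / "terminate.dll").write_bytes(b"")  # empty placeholder, not a real library
    (sus / "__init__.py").write_text("from .unicode import is_color_supported\n")
    (sus / "unicode.py").write_text(
        "import ctypes, os\n"
        "def is_color_supported():\n"
        "    ctypes.CDLL(os.path.join(os.path.dirname(__file__), 'terminate.dll'))\n"
        "    return True\n"
    )


def run_demo() -> List[Dict]:
    """Build the fixture in a temp dir and return the audit findings."""
    with tempfile.TemporaryDirectory() as root:
        build_fixture(root)
        return audit_site_packages(root)


if __name__ == "__main__":
    for f in run_demo():
        print(f["package"], "->", "; ".join(f["reasons"]), f["ctypes_loaders"])
```

Point `audit_site_packages()` at each interpreter's site-packages directory (`python -c "import site; print(site.getsitepackages())"`) on build agents and developer machines. Legitimate wrappers around C libraries also ship a .so/.dll and load it through ctypes, so treat a hit as a triage item to diff against the package's upstream source rather than as a verdict.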

Novel C2 Infrastructure: Zulip APIs

Unlike traditional APTs that deploy dedicated C2 servers (and risk detection), ZiChatBot communicates exclusively through REST APIs from Zulip, a public open-source team-chat platform. This technique:

  • Blends with legitimate cloud traffic
  • Avoids DNS-based detection
  • Provides built-in message history and multi-channel capabilities
  • Is difficult to audit retroactively (Zulip logs are transient)

Multi-Platform Deployment

Kaspersky confirmed wheel packages for:

  • Windows: x86, x64
  • Linux: x86_64

The cross-platform approach expands the attack surface to CI/CD pipelines, cloud development environments, and containerized workloads where Python is endemic.

Lyrie Assessment

Why CISOs Reading Lyrie Should Care:

1. Supply-Chain via Transitive Dependencies — This attack exploits npm/pip/cargo's fundamental trust model: developers rarely inspect transitive dependency source code. A single compromised utility library infects downstream projects at scale. If colorinal were used by a CI/CD framework or Docker base layer, the blast radius would be measured in millions of downstream developers.

2. Undetectable Persistence via Chat APIs — ZiChatBot's use of Zulip REST APIs is a paradigm shift. Traditional C2 detection relies on identifying new domains, IPs, or suspicious DNS patterns. Public API endpoints (Zulip, Discord, Slack) are routinely whitelisted by security teams and appear as legitimate traffic in network logs. This attack proves that API-based C2 is now table-stakes for advanced APTs.

3. Self-Destruction Removes Forensic Evidence — The dropper explicitly removes terminate.dll and unicode.py after execution. A compromised system running ZiChatBot may show no malicious files on disk, complicating incident response and threat hunting.

4. Lyrie's Autonomous Defense Angle: This attack demonstrates why autonomous endpoint agents must:

  • Monitor Python library imports in real time (not just file writes)
  • Alert on suspicious ctypes/CFFI usage (DLL loading from package directories)
  • Track process spawning from Python interpreters
  • Detect registry modifications from Python.exe (rare and suspicious)
  • Monitor unusual outbound API calls to chat platforms from developer machines
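The last bullet, together with the Zulip C2 section above, describes the one place this traffic is still separable from legitimate use: the process that originates it. The following is an added example, not code from the article or from Kaspersky, of a detection rule run over constructed egress-proxy records that flags team-chat API traffic from processes that are not an approved chat client. The record format, the process allow-list and the sample lines are assumptions made for this example; the /api/v1/ endpoint paths and the zulipchat.com hosting domain are Zulip's public conventions, not indicators taken from the report.

```python
"""
Added example, not code from the article or from Kaspersky: a detection rule
run over constructed egress-proxy records that flags team-chat API traffic
from processes that are not an approved chat client. Record format, process
allow-list and sample lines are assumptions made for this example.
"""
import json
from typing import Dict, List, Optional

# Public chat platforms that expose REST APIs (hosted tenants).
CHAT_API_DOMAINS = ("zulipchat.com", "slack.com", "discord.com")
# Self-hosted Zulip answers on any domain, so also key on its REST endpoints.
ZULIP_API_PATHS = ("/api/v1/messages", "/api/v1/register", "/api/v1/events")

# Processes expected to talk to chat platforms on a developer box (assumed list).
APPROVED_CHAT_PROCESSES = {"zulip.exe", "slack.exe", "discord.exe", "chrome.exe", "firefox.exe"}
# Python interpreters plus the ZiChatBot executable name given in the article.
HIGH_RISK_PROCESSES = {"python.exe", "python3", "python", "vcpktsvr.exe"}

# Constructed sample records (JSON lines); not real telemetry.
SAMPLE_RECORDS = """\
{"ts":"2026-05-06T09:00:01Z","host":"dev-win-07","process":"zulip.exe","dst":"acme.zulipchat.com","path":"/api/v1/events","method":"GET"}
{"ts":"2026-05-06T09:00:07Z","host":"dev-win-07","process":"python.exe","dst":"acme.zulipchat.com","path":"/api/v1/messages","method":"POST"}
{"ts":"2026-05-06T09:01:12Z","host":"dev-lnx-02","process":"python3","dst":"chat.example.invalid","path":"/api/v1/register","method":"POST"}
{"ts":"2026-05-06T09:02:30Z","host":"dev-win-07","process":"python.exe","dst":"pypi.org","path":"/simple/requests/","method":"GET"}
{"ts":"2026-05-06T09:03:45Z","host":"dev-win-07","process":"chrome.exe","dst":"acme.zulipchat.com","path":"/api/v1/messages","method":"GET"}
{"ts":"2026-05-06T09:04:02Z","host":"dev-win-07","process":"updater.exe","dst":"acme.zulipchat.com","path":"/api/v1/users/me","method":"GET"}
"""


def looks_like_chat_api(dst: str, path: str) -> bool:
    """True if the destination is a hosted chat tenant or the path is a Zulip REST endpoint."""
    dst = dst.lower()
    hosted = any(dst == d or dst.endswith("." + d) for d in CHAT_API_DOMAINS)
    return hosted or path.startswith(ZULIP_API_PATHS)


def classify(rec: Dict[str, str]) -> Optional[str]:
    """Severity for one record, or None when nothing is suspicious."""
    if not looks_like_chat_api(rec["dst"], rec["path"]):
        return None
    proc = rec["process"].lower()
    if proc in HIGH_RISK_PROCESSES:
        return "high"      # interpreter or known malware name reaching a chat API
    if proc not in APPROVED_CHAT_PROCESSES:
        return "medium"    # unexpected binary reaching a chat API
    return None


def detect(jsonl: str) -> List[Dict[str, str]]:
    """Run the rule over JSON-lines records and return the alerts in input order."""
    alerts = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        severity = classify(rec)
        if severity:
            alert = {k: rec[k] for k in ("ts", "host", "process", "dst", "path")}
            alert["severity"] = severity
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_RECORDS):
        print(a["severity"].upper(), a["host"], a["process"], "->", a["dst"] + a["path"])
```

The allow-list is the weak point of this rule: anything that can drive a browser inherits its exemption, so pair it with process-ancestry data (a browser spawned by python.exe is itself worth an alert) rather than relying on the process name alone.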

5. Attribution to OceanLotus (APT-C-16) — A Vietnamese APT with a decade-long history targeting ASEAN governments, private sector tech, and defense contractors. This shift toward developer-targeted supply-chain attacks suggests OceanLotus is investing in persistent, wide-scale intrusions rather than targeted spear-phishing campaigns. Worse, Python developers skew younger and less security-aware than traditional targets.

Recommended Actions

Immediate (24–48 hours):

  • Audit pip freeze output across all CI/CD pipelines for uuid32-utils, colorinal, termncolor
  • If found, isolate affected build agents; assume git credentials and AWS keys are compromised
  • Review git logs for suspicious commits pushed from affected machines
  • Correlate with VT/Shodan for ZiChatBot (vcpktsvr.exe, libcef.dll) on corporate endpoints
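Auditing `pip freeze` output for the three package names is easy to get wrong because pip accepts and prints several spellings of the same name (uuid32-utils, uuid32_utils, UUID32.Utils are one project) and several line shapes (pinned, extras, direct URL, editable VCS). The following is an added example, not code from the article, that normalises names per PEP 503 before matching and handles those line shapes; the sample freeze output is constructed, and the matching list is the three names the article gives.

```python
"""
Added example, not code from the article: audit `pip freeze` (or a
requirements file) against the package names the article publishes as
indicators. Names are normalised per PEP 503 before comparison, so that
uuid32_utils, UUID32-Utils and uuid32.utils all match uuid32-utils. The
sample freeze output is constructed.
"""
import re
from typing import List, Tuple

INDICATOR_PACKAGES = {"uuid32-utils", "colorinal", "termncolor"}

_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")
_EGG_RE = re.compile(r"#egg=([A-Za-z0-9._-]+)")


def normalize(name: str) -> str:
    """PEP 503: collapse runs of '-', '_' and '.' to '-' and lower-case."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_freeze(text: str) -> List[Tuple[str, str]]:
    """Return (normalised name, original line) for each requirement line.

    Handles 'name==ver', 'name[extra]==ver', 'name @ url' and
    '-e vcs+url#egg=name'; skips blank lines, comments and other pip options.
    """
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("-e ") or ("://" in line and " @ " not in line):
            m = _EGG_RE.search(line)  # editable/VCS installs carry the name in #egg=
            if m:
                out.append((normalize(m.group(1)), raw))
            continue
        if line.startswith("-"):
            continue  # other options such as -r or --index-url
        if " @ " in line:
            line = line.split(" @ ", 1)[0]  # direct-URL reference: name before ' @ '
        m = _NAME_RE.match(line)
        if m:
            out.append((normalize(m.group(1)), raw))
    return out


def find_indicators(text: str) -> List[str]:
    """Return the original freeze lines whose normalised name is an indicator."""
    wanted = {normalize(n) for n in INDICATOR_PACKAGES}
    return [raw.strip() for name, raw in parse_freeze(text) if name in wanted]


# Constructed `pip freeze` output for this example; the hosts are reserved .invalid names.
SAMPLE_FREEZE = """\
# constructed freeze output
certifi==2025.1.31
Colorinal==0.1.3
colorama==0.4.6
requests[socks]==2.32.3
uuid32_utils==1.0.0
termncolor @ https://files.example.invalid/termncolor-0.2.0-py3-none-any.whl
-e git+https://git.example.invalid/acme/tooling.git@abc123#egg=acme_tooling
"""

if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_FREEZE):
        print("INDICATOR:", hit)
```

In a pipeline, feed real output to `find_indicators(sys.stdin.read())` from `pip freeze | python audit.py`; note that colorama, which shares a prefix with colorinal, is correctly not reported, since matching is on the whole normalised name rather than a substring.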

Short-term (1 week):

  • Implement software bill-of-materials (SBOM) scanning with minimum 2-level transitive dependency depth
  • Add signed hash verification to pip/npm/cargo (beyond standard TLS)
  • Restrict PyPI downloads to pre-approved package versions (pip-audit + vendoring)
  • Monitor for registry entries in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run from Python.exe context

Long-term:

  • Enforce code signing for all transitive dependencies (requires PyPI infrastructure change, but push your vendor)
  • Implement Lyrie autonomous endpoint detection for cross-package C2 callbacks
  • Assume Python library ecosystem is compromised; shift to containerized, immutable dependency layers

Sources

1. https://securelist.com/oceanlotus-suspected-pypi-zichatbot-campaign/119603/ — Kaspersky Labs (primary research)

2. https://securelist.com/tr/daemon-tools-backdoor/119654/ — Kaspersky Labs (dropper technical analysis)

3. https://www.kaspersky.com/blog/daemon-tools-supply-chain-attack/55691/ — Kaspersky official advisory

4. https://malwaretips.com/threads/kaspersky-great-research-oceanlotus-suspected-of-using-pypi-to-deliver-zichatbot-malware.141248/ — Public disclosure timeline

Lyrie.ai Cyber Research Division

Lyrie Verdict

Lyrie's autonomous defense layer flags this class of exposure the moment it surfaces — no signature update required.