-= Per source details. Do not edit below this line.=-
Malicious copy of a standard library module that during class initialization downloads and executes remote code and after that attempts to cover its tracks by overwriting itself with non-malicious code. The remote code aims to collect and exfiltrate sensitive Telegram session files.
This campaign shares infrastructure and basic methods with previous 2025-11-uzip campaign.
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2025-12-smtblib
Reasons (based on the campaign):
Downloads and executes a remote malicious script.
infostealer
target:telegram
exfiltration-credentials
action-hidden-in-lib-usage
covering-tracks
clones-real-package
typosquatting
{
"malicious-packages-origins": [
{
"versions": [
"0.1.6",
"0.1.5"
],
"sha256": "2c1075f7c4373ccaac9936bfd75a22a27f0c9ba06a5402a68a45fe8121f58783",
"modified_time": "2025-12-22T17:15:11.396277Z",
"source": "kam193",
"id": "pypi/2025-12-smtblib/smtrlib",
"import_time": "2025-12-22T18:09:53.100084416Z"
},
{
"versions": [
"0.1.6",
"0.1.5"
],
"sha256": "a2f22b191147cb45609f235f11ad1e22cbddd3ea8fcbc48eae1b924c03c8581a",
"modified_time": "2025-12-22T17:15:11.396277Z",
"source": "kam193",
"id": "pypi/2025-12-smtblib/smtrlib",
"import_time": "2025-12-29T11:07:13.548559626Z"
},
{
"versions": [
"0.1.5",
"0.1.6"
],
"sha256": "9d85a36c2c00ecd57e7e665998fe1ecb407321c3c31d98e236f7cf1d8d382e81",
"modified_time": "2025-12-22T17:15:11.396277Z",
"source": "kam193",
"id": "pypi/2025-12-smtblib/smtrlib",
"import_time": "2025-12-30T22:39:04.178817796Z"
},
{
"versions": [
"0.1.5",
"0.1.6"
],
"sha256": "10033b8781afb1d5ce5c8e963a881098ccc3c451b91eeca2923530156685996e",
"modified_time": "2025-12-22T17:15:11.396277Z",
"source": "kam193",
"id": "pypi/2025-12-smtblib/smtrlib",
"import_time": "2026-02-26T09:49:02.337211857Z"
}
],
"iocs": {
"ips": [
"87.120.107.132"
],
"urls": [
"http://87.120.107.132:3301/reactor",
"http://87.120.107.132:1488/drill",
"http://87.120.107.132:1488/drip"
]
}
}