TRENDING TOPICS JUNE 27, 2025

Malicious Typosquatted Python Package Triggers Forced Shutdowns on Windows Systems 

A newly discovered malicious Python package, “psslib,” has been identified on the Python Package Index (PyPI), posing as the widely used “passlib” library in a targeted typosquatting campaign. This fake package exploits the trust developers place in security libraries by falsely advertising itself as a tool for password protection while delivering highly disruptive behavior. Published by an actor using the alias “umaraq,” psslib is designed to immediately shut down Windows systems when incorrect passwords are entered—an attack that prioritizes destruction over stealth. Security researchers at Socket uncovered the threat through automated anomaly detection, flagging the use of unexpected shutdown commands within a package that claims to enhance security. Despite its malicious functionality, psslib remained accessible on PyPI at the time of discovery, continuing to endanger Windows-based development environments where Python often runs with elevated privileges.

The package executes its attack using simple yet harmful Python functions that use the os module to issue system shutdowns. Its core function prompts users for a password using the easygui library. If the input does not match a predefined value, it executes a shutdown command, forcibly powering off the system within one second. Additional functions, such as “src()” and “error(),” are also embedded, allowing shutdowns to occur with or without user interaction, further increasing the package’s potential to disrupt. This behavior can cause immediate workflow interruption, data loss, and downtime, which is especially harmful in collaborative or automated environments. Unlike typical supply chain threats that quietly exfiltrate data or establish persistence, psslib is openly destructive, highlighting a dangerous evolution in package-based attacks where the objective is sabotage rather than espionage.
Security teams and developers are advised to verify package names carefully and closely monitor dependency installations, as even minor typos can now result in significant operational damage. 
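One way to act on that advice is a pre-install check that flags requirement names sitting within a couple of edits of a trusted name without matching it exactly, which is precisely the psslib/passlib pattern. This is an added example, not code from Socket or from any project; the trusted allowlist and the requirements lines are constructed samples.

```python
"""Flag requirement names that are near-misses of trusted package names.

Added example, not part of the Socket report or any project's code; the
trusted list and the requirements below are constructed samples.
"""
from __future__ import annotations


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert / delete / substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def requirement_name(line: str) -> str:
    """Strip version specifiers, extras, markers and comments from one line."""
    name = line.split("#", 1)[0].strip()
    for sep in ("==", ">=", "<=", "~=", "!=", ">", "<", "[", ";", " "):
        name = name.split(sep, 1)[0]
    return name.strip().lower().replace("_", "-")


def find_typosquats(requirements: list[str], trusted: set[str],
                    max_distance: int = 2) -> dict[str, str]:
    """Return {requested_name: closest_trusted_name} for near-miss names.

    Exact matches pass; a name within max_distance edits of a trusted name
    but not equal to it is the typosquat shape (psslib is one edit from passlib).
    """
    hits: dict[str, str] = {}
    for line in requirements:
        name = requirement_name(line)
        if not name or name in trusted:
            continue
        closest = min(trusted, key=lambda t: edit_distance(name, t))
        if edit_distance(name, closest) <= max_distance:
            hits[name] = closest
    return hits


TRUSTED = {"passlib", "requests", "cryptography", "easygui"}       # constructed allowlist
SAMPLE_REQUIREMENTS = ["passlib==1.7.4", "psslib", "requets>=2.0", "numpy"]  # constructed

if __name__ == "__main__":
    for bad, good in find_typosquats(SAMPLE_REQUIREMENTS, TRUSTED).items():
        print(f"suspicious: {bad!r} looks like {good!r}")
```

Run it over a real requirements.txt with your organisation's approved package list as TRUSTED; a non-empty result is a reason to stop the install and look at the package before anything else.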

Threat Actors Exploit Windows Task Scheduler to Maintain Stealthy Persistence Using Havoc Framework 

A recent cyberattack targeting critical national infrastructure in the Middle East has uncovered a sophisticated persistence technique that leverages the Windows Task Scheduler to deploy a modified version of the Havoc post-exploitation framework. Researchers at Fortinet identified that the attackers used a custom remote injector disguised as conhost.exe, a legitimate Windows process, to blend malicious activity with normal system operations. By embedding multiple scheduled tasks and launching the disguised injector with parameters referencing conhost.dll, the attackers ensured that the Havoc payload would be persistently executed even after system reboots or attempted remediation. The use of Task Scheduler provided both reliability and stealth, enabling scheduled re-execution of the malware while bypassing traditional startup detection mechanisms. The attack demonstrates a profound understanding of Windows internals and a deliberate effort to maintain long-term access to compromised environments within critical infrastructure sectors.

The execution chain begins with a scheduled task that runs a malicious file from C:\Windows\System32\drivers\conhost[.]exe using crafted parameters. The command includes a “-f” flag to reference an encrypted payload in conhost.dll and a “--path” argument pointing to cmd.exe, the target for process injection. Upon execution, the injector spawns a new instance of cmd.exe using the CreateProcessA() API, then decrypts the Havoc payload using shellcode embedded within the DLL. The decryption key and initialization vector are pulled from the first 48 bytes of the DLL itself. The decrypted payload is then injected into the cmd[.]exe process using low-level Windows functions like ZwAllocateVirtualMemory() and ZwWriteVirtualMemory(). Finally, the malware uses ZwCreateThreadEx() to execute the backdoor through a remote thread, allowing attackers to maintain covert control of the system.
This campaign demonstrates a shift toward more advanced persistence strategies in targeted infrastructure attacks, emphasizing the need for enhanced behavioral monitoring, integrity checks, and scrutiny of scheduled tasks in high-risk environments. 
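The scrutiny of scheduled tasks called for above can be automated over the task XML that Task Scheduler keeps under C:\Windows\System32\Tasks: the two signals in this campaign are a well-known system binary name launched from a directory where it does not belong, and arguments that point at a DLL. This is an added example, not Fortinet's tooling; the expected-directory allowlist is an assumption and the task XML is a constructed sample modelled on the described conhost.exe task.

```python
"""Audit Task Scheduler XML for system binaries launched from odd locations.

Added example, not from the Fortinet report; the task XML below is a
constructed sample modelled on the described conhost.exe persistence task.
"""
import ntpath
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumed allowlist: these binaries legitimately live only in these directories.
EXPECTED_DIRS = {
    "conhost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "cmd.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}


def normalise(path: str) -> str:
    """Strip quotes, expand the usual environment variables, lowercase."""
    p = path.strip().strip('"').lower()
    return p.replace("%systemroot%", r"c:\windows").replace("%windir%", r"c:\windows")


def audit_task_xml(xml_text: str) -> list[str]:
    """Return one finding per suspicious <Exec> action in the task XML."""
    findings = []
    root = ET.fromstring(xml_text)
    for exec_node in root.iterfind(".//t:Actions/t:Exec", NS):
        cmd = normalise(exec_node.findtext("t:Command", "", NS))
        args = exec_node.findtext("t:Arguments", "", NS)
        directory, base = ntpath.split(cmd)
        if base in EXPECTED_DIRS and directory not in EXPECTED_DIRS[base]:
            findings.append(f"{base} launched from unexpected directory {directory!r}")
        if ".dll" in args.lower():
            findings.append(f"{base} arguments reference a DLL: {args!r}")
    return findings


# Constructed sample. Real task files are UTF-16 with an XML declaration;
# read those as bytes and pass the bytes to ET.fromstring instead.
SAMPLE_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Windows\\System32\\drivers\\conhost.exe</Command>
      <Arguments>-f conhost.dll --path cmd.exe</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for finding in audit_task_xml(SAMPLE_TASK):
        print("ALERT:", finding)
```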

Iranian APT Group Educated Manticore Targets Israeli Experts with Sophisticated Phishing Campaigns 

The Iranian state-aligned threat group Educated Manticore—also known as APT35, APT42, Charming Kitten, or Mint Sandstorm—has intensified its cyber-espionage activities by targeting Israeli cybersecurity professionals, computer science academics, and journalists. Closely linked to the Islamic Revolutionary Guard Corps’ Intelligence Organization (IRGC-IO), the group has recently been observed employing advanced spear-phishing tactics in campaigns that began in mid-June 2025. These operations involve impersonating fictitious cybersecurity employees through emails and WhatsApp messages crafted with AI-assisted writing to appear authentic. The attackers direct victims to phishing pages that mimic Google, Outlook, or Yahoo authentication flows, using highly deceptive, React-based Single-Page Applications (SPAs). These fake login portals feature dynamic routing and pre-filled email fields to increase trust and lower suspicion. Subtle flaws—such as mismatched names or inconsistent metadata—remain the few clues to their fraudulent nature.

The phishing infrastructure developed by Educated Manticore is both advanced and agile. It includes support for two-factor authentication (2FA) relay attacks, capturing not only passwords but also SMS codes and even keystrokes via a WebSocket-based keylogger. Since January 2025, researchers have identified over 130 domains and subdomains, mostly registered through NameCheap, as part of this ongoing campaign, with many resolving to infrastructure associated with the GreenCharlie sub-cluster. To further legitimize their phishing attempts, the attackers host multi-stage credential harvesting pages on Google Sites, exploiting the trusted appearance of Google's domain. Victims are typically redirected to these malicious sites via fake Google Meet invitations embedded in phishing messages.
Check Point Research emphasizes that this operation is part of a broader Iranian cyber strategy that blends deception, rapid infrastructure rotation, and strategic target selection. As tensions between Iran and Israel continue, Educated Manticore’s focus on high-trust environments and credential theft underscores its mission to gather intelligence aligned with regime objectives, posing an ongoing and serious threat to regional cybersecurity.

Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.