Operation HumanitarianBait Uses Fake Aid Documents to Deploy Python Spyware
Operation HumanitarianBait deploys Python spyware via fake aid documents targeting Russian speakers.
Summary
Operation HumanitarianBait is an active campaign using phishing emails with malicious LNK files disguised as Russian humanitarian aid documents to deliver Python spyware. The malware employs fileless techniques, GitHub-hosted payloads, and PyArmor obfuscation to steal browser credentials, cryptocurrency keys, and enable remote desktop access. The campaign targets Russian-speaking victims and government entities with evolving capabilities and persistent Windows Scheduled Task mechanisms.
Full text
By Deeba Ahmed, May 12, 2026

A new Python spyware campaign dubbed Operation HumanitarianBait is currently targeting Russian speakers by weaponizing the very documents meant to help them. This discovery, made by Cyble Research and Intelligence Labs (CRIL), shows that cybercriminals are making clever use of trusted web services to hide a powerful surveillance tool and using the guise of Russian humanitarian aid efforts to infect systems with it.

Infection Chain and Delivery Methods

According to researchers, the campaign is active as of May 2026. The attack starts with phishing emails carrying a RAR archive, inside which is a malicious LNK file (SHA-256: 8a100cbdf79231e70cee2364ebd9a4433fda6b4de4929d705f26f7b68d6aeb79). This is not a simple shortcut: it contains hidden code that PowerShell extracts from the shortcut file and runs in memory. Because the loader depends on the original file being present on disk, this doubles as an anti-sandbox technique: the malware stays inert when an automated scanner analyzes the extracted code in isolation.

“This is a deliberate anti-sandbox technique, as the malware will not execute if the original file is absent from disk, making it appear clean to automated scanning tools,” researchers explained in the blog post.

To keep the victim from becoming suspicious, the malware opens a decoy PDF titled “O predostavlenii gumanitarnoy pomoshchi” (“Regarding the provision of humanitarian aid”), fetched from the Command and Control (C2) server at 159.198.41.140. While the victim is busy reading this aid form, the real damage happens in the background.

[Figure: Phishing lure (Source: Cyble); image translated via AI by Hackread.com]

Technical Capabilities

The attack uses a fileless (PE-less) Python architecture.
To stay hidden, the attackers host their payload on GitHub Releases, which lets the malicious download traffic blend in with legitimate software updates. The malware sets up a self-contained environment in the %appdata%\WindowsHelper folder and uses PyArmor v9.2 Pro to obfuscate its code, making it difficult for security software to inspect.

Cyble’s research reveals that the main payload, module.pyw, operates as a full surveillance platform with a wide range of capabilities. It begins by stealing passwords and session cookies from Chromium-based browsers (Chrome, Edge, Brave, Opera and Yandex) and from Firefox, using AES-GCM decryption to recover the stored secrets. It then targets Telegram session data and scans user directories for cryptocurrency private keys. For active monitoring, the implant uses the keyboard library to log keystrokes and the mss library to capture continuous screenshots. It even quietly installs RustDesk or AnyDesk to give the attackers interactive remote desktop access.

Persistence and Attribution

Attackers ensure long-term access by registering a Windows Scheduled Task named WindowsHelper. The task executes VBScript launchers (run.vbs and launch_module.vbs) that restart the malware whenever the system reboots. The C2 infrastructure is hosted by Namecheap, and a Flask backend is used to manage the stolen data.

Although Cyble has not officially named the group responsible, it notes that the Russian-language lures and humanitarian themes suggest the targets are Russian speakers or government entities. And because the attackers frequently update the data.zip files on GitHub, researchers conclude that this is an evolving threat.

[Figure: Active and updated release page on GitHub (Source: Cyble)]

The Operation HumanitarianBait campaign shows how recent cyberattacks have become harder to detect by combining social engineering, trusted platforms, and stealth-focused malware design.
By disguising malicious files as humanitarian aid documents and hiding payloads inside legitimate services like GitHub Releases, the attackers created an operation capable of long-term surveillance and credential theft while avoiding many traditional security controls. Its ability to steal browser data, monitor user activity, capture cryptocurrency credentials, and establish remote access makes it a serious threat, especially for Russian-speaking targets and government-related entities. The campaign also shows a trend in cybercrime, where attackers increasingly rely on fileless techniques, obfuscation, and legitimate infrastructure to stay active and evolve their operations.
Indicators of Compromise
- hash_sha256 — 8a100cbdf79231e70cee2364ebd9a4433fda6b4de4929d705f26f7b68d6aeb79
- ip — 159.198.41.140
- malware — Operation HumanitarianBait
- malware — module.pyw