EXECUTIVE SUMMARY
A cyberespionage campaign, dubbed Operation HumanitarianBait, has been uncovered, using aid-themed lures to deploy a fileless Python infostealer. The attack is delivered via phishing emails containing a malicious LNK file disguised within a RAR archive, exploiting contextual trust through a Russian humanitarian aid request form. The campaign prioritizes continuous intelligence collection, maintaining a low operational footprint and minimal user visibility.
The threat actor appears to be targeting Russian-speaking individuals or entities, and several lure types themed around humanitarian aid have been observed. The campaign is active and ongoing, with the threat actor actively refining delivery techniques and adapting to evade detection. This campaign represents a well-constructed, technically capable cyberespionage operation, using a convincing lure and a multi-stage infection chain to silently deploy a full-featured surveillance platform on victim machines.
The malware infects systems through a phishing email containing a malicious LNK file, which is executed by PowerShell, using a deliberate technique to evade automated sandbox analysis. The LNK file contains self-obfuscated content that is extracted and executed, creating a fully self-contained Python environment inside the user's %appdata% folder, requiring no administrator privileges. The main payload is downloaded from a dedicated GitHub account, stored in GitHub Releases, and hosted alongside legitimate files, making the entire download chain appear as normal GitHub traffic. Persistence is established through a Windows Scheduled Task that survives system reboots, ensuring the implant remains continuously active in the background. The payload is protected with PyArmor v9.2 Pro, a commercial obfuscation tool that converts Python bytecode into a format that resists static analysis and decompilation.
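The infection chain above leaves a handful of host-level artifacts a defender can hunt for: a PowerShell process whose command line references the LNK it was launched from, a Python interpreter living under a user's %APPDATA% profile path, a Scheduled Task whose action points at that interpreter, and GitHub Releases downloads originating from it. The following hunting logic is an added example written for this summary; it is not code from the Cyble report or from the malware. The event schema (`type`, `image`, `parent_image`, `command_line`, `action`, `url`), the field names, the task name, the file paths and the GitHub user and repository in the sample telemetry are all constructed assumptions, and the rules are heuristics generalised slightly beyond the report (they also match `python3.x.exe` and `pythonw.exe` names).

```python
import re

# A user-profile path that passes through \Users\<name>\AppData\ (T1036.005 / T1059.006).
APPDATA_RE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
# python.exe, pythonw.exe, python3.exe, python3.12.exe at the end of a path.
PYTHON_RE = re.compile(r"\\python(?:w)?(?:3(?:\.\d+)?)?\.exe$", re.IGNORECASE)
# A GitHub Releases asset download URL (T1071.001 hosting pattern described above).
GITHUB_RELEASE_RE = re.compile(
    r"^https://github\.com/[^/]+/[^/]+/releases/download/", re.IGNORECASE)

# Constructed sample telemetry in a simplified Sysmon-like shape. Every value
# here is an assumption for the example, not an indicator from the report.
SAMPLE_EVENTS = [
    {"type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'powershell.exe -w hidden -c "Get-Content C:\Users\alice\Downloads\request_form.lnk ..."'},
    {"type": "process",
     "image": r"C:\Users\alice\AppData\Roaming\pyenv\pythonw.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": r"pythonw.exe C:\Users\alice\AppData\Roaming\pyenv\main.pyc"},
    {"type": "task", "name": "UpdateCheck",
     "action": r"C:\Users\alice\AppData\Roaming\pyenv\pythonw.exe C:\Users\alice\AppData\Roaming\pyenv\main.pyc"},
    {"type": "http",
     "image": r"C:\Users\alice\AppData\Roaming\pyenv\pythonw.exe",
     "url": "https://github.com/example-user/example-repo/releases/download/v1/payload.bin"},
    # Benign control: a system-wide Python fetching a GitHub release must not fire.
    {"type": "http",
     "image": r"C:\Program Files\Python312\python.exe",
     "url": "https://github.com/pypa/pip/releases/download/24.0/pip.whl"},
    {"type": "process",
     "image": r"C:\Program Files\Python312\python.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "python.exe script.py"},
]


def is_appdata_python(path: str) -> bool:
    """True when the executable is a Python interpreter under a user's AppData tree."""
    return bool(APPDATA_RE.search(path)) and bool(PYTHON_RE.search(path))


def first_token(command: str) -> str:
    """Return the executable from a command string, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def hunt(events):
    """Apply the four heuristics and return (rule_id, subject, detail) tuples."""
    findings = []
    for ev in events:
        kind = ev.get("type")
        if kind == "process":
            image = ev["image"]
            cmd = ev.get("command_line", "")
            # LNK-launched PowerShell that reads its own .lnk back (self-extracting lure).
            if image.lower().endswith("\\powershell.exe") and ".lnk" in cmd.lower():
                findings.append(("powershell-reads-lnk", image, cmd))
            # A user-writable, self-contained interpreter needs no admin rights.
            if is_appdata_python(image):
                findings.append(("python-in-appdata", image, ev.get("parent_image", "")))
        elif kind == "task":
            # Scheduled Task persistence (T1053.005) pointing into AppData.
            exe = first_token(ev["action"])
            if is_appdata_python(exe):
                findings.append(("scheduled-task-appdata-python", ev["name"], exe))
        elif kind == "http":
            # Payload retrieval from GitHub Releases by the AppData interpreter.
            if is_appdata_python(ev["image"]) and GITHUB_RELEASE_RE.match(ev["url"]):
                findings.append(("github-release-from-appdata-python", ev["image"], ev["url"]))
    return findings


if __name__ == "__main__":
    for rule, subject, detail in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] {subject} :: {detail}")
```

Run on the constructed sample, the four malicious events each trigger exactly one rule while the two Program Files events stay silent. In a real deployment the same predicates map directly onto Sysmon Event IDs 1 (process creation), 3 or 22 (network/DNS) and the Scheduled Task XML under `C:\Windows\System32\Tasks`; the AppData interpreter check is the highest-value one because it is the step the chain cannot avoid without gaining administrator privileges.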
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
| --- | --- | --- | --- |
| Initial Access | T1566.001 | Phishing | Spearphishing Attachment |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Execution | T1059.005 | Command and Scripting Interpreter | Visual Basic |
| Execution | T1059.006 | Command and Scripting Interpreter | Python |
| Persistence | T1053.005 | Scheduled Task/Job | Scheduled Task |
| Defense Evasion | T1027.002 | Obfuscated Files or Information | Software Packing |
| Defense Evasion | T1036.005 | Masquerading | Match Legitimate Name or Location |
| Credential Access | T1555.003 | Credentials from Password Stores | Credentials from Web Browsers |
| Credential Access | T1539 | Steal Web Session Cookie | — |
| Lateral Movement | T1219 | Remote Access Software | — |
| Collection | T1113 | Screen Capture | — |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | — |
REFERENCES:
The following report contains further technical details:
https://cyble.com/blog/operation-humanitarianbait-infostealer-campaign/