Analyzing “Operation HumanitarianBait” – A Sophisticated Python-Based Espionage Campaign

In the evolving landscape of cyberespionage, threat actors are increasingly moving away from traditional compiled binaries in favor of highly flexible, interpreted languages. A recent investigation has surfaced a stealthy, Python-based infostealer campaign—internally referred to as “Operation HumanitarianBait”—that leverages trusted developer infrastructure to maintain a low-profile presence on victim systems.

This operation appears surgically targeted toward Russian-speaking demographics, utilizing highly specific humanitarian-themed social engineering lures to bypass human intuition and technical scrutiny alike.

CRIL has uncovered this targeted cyberespionage campaign, which expertly blends social engineering with a “PE-less” (Portable Executable-less) architecture to evade traditional endpoint detection and response (EDR) systems.

Infection chain (Source : CRIL).
The multi-stage infection chain (Source: CRIL).

The Initial Access Vector: Social Engineering & LNK Obfuscation

The attack lifecycle begins with a phishing email containing a compressed RAR archive. Inside this archive lies a malicious Windows shortcut (LNK) file, masquerading as a formal Russian humanitarian aid request. Unlike standard LNK files, this dropper is unusually large; it contains embedded, self-obfuscated Unicode content.

Upon execution, a PowerShell command is triggered to decode this Unicode payload directly in memory or from the disk. This technique is specifically designed to defeat automated sandbox analysis by ensuring the “malicious” logic only exists in a readable state during the actual execution phase, leaving nothing for static scanners to flag in the initial file.

To maintain the illusion of legitimacy, the malware immediately launches a genuine-looking Russian-language PDF document. While the user interacts with the “aid application,” the infection chain continues silently in the background. Interestingly, researchers noted a second variant using a Russian survey link, suggesting the attackers are A/B testing different psychological triggers to maximize infection rates.

Downloading the Lure PDF file (Source : CRIL).
The deployment of the decoy lure PDF (Source: CRIL).

Infrastructure Abuse: Leveraging GitHub Releases

One of the most tactical aspects of this campaign is its use of GitHub Releases for payload delivery. Instead of pulling code directly from a repository—which would leave a clear, searchable commit history—the actor hosts their malicious payloads as “releases.”

This approach serves two purposes:

  • Scrutiny Avoidance: Static scanners often treat GitHub-hosted assets with a higher baseline of trust.
  • Seamless Updates: The attacker can frequently republish a data.zip release with new hashes, allowing them to iterate on the infostealer without altering the visible repository structure.

The GitHub account used even hosts “clean” artifacts, such as the official embedded Python runtime and the pip installer, effectively bootstrapping a malicious environment using legitimate, signed tools.

The “PE-less” Architecture & Persistence

The malware establishes its operational base within the %APPDATA%\WindowsHelper directory. By deploying a self-contained Python environment, the attacker avoids the need for administrative privileges, allowing the malware to run in user-space and blend in with standard application data.

Stealth Operations: Obfuscation and Persistence

To ensure the implant remains invisible to the user, the campaign employs VBScript launchers (e.g., run.vbs) that invoke pythonw.exe. Because pythonw.exe is designed to run scripts without an attached console window, no command prompt appears during execution.

GitHub page (Source : CRIL).
The actor’s GitHub release page used for hosting (Source: CRIL).

For long-term access, the malware registers a Windows Scheduled Task named “WindowsHelper.” This ensures that even after a system reboot, the Python-based agent is re-initialized at regular intervals.

The core logic, module.pyw, is highly resilient to reverse engineering. It is protected by PyArmor v9.x Pro, a commercial-grade obfuscation framework. PyArmor transforms Python bytecode into a format that is extremely difficult to decompile, forcing analysts to contend with heavily obfuscated logic that resists standard static inspection.

Surveillance and Exfiltration Capabilities

Analysis reveals that this is not a simple credential stealer, but a comprehensive surveillance suite. Its capabilities include:

  • Credential Harvesting: The implant targets Chromium-based browsers and Firefox. It extracts AES-GCM master keys from Local State files, supporting both legacy DPAPI and modern Chrome encryption formats to decrypt saved passwords and session cookies.
  • Real-time Monitoring: It functions as a keylogger, monitors clipboard contents, and captures periodic desktop screenshots.
  • Data Discovery: The malware recursively scans user directories for sensitive documents and cryptocurrency wallets, maintaining an inventory_state.db (SQLite) to track exfiltrated files and prevent redundant uploads.
  • Account Takeover: It specifically targets tdata folders to steal Telegram session data, allowing for session hijacking without needing the user’s password.
  • Remote Access: The implant can silently install and configure legitimate remote desktop tools like RustDesk or AnyDesk, providing the attacker with a persistent, interactive backdoor.
Persistence through Windows Task Schedular (Source : CRIL).
Persistence mechanism via Windows Task Scheduler (Source: CRIL).

All stolen data is funneled to a single VPS-hosted Command-and-Control (C2) server. The backend utilizes an nginx-fronted Flask application, complete with a custom dashboard designed for the attacker to manage multiple victim sessions efficiently.

Defensive Recommendations

While definitive attribution is ongoing, the combination of Russian-language lures, high-end obfuscation (PyArmor), and a sophisticated C2 stack strongly suggests a technically competent threat actor engaged in targeted espionage.

Security teams should prioritize the following:

  • Monitor for suspicious LNK files originating from email attachments.
  • Audit Scheduled Tasks for unusual entries like “WindowsHelper.”
  • Flag unexpected execution of python.exe or pythonw.exe from the %APPDATA% directory.
  • Implement egress filtering to detect unusual traffic to newly created VPS or GitHub-related endpoints.

Indicators of Compromise (IOCs)

Indicator Indicator Type Description
8a100cbdf79231e70cee2364ebd9a4433fda6b4de4929d705f26f7b68d6aeb79 SHA-256 Initial LNK dropper
9be61c95056fd6b63565cf51a196f2615f5360c0a42e616b2a618473e9d60a21 SHA-256 Dementyeva_Anna_Vasilyevna_zayavka_gumanitarnayapomosch.rar
hxxp://159.198.41.140/static/builder/lnk_uploads/invo[.]pdf URL Lure PDF download
hxxp://159.198.41.140/test/index.php?r=survey/index&sid=936926&newtest=Y&lang=ru%22 URL Survey URL
hxxps://github.com/leravalera2/dtfls/releases/download/dtfls/data.zip URL PyArmour packed malicious scripts
a5b782901829861a6f458db404e8ec1a99c65a48393525e681742bb2a5db454d SHA-256 module.pyw – packed Python stealer/RAT

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Related Articles

Back to top button