Analyzing “Operation HumanitarianBait” – A Sophisticated Python-Based Espionage Campaign
In the evolving landscape of cyberespionage, threat actors are increasingly moving away from traditional compiled binaries in favor of highly flexible, interpreted languages. A recent investigation has surfaced a stealthy, Python-based infostealer campaign—internally referred to as “Operation HumanitarianBait”—that leverages trusted developer infrastructure to maintain a low-profile presence on victim systems.
This operation appears surgically targeted toward Russian-speaking demographics, utilizing highly specific humanitarian-themed social engineering lures to bypass human intuition and technical scrutiny alike.
CRIL has uncovered this targeted cyberespionage campaign, which expertly blends social engineering with a “PE-less” (Portable Executable-less) architecture to evade traditional endpoint detection and response (EDR) systems.

The Initial Access Vector: Social Engineering & LNK Obfuscation
The attack lifecycle begins with a phishing email containing a compressed RAR archive. Inside this archive lies a malicious Windows shortcut (LNK) file, masquerading as a formal Russian humanitarian aid request. Unlike standard LNK files, this dropper is unusually large; it contains embedded, self-obfuscated Unicode content.
Upon execution, a PowerShell command is triggered to decode this Unicode payload directly in memory or from the disk. This technique is specifically designed to defeat automated sandbox analysis by ensuring the “malicious” logic only exists in a readable state during the actual execution phase, leaving nothing for static scanners to flag in the initial file.
To maintain the illusion of legitimacy, the malware immediately launches a genuine-looking Russian-language PDF document. While the user interacts with the “aid application,” the infection chain continues silently in the background. Interestingly, researchers noted a second variant using a Russian survey link, suggesting the attackers are A/B testing different psychological triggers to maximize infection rates.

Infrastructure Abuse: Leveraging GitHub Releases
One of the most tactical aspects of this campaign is its use of GitHub Releases for payload delivery. Instead of pulling code directly from a repository—which would leave a clear, searchable commit history—the actor hosts their malicious payloads as “releases.”
This approach serves two purposes:
- Scrutiny Avoidance: Static scanners often treat GitHub-hosted assets with a higher baseline of trust.
- Seamless Updates: The attacker can frequently republish a
data.ziprelease with new hashes, allowing them to iterate on the infostealer without altering the visible repository structure.
The GitHub account used even hosts “clean” artifacts, such as the official embedded Python runtime and the pip installer, effectively bootstrapping a malicious environment using legitimate, signed tools.
The “PE-less” Architecture & Persistence
The malware establishes its operational base within the %APPDATA%\WindowsHelper directory. By deploying a self-contained Python environment, the attacker avoids the need for administrative privileges, allowing the malware to run in user-space and blend in with standard application data.
Stealth Operations: Obfuscation and Persistence
To ensure the implant remains invisible to the user, the campaign employs VBScript launchers (e.g., run.vbs) that invoke pythonw.exe. Because pythonw.exe is designed to run scripts without an attached console window, no command prompt appears during execution.

For long-term access, the malware registers a Windows Scheduled Task named “WindowsHelper.” This ensures that even after a system reboot, the Python-based agent is re-initialized at regular intervals.
The core logic, module.pyw, is highly resilient to reverse engineering. It is protected by PyArmor v9.x Pro, a commercial-grade obfuscation framework. PyArmor transforms Python bytecode into a format that is extremely difficult to decompile, forcing analysts to contend with heavily obfuscated logic that resists standard static inspection.
Surveillance and Exfiltration Capabilities
Analysis reveals that this is not a simple credential stealer, but a comprehensive surveillance suite. Its capabilities include:
- Credential Harvesting: The implant targets Chromium-based browsers and Firefox. It extracts AES-GCM master keys from
Local Statefiles, supporting both legacy DPAPI and modern Chrome encryption formats to decrypt saved passwords and session cookies. - Real-time Monitoring: It functions as a keylogger, monitors clipboard contents, and captures periodic desktop screenshots.
- Data Discovery: The malware recursively scans user directories for sensitive documents and cryptocurrency wallets, maintaining an
inventory_state.db(SQLite) to track exfiltrated files and prevent redundant uploads. - Account Takeover: It specifically targets
tdatafolders to steal Telegram session data, allowing for session hijacking without needing the user’s password. - Remote Access: The implant can silently install and configure legitimate remote desktop tools like RustDesk or AnyDesk, providing the attacker with a persistent, interactive backdoor.

All stolen data is funneled to a single VPS-hosted Command-and-Control (C2) server. The backend utilizes an nginx-fronted Flask application, complete with a custom dashboard designed for the attacker to manage multiple victim sessions efficiently.
Defensive Recommendations
While definitive attribution is ongoing, the combination of Russian-language lures, high-end obfuscation (PyArmor), and a sophisticated C2 stack strongly suggests a technically competent threat actor engaged in targeted espionage.
Security teams should prioritize the following:
- Monitor for suspicious LNK files originating from email attachments.
- Audit Scheduled Tasks for unusual entries like “WindowsHelper.”
- Flag unexpected execution of
python.exeorpythonw.exefrom the%APPDATA%directory. - Implement egress filtering to detect unusual traffic to newly created VPS or GitHub-related endpoints.
Indicators of Compromise (IOCs)
| Indicator | Indicator Type | Description |
| 8a100cbdf79231e70cee2364ebd9a4433fda6b4de4929d705f26f7b68d6aeb79 | SHA-256 | Initial LNK dropper |
| 9be61c95056fd6b63565cf51a196f2615f5360c0a42e616b2a618473e9d60a21 | SHA-256 | Dementyeva_Anna_Vasilyevna_zayavka_gumanitarnayapomosch.rar |
| hxxp://159.198.41.140/static/builder/lnk_uploads/invo[.]pdf | URL | Lure PDF download |
| hxxp://159.198.41.140/test/index.php?r=survey/index&sid=936926&newtest=Y&lang=ru%22 | URL | Survey URL |
| hxxps://github.com/leravalera2/dtfls/releases/download/dtfls/data.zip | URL | PyArmour packed malicious scripts |
| a5b782901829861a6f458db404e8ec1a99c65a48393525e681742bb2a5db454d | SHA-256 | module.pyw – packed Python stealer/RAT |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.