A new Python spyware campaign dubbed Operation HumanitarianBait is currently targeting Russian speakers by weaponizing the very documents meant to help them. This discovery, made by Cyble Research and Intelligence Labs (CRIL), shows that cybercriminals are making clever use of trusted web services to hide a powerful surveillance tool and using the guise of Russian humanitarian aid efforts to infect systems with it.
Infection Chain and Delivery Methods
According to the researchers, the campaign was still active as of May 2026. The attack starts with a phishing email carrying a RAR archive; inside it is a malicious LNK shortcut file (SHA-256: 8a100cbdf79231e70cee2364ebd9a4433fda6b4de4929d705f26f7b68d6aeb79).
This is not an ordinary shortcut: it carries hidden code that a PowerShell command extracts from the shortcut itself and runs in memory, so no separate executable is dropped at this stage. Because that loader depends on the original .lnk file being present on disk, the malware stays inert in automated scanners that analyse a copy of the file or the extracted command rather than the shortcut in place. The researchers describe this as deliberate:
“This is a deliberate anti-sandbox technique, as the malware will not execute if the original file is absent from disk, making it appear clean to automated scanning tools,” researchers explained in the blog post.
To keep the victim from becoming suspicious, the malware opens a decoy PDF titled "O predostavlenii gumanitarnoy pomoshchi" (Regarding the provision of humanitarian aid), fetched from the command-and-control (C2) server at 159.198.41.140. While the victim reads the aid form, the real payload runs in the background.
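The self-extracting shortcut described above is an artefact a responder can triage on disk. What follows is an added example, not Cyble's code or anything taken from the campaign: a heuristic scan that flags .lnk files whose strings contain a PowerShell launcher, that refer back to a .lnk on disk, or that are far larger than a shortcut needs to be. The 4 KiB size limit, the regex indicators and both sample shortcuts are constructed assumptions for illustration, not indicators from the report.

```python
"""Heuristic triage of Windows shortcut (.lnk) files for an embedded PowerShell
loader. Added example, not code from Cyble or from the HumanitarianBait
samples. Assumptions, not facts from the report: the shortcut's argument
string carries the PowerShell command, the hidden stage is appended after the
shortcut structures (so the file is unusually large), and the loader refers
back to its own .lnk on disk. The two samples at the bottom are constructed."""
import re

HEADER_SIZE = 0x4C                                   # fixed ShellLinkHeader size
LNK_MAGIC = b"\x4c\x00\x00\x00"                      # HeaderSize field
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
SIZE_LIMIT = 4096        # assumption: benign shortcuts are rarely this large

# Launcher indicators: the host binary, window hiding, encoded or evaluated code.
POWERSHELL = re.compile(
    r"(?i)powershell|\bpwsh\b|-w(?:indowstyle)?\s+hidden"
    r"|-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}"
    r"|frombase64string|invoke-expression|\biex\s*\("
)
# Self-reference: the command locates and re-reads a .lnk from disk.
SELF_READ = re.compile(r"(?i)\*\.lnk|\.lnk\b|readallbytes|get-content\s")


def extract_strings(data: bytes) -> str:
    """Three text views of the file: raw bytes as latin-1 (ANSI strings such as
    the LocalBasePath) and UTF-16LE decoded from both byte alignments, because
    LNK StringData is UTF-16LE and may begin at an odd offset."""
    views = [data.decode("latin-1")]
    for start in (0, 1):
        chunk = data[start:]
        chunk = chunk[: len(chunk) - len(chunk) % 2]
        views.append(chunk.decode("utf-16-le", errors="ignore"))
    return "\n".join(views)


def triage_lnk(data: bytes) -> dict:
    """Return is_lnk, size, a list of reasons and a suspicious verdict.
    Verdict: a PowerShell launcher plus at least one more indicator."""
    result = {"is_lnk": False, "size": len(data), "reasons": [], "suspicious": False}
    if len(data) < HEADER_SIZE or data[:4] != LNK_MAGIC or data[4:20] != LNK_CLSID:
        return result
    result["is_lnk"] = True
    text = extract_strings(data)
    if POWERSHELL.search(text):
        result["reasons"].append("powershell-launcher")
    if SELF_READ.search(text):
        result["reasons"].append("reads-own-file")
    if len(data) > SIZE_LIMIT:
        result["reasons"].append("oversized")
    result["suspicious"] = ("powershell-launcher" in result["reasons"]
                            and len(result["reasons"]) >= 2)
    return result


def build_sample(target: str, args: str, trailing: bytes) -> bytes:
    """Constructed shortcut-like blob: a real 0x4C header, an ANSI target path,
    two NULs (which leave the UTF-16 string on an odd offset), the UTF-16LE
    argument string, then trailing bytes. Enough for the heuristics above; it
    is not a fully valid LNK (no LinkTargetIDList or LinkInfo structures)."""
    header = LNK_MAGIC + LNK_CLSID + b"\x00" * (HEADER_SIZE - 20)
    return header + target.encode("latin-1") + b"\x00\x00" + args.encode("utf-16-le") + trailing


# Constructed: a loader that finds its own oversized .lnk, reads it and runs the tail in memory.
MALICIOUS = build_sample(
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    '-w hidden -nop -c "$f=gci *.lnk|?{$_.Length -gt 4000};'
    '$b=[IO.File]::ReadAllBytes($f);iex([Text.Encoding]::UTF8.GetString($b[3000..($b.Length-1)]))"',
    b"\x00" * 64 + b"APPENDED-STAGE-PLACEHOLDER" * 200,
)
# Constructed: an ordinary shortcut to a text file.
BENIGN = build_sample(r"C:\Windows\System32\notepad.exe", r'"C:\Users\Public\notes.txt"', b"\x00" * 32)

if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS), ("benign", BENIGN)):
        print(label, triage_lnk(blob))
```

Run it against a suspect file with `triage_lnk(open(path, "rb").read())`. A hit on the launcher pattern alone warrants a look; a hit combined with the self-read or size indicators is the pattern the report describes. Because the loader only works when the original .lnk is on disk, detonate the file in its original location and under its original name rather than a renamed copy.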
Technical Capabilities
The malware runs as Python code rather than as a compiled executable, which Cyble describes as a fileless (PE-less) architecture. To stay hidden, the attackers host the payload on GitHub Releases, so the download blends in with legitimate software-update traffic. The malware sets up a self-contained Python environment under %APPDATA%\WindowsHelper and obfuscates its code with PyArmor v9.2 Pro, which makes static analysis by security tooling harder.
Cyble's analysis shows that the main payload, module.pyw, is a full surveillance platform. It begins by stealing saved passwords and session cookies from Chromium-based browsers (Chrome, Edge, Brave, Opera and Yandex), decrypting them with AES-GCM, and from Firefox.
It then collects Telegram session data and scans user directories for cryptocurrency private keys. For live monitoring, the implant logs keystrokes with the Python keyboard library and takes continuous screenshots with the mss library. It also silently installs RustDesk or AnyDesk to give the operators interactive remote-desktop access.
Persistence and Attribution
The attackers keep long-term access by registering a Windows scheduled task named WindowsHelper that runs VBScript launchers (run.vbs and launch_module.vbs) to restart the malware after every reboot. The C2 infrastructure is hosted with Namecheap, and a Flask backend manages the stolen data.
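The scheduled-task persistence above leaves an artefact that can be exported and checked. Below is an added example (not code from Cyble or from the campaign) that parses Task Scheduler XML, as produced by `schtasks /query /xml /tn <name>` or PowerShell's `Export-ScheduledTask`, and flags tasks that run a script host against a script under a user-writable path at boot or logon. The two XML documents in it are constructed; only the task name WindowsHelper and the file name run.vbs come from the report, and the user name and paths are placeholders.

```python
"""Triage exported Task Scheduler XML for a script-launcher persistence task.
Added example, not code from Cyble. It checks for the pattern the report
describes (a task that runs a VBScript launcher out of %APPDATA% at boot or
logon) in XML as produced by `schtasks /query /xml /tn <name>` or
`Export-ScheduledTask`. Both XML documents below are constructed; only the task
name WindowsHelper and the file name run.vbs come from the report."""
import ntpath
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe"}
SCRIPT_FILE = re.compile(r"\.(?:vbs|vbe|js|jse|wsf|hta|ps1|bat|cmd)\b")
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "%appdata%", "%localappdata%",
                 "\\temp\\", "\\users\\public\\")
AUTOSTART_TRIGGERS = {"BootTrigger", "LogonTrigger"}
KNOWN_TASK_NAMES = {"windowshelper"}    # task name reported by Cyble


def triage_task_xml(xml_text) -> dict:
    """xml_text may be str or bytes; pass the exported file's raw bytes so the
    UTF-16 BOM that schtasks writes is honoured by the parser."""
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    name = uri.rsplit("\\", 1)[-1]
    triggers_el = root.find("t:Triggers", NS)
    triggers = set() if triggers_el is None else {el.tag.rsplit("}", 1)[-1] for el in triggers_el}
    reasons = []
    for exec_el in root.iterfind("t:Actions/t:Exec", NS):
        command = exec_el.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        args = exec_el.findtext("t:Arguments", default="", namespaces=NS)
        exe = ntpath.basename(command).lower()
        joined = f"{command} {args}".lower()
        if exe in SCRIPT_HOSTS:
            reasons.append(f"script-host:{exe}")
        if SCRIPT_FILE.search(joined):
            reasons.append("script-file")
        if any(marker in joined for marker in USER_WRITABLE):
            reasons.append("user-writable-path")
    if triggers & AUTOSTART_TRIGGERS:
        reasons.append("autostart-trigger")
    if root.findtext("t:Settings/t:Hidden", default="false", namespaces=NS).strip().lower() == "true":
        reasons.append("hidden")
    if name.lower() in KNOWN_TASK_NAMES:
        reasons.append("known-ioc-name")
    # Verdict rests on the durable combination, not on the task name alone.
    suspicious = (any(r.startswith("script-host:") for r in reasons)
                  and "script-file" in reasons and "user-writable-path" in reasons)
    return {"name": name, "triggers": sorted(triggers), "reasons": reasons, "suspicious": suspicious}


# Constructed: what a WindowsHelper-style task could look like when exported (no XML declaration).
PERSISTENCE_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\WindowsHelper</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>wscript.exe</Command>
      <Arguments>//B //Nologo "C:\Users\user\AppData\Roaming\WindowsHelper\run.vbs"</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed: an ordinary vendor updater task, for contrast.
UPDATER_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Vendor\Updater</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>"C:\Program Files\Vendor\Updater\updater.exe"</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for doc in (PERSISTENCE_TASK, UPDATER_TASK):
        print(triage_task_xml(doc))
```

To sweep a host, export each task with `schtasks /query /xml /tn <name>` or, in PowerShell, `Get-ScheduledTask | Export-ScheduledTask`, and feed each document to `triage_task_xml`. Matching on the name WindowsHelper alone is brittle, since a rename defeats it; a script host launching a .vbs from %APPDATA% on logon or boot is the signal worth alerting on.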
Cyble has not attributed the campaign to a named group, but the Russian-language lures and humanitarian theme suggest the targets are Russian speakers or government entities. Because the attackers keep updating the data.zip files on GitHub, the researchers consider this an evolving threat.

The Operation HumanitarianBait campaign shows how recent attacks combine social engineering, trusted platforms and stealth-focused malware design to evade detection. By disguising malicious files as humanitarian aid documents and staging payloads on a legitimate service such as GitHub Releases, the attackers built an operation capable of long-term surveillance and credential theft while bypassing many traditional security controls.
Its ability to steal browser data, monitor user activity, capture cryptocurrency credentials and establish remote access makes it a serious threat, especially for Russian-speaking targets and government-related entities. The campaign also reflects a broader trend in which attackers increasingly rely on fileless techniques, obfuscation and legitimate infrastructure to stay active and keep evolving.