Cyble Research and Intelligence Labs has uncovered a targeted cyberespionage campaign dubbed Operation HumanitarianBait. The attack uses phishing emails with a malicious LNK file inside a RAR archive, disguised as a Russian-language humanitarian aid request form. Once executed, a multi-stage infection chain silently deploys a fileless, PyArmor-obfuscated Python implant while showing the victim a decoy document. The payload is hosted on GitHub Releases to blend with legitimate traffic. The implant provides full surveillance capabilities: browser credential and cookie harvesting, keylogging, clipboard monitoring, screenshot capture, Telegram session theft, file exfiltration, and silent remote desktop access via RustDesk or AnyDesk. Persistence is maintained through a Windows Scheduled Task named 'WindowsHelper'. The C2 server runs a custom Flask-based dashboard. Attribution remains inconclusive, but Russian-speaking individuals appear to be the intended targets.
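As an added defensive example (not code from the Cyble report or from the campaign), the following PowerShell hunt checks a Windows host for the persistence and tooling described above. Only the 'WindowsHelper' task name and the RustDesk/AnyDesk names come from the summary; the "Python launched from a user-writable path" heuristic is an assumption about how a fileless Python implant tends to be started.

```powershell
# Added example (not from the Cyble write-up): hunt a Windows host for the persistence
# and tooling described in the summary. Assumes PowerShell 5.1+ with the ScheduledTasks
# module. Only the task name 'WindowsHelper' and the RustDesk/AnyDesk names are from the
# page; the python/pythonw-from-user-path check is a generic heuristic (assumption).

function Find-HumanitarianBaitArtifacts {
    $findings = @()

    # 1. The named persistence task, plus any task whose action launches a Python
    #    interpreter from a user-writable location (heuristic, not from the report).
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        $actions  = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' ; '
        $named    = $task.TaskName -eq 'WindowsHelper'
        $pyInUser = ($actions -match 'python(w)?(\.exe)?') -and
                    ($actions -match '\\(Users|ProgramData|Temp)\\')
        if ($named -or $pyInUser) {
            $findings += [pscustomobject]@{
                Type   = 'ScheduledTask'
                Name   = $task.TaskName
                Author = $task.Author
                Detail = $actions
            }
        }
    }

    # 2. Remote-access tools the report says are deployed silently. A hit only
    #    matters where the tool is absent from the approved software inventory.
    foreach ($p in Get-Process -ErrorAction SilentlyContinue) {
        if ($p.ProcessName -match '^(rustdesk|anydesk)$') {
            $findings += [pscustomobject]@{
                Type   = 'Process'
                Name   = $p.ProcessName
                Author = ''
                Detail = $p.Path
            }
        }
    }
    return $findings
}

# Run from an elevated prompt so that tasks registered by other users are visible.
Find-HumanitarianBaitArtifacts | Format-Table -AutoSize
```

An empty table is not proof of a clean host; the same task can be re-registered under another name, so pair this hunt with Security event 4698 (scheduled task created) in centralized logging.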

From cyble.com