Cyble Research and Intelligence Labs reported an active cyberespionage campaign dubbed Operation HumanitarianBait that uses Russian-language humanitarian aid request themes to lure victims into opening a malicious .lnk file packaged inside a .rar archive. The shortcut launches PowerShell to decode obfuscated content, opens a decoy humanitarian aid PDF to distract the user, and silently installs a fileless, PE-less Python implant from GitHub Releases into a fake WindowsHelper directory under %APPDATA%. The Python payload is obfuscated with PyArmor v9.2 Pro to hinder analysis, and fetching it from GitHub Releases lets the download blend into legitimate developer traffic.
Once installed, the malware establishes persistence through VBScript launchers and a recurring Windows Scheduled Task, then conducts broad surveillance and theft. Reported capabilities include browser credential and cookie theft, keylogging, clipboard and screenshot capture, file theft, and Telegram session theft, with optional covert remote access through RustDesk or AnyDesk. Stolen data is exfiltrated to a live custom Flask-based command-and-control server at 159.198.41[.]140 on a Namecheap VPS, and researchers said the Russian-language lures suggest the operation is aimed at Russian-speaking individuals or organizations, including those tied to aid distribution, civil administration, or government functions.
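The chain above (LNK to PowerShell, VBScript launcher and scheduled task in a WindowsHelper directory under %APPDATA%, a Python interpreter running from there, connections to the C2) can be turned into a hunt over exported endpoint telemetry. The following is an added example written for this page, not code from the Cyble report or from Mallory. The Sysmon-like event schema (Host, Image, ParentImage, CommandLine, DestinationIp), the host names, the file names run.vbs and main.py, the task name Updater, the base64 blob, the WinRAR-as-parent case and all sample events are constructed for the example; the WindowsHelper path, the VBScript and scheduled-task persistence, the Python implant, RustDesk/AnyDesk and the C2 address 159.198.41.140 are taken from the report.

```python
"""Hunt for the Operation HumanitarianBait chain in exported endpoint telemetry.
Events are dicts with Sysmon-like keys (Host, Image, ParentImage, CommandLine,
DestinationIp); that schema is an assumption of this example."""
import re
from collections import defaultdict

# Reported indicator: the live Flask C2 on a Namecheap VPS.
C2_IPS = {"159.198.41.140"}
# Reported install location: a fake WindowsHelper directory under %APPDATA%.
WINDOWSHELPER = re.compile(r"\\AppData\\Roaming\\WindowsHelper\\", re.I)


def _image_is(ev, key, *names):
    """True if the path in ev[key] (Image or ParentImage) ends in one of names."""
    path = ev.get(key, "").lower()
    return any(path.endswith("\\" + n) for n in names)


def _cmd(ev):
    return ev.get("CommandLine", "")


def stage_lnk_powershell(ev):
    """Stage 1: the LNK launches PowerShell that decodes obfuscated content.
    Parent is Explorer, or WinRAR if the LNK is opened inside the archive (assumption)."""
    return (_image_is(ev, "Image", "powershell.exe", "pwsh.exe")
            and _image_is(ev, "ParentImage", "explorer.exe", "winrar.exe")
            and re.search(r"-e(nc|ncodedcommand)?\b|FromBase64String|-w(indowstyle)?\s+hidden",
                          _cmd(ev), re.I) is not None)


def stage_vbs_launcher(ev):
    """Persistence: a VBScript launcher run from the WindowsHelper directory."""
    return (_image_is(ev, "Image", "wscript.exe", "cscript.exe")
            and WINDOWSHELPER.search(_cmd(ev)) is not None
            and re.search(r"\.vbs\b", _cmd(ev), re.I) is not None)


def stage_scheduled_task(ev):
    """Persistence: schtasks /create whose action points into WindowsHelper."""
    return (_image_is(ev, "Image", "schtasks.exe")
            and re.search(r"/create\b", _cmd(ev), re.I) is not None
            and WINDOWSHELPER.search(_cmd(ev)) is not None)


def stage_python_implant(ev):
    """The implant: a Python interpreter running from, or running code in, WindowsHelper."""
    return (_image_is(ev, "Image", "python.exe", "pythonw.exe")
            and (WINDOWSHELPER.search(ev.get("Image", "")) is not None
                 or WINDOWSHELPER.search(_cmd(ev)) is not None))


def stage_c2_connection(ev):
    """Exfiltration: any connection to the reported C2 address."""
    return ev.get("DestinationIp") in C2_IPS


def stage_remote_access(ev):
    """Optional covert access: RustDesk or AnyDesk started by a script host or Python."""
    return (_image_is(ev, "Image", "rustdesk.exe", "anydesk.exe")
            and _image_is(ev, "ParentImage", "wscript.exe", "cscript.exe",
                          "python.exe", "pythonw.exe"))


STAGES = [stage_lnk_powershell, stage_vbs_launcher, stage_scheduled_task,
          stage_python_implant, stage_c2_connection, stage_remote_access]


def hunt(events):
    """Map each host to the set of stage names seen in its events."""
    hits = defaultdict(set)
    for ev in events:
        for stage in STAGES:
            if stage(ev):
                hits[ev["Host"]].add(stage.__name__)
    return dict(hits)


def triage(events, min_stages=2):
    """Hosts to escalate: any C2 contact, or at least min_stages distinct stages
    (a lone encoded PowerShell launch is too common to page on by itself)."""
    return sorted(host for host, stages in hunt(events).items()
                  if "stage_c2_connection" in stages or len(stages) >= min_stages)


# Constructed sample telemetry (not from the report): WS-017 shows the full chain,
# WS-042 is a developer box that uses Python and PowerShell legitimately.
WH_DIR = r"C:\Users\alice\AppData\Roaming\WindowsHelper"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"Host": "WS-017", "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"Host": "WS-017", "Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": PS,
     "CommandLine": 'schtasks /create /sc minute /mo 30 /tn Updater /tr "wscript.exe '
                    + WH_DIR + r'\run.vbs"'},
    {"Host": "WS-017", "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": 'wscript.exe "' + WH_DIR + r'\run.vbs"'},
    {"Host": "WS-017", "Image": WH_DIR + r"\python\pythonw.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": 'pythonw.exe "' + WH_DIR + r'\main.py"'},
    {"Host": "WS-017", "Image": WH_DIR + r"\python\pythonw.exe",
     "DestinationIp": "159.198.41.140", "DestinationPort": 80},
    {"Host": "WS-042", "Image": r"C:\Python312\python.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "python.exe build.py"},
    {"Host": "WS-042", "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-ChildItem"},
    {"Host": "WS-042", "Image": r"C:\Python312\python.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
]

if __name__ == "__main__":
    for host, stages in hunt(SAMPLE_EVENTS).items():
        print(host, sorted(stages))
    print("escalate:", triage(SAMPLE_EVENTS))
```

The single C2 address is the brittle part of this hunt; the behavioural stages (a script host or Python interpreter living under %APPDATA%\WindowsHelper, a scheduled task whose action points there) survive an infrastructure change, which is why triage counts distinct stages rather than relying on the IOC match alone.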

Cyble Research and Intelligence Labs reported an active cyberespionage campaign dubbed Operation HumanitarianBait that uses Russian-language humanitarian aid lures in phishing emails to deliver a malicious LNK file inside a RAR archive. The campaign installs a fileless, PE-less Python implant hosted on GitHub Releases, establishes persistence, steals credentials and other data, and communicates with a live C2 server at 159.198.41[.]140; attribution was not confirmed.
Sources (3 references tracked):
hackread.com
cybersecuritynews.com
cyble.com