
Cyble Research and Intelligence Labs identified this sophisticated attack, which relies on social engineering to establish persistent and covert access to victim systems.
The threat actors initiate the infection through phishing emails containing a malicious Windows shortcut file hidden within a RAR archive.
To exploit contextual trust, the attackers disguise this shortcut file as a Russian humanitarian aid request form, strongly suggesting the campaign specifically targets Russian-speaking individuals or organizations.
Python Infostealer Abuses GitHub
The attack executes a multi-stage infection process deliberately designed to evade automated analysis and security scanners.
When a victim opens the malicious shortcut file, PowerShell extracts and executes self-obfuscated content directly in the system's memory. This technique ensures the malware runs only when the original file is present, effectively bypassing traditional sandbox environments.
Following this initial access phase, the malware displays a decoy humanitarian aid document to the victim while silently building a self-contained Python environment in the background system folders.
To bypass network security tools, the threat actors retrieve the primary payload from GitHub Releases.
Storing the malicious Python implant on GitHub allows the download traffic to blend seamlessly with normal developer activity and legitimate software updates. The core implant is heavily obfuscated using PyArmor.
It operates as a fileless surveillance platform, executing without dropping traditional binary files onto the hard drive.
Once fully active, the infostealer extensively harvests sensitive data from the compromised machine.
The implant targets major web browsers to extract stored passwords and session cookies, logs keystrokes, monitors clipboard activity, and captures continuous desktop screenshots.
Furthermore, the malware exfiltrates local Telegram session directories, granting attackers unauthorized access to messaging accounts.
To ensure long-term control, the payload establishes persistence through a scheduled task named WindowsHelper.
It silently installs legitimate remote desktop applications such as TeamViewer or AnyDesk. This provides attackers with interactive remote access without generating a visible application window for the victim.
According to Cyble research, defending against Operation HumanitarianBait requires a combination of user vigilance and proactive endpoint monitoring.
Security teams should treat unsolicited compressed archives and shortcut files delivered via email with extreme caution, verifying the sender through trusted channels before interaction.
Enabling file extension visibility in Windows can help users identify malicious files disguised with misleading extensions.
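The behaviours described above translate into a small endpoint triage check. The following is an added example, not code from the Cyble report or Cyberpress: it walks constructed event records (scheduled-task creation, process starts with parent image and command line, file hashes) and flags the report's indicators. The event field names, the constructed sample events, and the heuristic that PowerShell launched with a .lnk path on its command line is suspicious are assumptions of this example; the task name and SHA-256 values come from the report.

```python
# Indicators taken from the report: persistence task name and file hashes.
WINDOWSHELPER_TASK = "WindowsHelper"
KNOWN_SHA256 = {
    "8a100cbdf79231e70cee2364ebd9a4433fda6b4de4929d705f26f7b68d6aeb79": "initial LNK dropper",
    "9be61c95056fd6b63565cf51a196f2615f5360c0a42e616b2a618473e9d60a21": "RAR archive",
    "a5b782901829861a6f458db404e8ec1a99c65a48393525e681742bb2a5db454d": "module.pyw stealer/RAT",
}
REMOTE_TOOLS = ("teamviewer", "anydesk")          # installed silently by the implant
SCRIPT_HOSTS = ("powershell.exe", "python.exe", "pythonw.exe")


def triage(events):
    """Return (host, finding) tuples for events matching the report's TTPs.

    Event schema is an assumption of this example, loosely modelled on
    Windows Security 4698 (task created) and Sysmon process-creation fields.
    """
    findings = []
    for e in events:
        host, kind = e.get("host", "?"), e.get("type")
        if kind == "task_created":
            name = e.get("task_name", "").strip("\\")
            if name.lower() == WINDOWSHELPER_TASK.lower():
                findings.append((host, "persistence: scheduled task " + name))
        elif kind == "file_hash":
            label = KNOWN_SHA256.get(e.get("sha256", "").lower())
            if label:
                findings.append((host, "known IoC: " + label))
        elif kind == "process_start":
            image = e.get("image", "").lower()
            parent = e.get("parent", "").lower()
            cmd = e.get("cmdline", "").lower()
            # Heuristic (assumption): the LNK stage runs PowerShell with the shortcut itself as input.
            if image.endswith("powershell.exe") and ".lnk" in cmd:
                findings.append((host, "suspicious: PowerShell launched with a .lnk path"))
            elif any(t in image for t in REMOTE_TOOLS) and parent.endswith(SCRIPT_HOSTS):
                findings.append((host, "remote access tool spawned by script interpreter: " + image))
    return findings


# Constructed sample telemetry (not real data): one infected host, one clean-looking host.
SAMPLE_EVENTS = [
    {"host": "ws-01", "type": "process_start", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell -WindowStyle Hidden ... C:\\Users\\u\\AppData\\Local\\Temp\\zayavka.lnk"},
    {"host": "ws-01", "type": "task_created", "task_name": "\\WindowsHelper"},
    {"host": "ws-01", "type": "process_start", "parent": "C:\\Users\\u\\AppData\\Local\\py\\pythonw.exe",
     "image": "C:\\Users\\u\\AppData\\Roaming\\AnyDesk.exe", "cmdline": "AnyDesk.exe"},
    {"host": "ws-02", "type": "task_created", "task_name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"},
    {"host": "ws-02", "type": "file_hash", "sha256": "A5B782901829861A6F458DB404E8EC1A99C65A48393525E681742BB2A5DB454D"},
]

if __name__ == "__main__":
    for host, finding in triage(SAMPLE_EVENTS):
        print(host, finding)
```

Hash comparison is case-insensitive and the task name tolerates the leading backslash that Windows task paths carry, so the same check works on exported event logs.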
Indicators of Compromise
| Indicator Type | Indicator | Description |
|---|---|---|
| SHA-256 | 8a100cbdf79231e70cee2364ebd9a4433fda6b4de4929d705f26f7b68d6aeb79 | Initial LNK dropper file |
| SHA-256 | 9be61c95056fd6b63565cf51a196f2615f5360c0a42e616b2a618473e9d60a21 | Dementyeva_Anna_Vasilyevna_zayavka_gumanitarnayapomosch.rar |
| SHA-256 | a5b782901829861a6f458db404e8ec1a99c65a48393525e681742bb2a5db454d | module.pyw – packed Python stealer/RAT |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
The post Python Infostealer Uses GitHub Releases To Bypass Security Tools appeared first on Cyber Security News.
