Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
JetBrains Patches 6 Vulnerabilities in TeamCity, YouTrack, IntelliJ IDEA
July 16, 2026
WhatsApp GhostPairing Flaw Lets Attackers Hijack Accounts
July 16, 2026
Flipper Zero Add-On Detects Skimmers with Specter Tool
July 16, 2026
Home/Threats/New Infostealer Attacks Use GitHub Releases for Evasion
Threats

New Infostealer Attacks Use GitHub Releases for Evasion

Key Takeaways A new cyberespionage campaign, dubbed “HumanitarianBait,” uses phishing emails and GitHub Releases to distribute a sophisticated Python-based infostealer. The attackers...

David kimber
David kimber
May 8, 2026 4 Min Read
47 0

Key Takeaways

  • A new cyberespionage campaign, dubbed “HumanitarianBait,” uses phishing emails and GitHub Releases to distribute a sophisticated Python-based infostealer.
  • The attackers leverage GitHub’s trusted reputation by hosting malicious payloads in the less-scrutinized “Releases” section of a seemingly legitimate account.
  • The multi-stage infection chain deploys a persistent surveillance platform capable of exfiltrating sensitive data, including browser credentials, keystrokes, and Telegram sessions, and establishing remote desktop access.
  • The campaign primarily targets Russian-speaking individuals, using lures disguised as humanitarian aid requests.

Sophisticated Infostealer Campaign Leverages GitHub Releases for Evasion

A recently identified cyberespionage operation is employing an ingenious tactic to circumvent conventional security measures, masquerading malicious software as a plea for humanitarian aid while strategically concealing its true payload on GitHub. This campaign, named “HumanitarianBait” by researchers, demonstrates a level of sophistication that belies its seemingly straightforward lure.

Table Of Content

  • Key Takeaways
  • Sophisticated Infostealer Campaign Leverages GitHub Releases for Evasion
  • Initial Infection Vector and Evasion Tactics
  • GitHub Releases: A Covert Payload Hosting Strategy
  • Multi-Stage Infection and Persistent Surveillance
  • What You Should Do

Initial Infection Vector and Evasion Tactics

The attack commences with a phishing email containing a RAR archive. Inside this archive resides a Windows shortcut (LNK) file, deceptively presented as a form for requesting Russian-language humanitarian assistance. Upon execution by the victim, the infection sequence quietly initiates in the background, simultaneously displaying a convincing, benign document to deflect suspicion. Analysts at Cyble Research and Intelligence Labs, who uncovered this campaign, highlighted the significant effort invested by the threat actor to make the attack appear routine and blend into normal user activity.

A crucial element of the attacker’s strategy involves utilizing GitHub, a platform widely regarded as secure by most security tools, for hosting and delivering the malicious payload. This choice allows harmful downloads to blend seamlessly with legitimate developer traffic, making detection considerably more challenging for network monitoring solutions.

GitHub Releases: A Covert Payload Hosting Strategy

The malware deploys a Python-based implant designed to operate without leaving a traditional executable file on the compromised system. Once established, it functions as a comprehensive surveillance platform, silently collecting browser passwords, session cookies, keystrokes, clipboard contents, screenshots, Telegram session data, and other sensitive files from the victim’s machine.

While definitive attribution for the “HumanitarianBait” campaign remains elusive, the use of Russian-language lures and the humanitarian aid theme strongly suggest that the intended targets are Russian-speaking individuals.

One of the most deliberate decisions in this campaign is the method of payload storage. Rather than placing the malicious files directly within a GitHub repository, which is frequently scanned by automated systems, the attacker uploaded them to the GitHub Releases section of a carefully curated account. Release artifacts typically receive less automated scrutiny, and updates can be pushed without generating a visible commit history, further aiding in stealth.

Compounding the evasion, the same GitHub account hosts entirely legitimate files, including a Python runtime installer and a standard pip setup file. This creates an environment where all downloads from the account appear to be normal developer activity, even to advanced network monitoring tools.

The primary payload file, named data.zip, has been observed being republished repeatedly with altered hash values, indicating active maintenance and updates to the campaign by the threat actor. The payload itself is further protected using PyArmor v9.2 Pro, a commercial obfuscation tool that renders the Python code highly resistant to static analysis and decompilation efforts.

Multi-Stage Infection and Persistent Surveillance

The infection chain is meticulously constructed in several stages. Following the execution of the LNK file, PowerShell reads obfuscated content embedded at a specific offset within the shortcut file and executes it directly in memory. This anti-sandbox technique ensures the malware will not run if the original file is missing, allowing it to appear clean during automated analysis.

Subsequently, the malware constructs a self-contained Python environment within the user’s AppData folder, a location that does not require administrator privileges. This directory is misleadingly named “WindowsHelper” to mimic a legitimate Windows component. Two VBScript launchers are then used to run the payload silently, and a Windows Scheduled Task is created to ensure the implant automatically restarts every few minutes, maintaining persistence even after system reboots.

Beyond its data collection capabilities, the implant can covertly download and install legitimate remote desktop software such as RustDesk or AnyDesk, granting the attacker live remote access without any visible window appearing on the victim’s screen. All exfiltrated data is transmitted to a command-and-control (C2) server hosted on a commercial Virtual Private Server (VPS) provider, which was confirmed to be active as of May 2026.

What You Should Do

  • Exercise Caution with Email Attachments: Treat unexpected compressed files (e.g., RAR, ZIP) and shortcut attachments (LNK files) in emails with extreme suspicion, especially if they claim to be humanitarian aid requests or come from unknown senders.
  • Enable File Extensions: Configure Windows to always show file extensions. This helps identify malicious files disguised with misleading names (e.g., document.pdf.lnk instead of document.pdf).
  • Monitor Scheduled Tasks: Regularly audit Windows Scheduled Tasks for any unfamiliar or suspicious entries, particularly those set to run from user-space directories like AppData.
  • Monitor Scripting Tool Activity: Implement monitoring for scripting tools (like PowerShell or Python) executing from unusual locations, especially user-writable directories.
  • Implement Endpoint Detection and Response (EDR): Utilize EDR solutions to detect and respond to suspicious behaviors, such as the creation of new scheduled tasks or unusual process execution chains.
  • Educate Users: Conduct regular cybersecurity awareness training to educate users about phishing tactics, social engineering, and the dangers of opening unknown attachments.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackMalwarephishingSecurityThreat

Share Article

David kimber

David kimber

David is a penetration tester turned security journalist with expertise in mobile security, IoT vulnerabilities, and exploit development. As an OSCP-certified security professional, David brings hands-on technical experience to his reporting on vulnerabilities and security research. His articles often feature detailed technical analysis of exploits and provide actionable defense recommendations. David maintains an active presence in the security research community and has contributed to multiple open-source security tools.

Previous Post

Logitech G HUB Critical Flaw Lets Attackers Deploy Banking Trojan

Next Post

Facial Recognition Bypass: Fake Moustache Tricks Age Verification

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Critical Zoom Windows Flient Flaw Lets Attackers Take Over Accounts via Network
July 16, 2026
TuxBot v3 IoT Botnet Hijacks Devices, Launches DDoS Attacks with LLM Code
July 16, 2026
Critical Windows Bug Lets Attackers Access SYSTEM Shell Without Credentials
July 16, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Emy Elsamnoudy
Emy Elsamnoudy
Jennifer sherman
Jennifer sherman
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us