New Infostealer Attacks Use GitHub Releases for Evasion
Key Takeaways A new cyberespionage campaign, dubbed “HumanitarianBait,” uses phishing emails and GitHub Releases to distribute a sophisticated Python-based infostealer. The attackers...
Key Takeaways
- A new cyberespionage campaign, dubbed “HumanitarianBait,” uses phishing emails and GitHub Releases to distribute a sophisticated Python-based infostealer.
- The attackers leverage GitHub’s trusted reputation by hosting malicious payloads in the less-scrutinized “Releases” section of a seemingly legitimate account.
- The multi-stage infection chain deploys a persistent surveillance platform capable of exfiltrating sensitive data, including browser credentials, keystrokes, and Telegram sessions, and establishing remote desktop access.
- The campaign primarily targets Russian-speaking individuals, using lures disguised as humanitarian aid requests.
Sophisticated Infostealer Campaign Leverages GitHub Releases for Evasion
A recently identified cyberespionage operation is employing an ingenious tactic to circumvent conventional security measures, masquerading malicious software as a plea for humanitarian aid while strategically concealing its true payload on GitHub. This campaign, named “HumanitarianBait” by researchers, demonstrates a level of sophistication that belies its seemingly straightforward lure.
Table Of Content
Initial Infection Vector and Evasion Tactics
The attack commences with a phishing email containing a RAR archive. Inside this archive resides a Windows shortcut (LNK) file, deceptively presented as a form for requesting Russian-language humanitarian assistance. Upon execution by the victim, the infection sequence quietly initiates in the background, simultaneously displaying a convincing, benign document to deflect suspicion. Analysts at Cyble Research and Intelligence Labs, who uncovered this campaign, highlighted the significant effort invested by the threat actor to make the attack appear routine and blend into normal user activity.
A crucial element of the attacker’s strategy involves utilizing GitHub, a platform widely regarded as secure by most security tools, for hosting and delivering the malicious payload. This choice allows harmful downloads to blend seamlessly with legitimate developer traffic, making detection considerably more challenging for network monitoring solutions.
GitHub Releases: A Covert Payload Hosting Strategy
The malware deploys a Python-based implant designed to operate without leaving a traditional executable file on the compromised system. Once established, it functions as a comprehensive surveillance platform, silently collecting browser passwords, session cookies, keystrokes, clipboard contents, screenshots, Telegram session data, and other sensitive files from the victim’s machine.
While definitive attribution for the “HumanitarianBait” campaign remains elusive, the use of Russian-language lures and the humanitarian aid theme strongly suggest that the intended targets are Russian-speaking individuals.
One of the most deliberate decisions in this campaign is the method of payload storage. Rather than placing the malicious files directly within a GitHub repository, which is frequently scanned by automated systems, the attacker uploaded them to the GitHub Releases section of a carefully curated account. Release artifacts typically receive less automated scrutiny, and updates can be pushed without generating a visible commit history, further aiding in stealth.
Compounding the evasion, the same GitHub account hosts entirely legitimate files, including a Python runtime installer and a standard pip setup file. This creates an environment where all downloads from the account appear to be normal developer activity, even to advanced network monitoring tools.
The primary payload file, named data.zip, has been observed being republished repeatedly with altered hash values, indicating active maintenance and updates to the campaign by the threat actor. The payload itself is further protected using PyArmor v9.2 Pro, a commercial obfuscation tool that renders the Python code highly resistant to static analysis and decompilation efforts.
Multi-Stage Infection and Persistent Surveillance
The infection chain is meticulously constructed in several stages. Following the execution of the LNK file, PowerShell reads obfuscated content embedded at a specific offset within the shortcut file and executes it directly in memory. This anti-sandbox technique ensures the malware will not run if the original file is missing, allowing it to appear clean during automated analysis.
Subsequently, the malware constructs a self-contained Python environment within the user’s AppData folder, a location that does not require administrator privileges. This directory is misleadingly named “WindowsHelper” to mimic a legitimate Windows component. Two VBScript launchers are then used to run the payload silently, and a Windows Scheduled Task is created to ensure the implant automatically restarts every few minutes, maintaining persistence even after system reboots.
Beyond its data collection capabilities, the implant can covertly download and install legitimate remote desktop software such as RustDesk or AnyDesk, granting the attacker live remote access without any visible window appearing on the victim’s screen. All exfiltrated data is transmitted to a command-and-control (C2) server hosted on a commercial Virtual Private Server (VPS) provider, which was confirmed to be active as of May 2026.
What You Should Do
- Exercise Caution with Email Attachments: Treat unexpected compressed files (e.g., RAR, ZIP) and shortcut attachments (LNK files) in emails with extreme suspicion, especially if they claim to be humanitarian aid requests or come from unknown senders.
- Enable File Extensions: Configure Windows to always show file extensions. This helps identify malicious files disguised with misleading names (e.g.,
document.pdf.lnkinstead ofdocument.pdf). - Monitor Scheduled Tasks: Regularly audit Windows Scheduled Tasks for any unfamiliar or suspicious entries, particularly those set to run from user-space directories like
AppData. - Monitor Scripting Tool Activity: Implement monitoring for scripting tools (like PowerShell or Python) executing from unusual locations, especially user-writable directories.
- Implement Endpoint Detection and Response (EDR): Utilize EDR solutions to detect and respond to suspicious behaviors, such as the creation of new scheduled tasks or unusual process execution chains.
- Educate Users: Conduct regular cybersecurity awareness training to educate users about phishing tactics, social engineering, and the dangers of opening unknown attachments.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.