Operation HumanitarianBait: An Infostealer Campaign in Disguise

Cyble reports Operation HumanitarianBait, a covert espionage campaign that uses Russian-language humanitarian aid lures to deliver a fileless Python-based infostealer through malicious LNK files and trusted platforms like GitHub Releases. The malware collects browser credentials, cookies, keystrokes, clipboard data, screenshots, Telegram sessions, and files while maintaining persistence via Windows Scheduled Tasks and enabling silent remote access through RustDesk or AnyDesk. #OperationHumanitarianBait #GitHubReleases #RustDesk #AnyDesk #PyArmor

Keypoints

  • The campaign uses phishing emails with a malicious LNK file hidden inside a RAR archive.
  • Russian-language humanitarian aid documents and a survey-based lure are used to build trust and increase click-through.
  • The infection chain deploys a fileless, Python-based implant while showing the victim a decoy PDF.
  • The payload is hosted on GitHub Releases and protected with PyArmor to reduce detection and analysis.
  • The implant steals browser passwords, session cookies, keystrokes, clipboard contents, screenshots, Telegram data, and selected files.
  • Persistence is maintained with a Windows Scheduled Task and silent VBScript launchers.
  • RustDesk and AnyDesk are abused to provide the attacker with covert remote desktop access.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – The attack is delivered through a malicious archive attachment containing a shortcut file, using a lure about aid requests (‘Malicious LNK file inside a RAR archive, delivered as a Russian-language humanitarian aid’).
  • [T1204.002] User Execution: Malicious File – Infection starts when the victim opens the LNK file and triggers the chain (‘The victim must open the LNK file to trigger the infection chain’).
  • [T1059.001] Command and Scripting Interpreter: PowerShell – PowerShell extracts obfuscated content from the shortcut and executes it in memory (‘PowerShell reads content from a specific offset within the LNK file and executes the obfuscated payload’).
  • [T1059.005] Command and Scripting Interpreter: VBScript – Silent VBScript launchers start the payload without visible windows (‘run.vbs and launch_module.vbs silently invoke the Python payload with no visible window’).
  • [T1059.006] Command and Scripting Interpreter: Python – The main surveillance implant is written in Python and launched with pythonw.exe (‘Core surveillance implant written in Python, executed via windowless pythonw.exe’).
  • [T1053.005] Scheduled Task/Job: Scheduled Task – A Windows task named WindowsHelper keeps the implant persistent across reboots (‘WindowsHelper scheduled task fires every 5 minutes indefinitely and survives system reboots’).
  • [T1027.002] Obfuscated Files or Information: Software Packing – PyArmor is used to pack and obscure the payload to hinder static analysis (‘Python payload packed with PyArmor v9.2 Pro to resist static analysis and decompilation’).
  • [T1036.005] Masquerading: Match Legitimate Name or Location – The malware hides under a legitimate-looking directory name to blend in (‘WindowsHelper directory name mimics a legitimate Windows system component’).
  • [T1105] Ingress Tool Transfer – The payload is downloaded at runtime from GitHub Releases to abuse trusted infrastructure (‘Payload (data.zip) downloaded at runtime from GitHub Releases, abusing trusted infrastructure’).
  • [T1555.003] Credentials from Password Stores: Credentials from Web Browsers – Stored passwords and cookies are extracted from multiple browsers (‘Collects stored passwords and cookies from Chrome, Edge, Brave, Opera, Yandex Browser, and Firefox’).
  • [T1539] Steal Web Session Cookie – Session cookies are specifically collected from the victim browser profiles (‘Session cookies collected’).
  • [T1552.001] Unsecured Credentials: Credentials in Files – The malware scans for files containing private-key-like hexadecimal strings (‘Scans for files containing 64-character hex strings consistent with private keys’).
  • [T1056.001] Input Capture: Keylogging – Keystrokes are recorded continuously for later upload (‘The keyboard library captures all keystrokes continuously and stores them for upload’).
  • [T1115] Clipboard Data – Clipboard contents are monitored in real time to steal copied secrets (‘pyperclip monitors and collects clipboard contents in real time’).
  • [T1113] Screen Capture – Continuous screenshots are taken and archived for exfiltration (‘mss library takes continuous desktop screenshots and archives’).
  • [T1005] Data from Local System – The implant recursively scans user directories to collect high-value local files (‘A selective recursive scan collects documents and configuration files from user directories’).
  • [T1071.001] Application Layer Protocol: Web Protocols – Collected data is uploaded over HTTP to the attacker’s server (‘HTTP used to upload all collected data to the C2 server at 159.198.41[.]140’).
  • [T1219] Remote Access Software – RustDesk and AnyDesk are silently installed for covert interactive access (‘RustDesk and AnyDesk are silently installed for persistent interactive remote desktop access’).
  • [T1041] Exfiltration Over C2 Channel – Data is batched and sent to the attacker-controlled server over the command-and-control channel (‘All collected data was uploaded to the attacker-controlled C2 server in batched archives’).
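The execution and persistence chain listed above (PowerShell reading its LNK carrier, the run.vbs/launch_module.vbs launchers, the windowless pythonw.exe implant, the WindowsHelper scheduled task and directory, and RustDesk/AnyDesk spawned by a script host) can be hunted for in process-creation telemetry. The following is an added example, not code from Cyble or the report: it runs simple rules over constructed Sysmon-style Event ID 1 records; the file paths, the schtasks invocation and the RustDesk install flag in the sample are illustrative assumptions, only the file, task and directory names come from the report.

```python
import ntpath

# Constructed Sysmon-style process-creation events (Event ID 1). Paths, the
# schtasks command and the "--silent-install" flag are illustrative guesses;
# only run.vbs, launch_module.vbs, module.pyw and WindowsHelper come from the report.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -w hidden -c "... C:\Users\ivan\Downloads\aid_request.lnk ..."'},
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe //B C:\Users\ivan\AppData\Local\WindowsHelper\run.vbs"},
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Users\ivan\AppData\Local\Programs\Python\Python312\pythonw.exe",
     "CommandLine": r"pythonw.exe C:\Users\ivan\AppData\Local\WindowsHelper\module.pyw"},
    {"ParentImage": r"C:\Users\ivan\AppData\Local\Programs\Python\Python312\pythonw.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn WindowsHelper /sc minute /mo 5 /tr "wscript.exe //B C:\Users\ivan\AppData\Local\WindowsHelper\launch_module.vbs"'},
    {"ParentImage": r"C:\Users\ivan\AppData\Local\Programs\Python\Python312\pythonw.exe",
     "Image": r"C:\Users\ivan\AppData\Local\Temp\rustdesk.exe",
     "CommandLine": r"rustdesk.exe --silent-install"},
    {"ParentImage": r"C:\Windows\explorer.exe",      # benign control event
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'},
]

SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "pythonw.exe", "python.exe"}
RAT_BINARIES = {"rustdesk.exe", "anydesk.exe"}
LAUNCHERS = {"run.vbs", "launch_module.vbs"}

def _base(path):
    return ntpath.basename(path).lower()

def classify(ev):
    """Return the report's MITRE technique IDs that a single event matches."""
    img, parent, cmd = _base(ev["Image"]), _base(ev["ParentImage"]), ev["CommandLine"].lower()
    hits = []
    if img == "powershell.exe" and ".lnk" in cmd:
        hits.append("T1059.001")   # PowerShell handed a shortcut file to read from
    if img in {"wscript.exe", "cscript.exe"} and any(n in cmd for n in LAUNCHERS):
        hits.append("T1059.005")   # silent VBScript launchers named in the report
    if img == "pythonw.exe" and "module.pyw" in cmd:
        hits.append("T1059.006")   # windowless Python implant
    if img == "schtasks.exe" and "/create" in cmd and "windowshelper" in cmd:
        hits.append("T1053.005")   # WindowsHelper scheduled task creation
    if "\\windowshelper\\" in cmd:
        hits.append("T1036.005")   # WindowsHelper directory masquerading as a system component
    if img in RAT_BINARIES and parent in SCRIPT_HOSTS:
        hits.append("T1219")       # remote access tool launched by a script interpreter
    return hits

def hunt(events):
    """Map each matched technique to the indexes of the events that triggered it."""
    out = {}
    for i, ev in enumerate(events):
        for t in classify(ev):
            out.setdefault(t, []).append(i)
    return out
```

The rules are intentionally narrow (the report's own names) so they stay low-noise; the parent-process condition on the RAT rule is what separates this chain from a user installing RustDesk or AnyDesk legitimately.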

Indicators of Compromise

  • [SHA-256] Initial LNK dropper and packed payload samples – 8a100cbdf79231e70cee2364ebd9a4433fda6b4de4929d705f26f7b68d6aeb79, a5b782901829861a6f458db404e8ec1a99c65a48393525e681742bb2a5db454d
  • [SHA-256] Malicious archive and related release artifact – 9be61c95056fd6b63565cf51a196f2615f5360c0a42e616b2a618473e9d60a21, and 1 other item
  • [URL] Lure PDF and survey lure – hxxp://159.198.41[.]140/static/builder/lnk_uploads/invo[.]pdf, hxxp://159.198.41.140/test/index.php?r=survey/index&sid=936926&newtest=Y&lang=ru%22
  • [URL] C2 and payload hosting – hxxps://github.com/leravalera2/dtfls/releases/download/dtfls/data.zip, hxxp://159.198.41[.]140
  • [File name] Delivered and persistent components – run.vbs, launch_module.vbs, module.pyw, inventory_state.db


Read more: https://cyble.com/blog/operation-humanitarianbait-infostealer-campaign/