Operation HumanitarianBait Uses Fake Aid Documents to Deploy Python Spyware

A new Python spyware campaign dubbed Operation HumanitarianBait is currently targeting Russian speakers by weaponizing the very documents meant to help them. This discovery, made by Cyble Research and Intelligence Labs (CRIL), shows that cybercriminals are making clever use of trusted web services to hide a powerful surveillance tool and using the guise of Russian humanitarian aid efforts to infect systems with it.

Infection Chain and Delivery Methods

According to researchers, the campaign is currently active as of May 2026. The attack starts with sending phishing emails containing a RAR archive, inside which is a malicious LNK file (SHA-256: 8a100cbdf79231e70cee2364ebd9a4433fda6b4de4929d705f26f7b68d6aeb79).

This isn’t a simple shortcut because it contains hidden code that PowerShell extracts and runs in memory. With this anti-sandbox technique, the hackers ensure the malware stays inert when being tested by automated security scanners.

“This is a deliberate anti-sandbox technique, as the malware will not execute if the ...