Operation HumanitarianBait Uses Fake Aid Documents to Deploy Python Spyware
ID: d09b5e38-a6ff-5fae-8e6c-130c9cd7cc4c
STIX ID: report--d09b5e38-a6ff-5fae-8e6c-130c9cd7cc4c
Feed Name: HackRead
Operation HumanitarianBait is an active Python-based spyware campaign targeting Russian speakers. It is delivered through phishing RAR attachments containing malicious LNK files that launch an in-memory, fileless payload hosted via GitHub Releases. The implant exfiltrates browser and Telegram credentials, scans for crypto keys, logs keystrokes, captures screenshots, installs remote-access tools, and persists via a Windows Scheduled Task. It communicates with C2 infrastructure (e.g., 159.198.41.140) hosted on Namecheap.
