
Cybersecurity researchers have identified a targeted espionage-style malware campaign that uses GitHub Releases to conceal payload delivery, combining phishing, trusted cloud infrastructure and a fileless Python implant to steal sensitive data from Windows systems.
The operation, tracked as Operation HumanitarianBait, begins with phishing emails carrying a malicious Windows shortcut file inside a RAR archive. The lure is built around Russian-language humanitarian aid material, including what appears to be an application form for assistance. Once opened, the shortcut launches a hidden infection chain while showing the victim a decoy document to reduce suspicion.
The campaign reflects a wider shift in malware delivery, where attackers rely less on obviously suspicious infrastructure and more on legitimate platforms that are common in enterprise traffic. GitHub, widely used by software developers and technology teams, becomes a convenient hiding place because downloads from the platform can appear routine to network monitoring systems. In this case, the malicious payload is stored as a release asset rather than visible source code, allowing operators to update it repeatedly while limiting scrutiny.
The first-stage LNK file is unusually large for a shortcut because it carries embedded, obfuscated content. PowerShell extracts and executes this content from within the file, a method designed to frustrate automated analysis. If the original shortcut is not present on disk, parts of the chain may fail to execute, reducing the chance that sandbox systems will observe the full behaviour.
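The two traits described above, a shortcut that is far larger than it should be and a command line that reads a stage back out of the .lnk on disk, can both be checked without executing anything. The following triage script is an added example written for this page, not tooling from the researchers or the article: it walks the documented MS-SHLLINK structures (header, optional ID list and LinkInfo, the StringData entries, the ExtraData chain) to the terminal block and measures how many bytes follow it, since that overlay is where appended content hides while Explorer still treats the file as a valid shortcut. The 64 KiB size threshold and the command-line keywords are assumptions, and both sample files are constructed here for the demonstration.

```python
import struct
from dataclasses import dataclass, field

# Constants from MS-SHLLINK: fixed 76-byte header and the shell-link CLSID
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

FLAG_HAS_IDLIST = 0x01
FLAG_HAS_LINKINFO = 0x02
FLAG_HAS_NAME = 0x04
FLAG_HAS_RELPATH = 0x08
FLAG_HAS_WORKDIR = 0x10
FLAG_HAS_ARGS = 0x20
FLAG_HAS_ICON = 0x40
FLAG_IS_UNICODE = 0x80

# Assumed threshold: genuine shortcuts are a few KiB, so anything above this deserves a look
SIZE_THRESHOLD = 64 * 1024


@dataclass
class LnkTriage:
    total_size: int
    parsed_size: int      # bytes consumed by the documented LNK structures
    overlay_size: int     # bytes appended after the terminal ExtraData block
    relative_path: str
    arguments: str
    indicators: list = field(default_factory=list)


def _read_string(buf, off, is_unicode):
    """Read one StringData entry: CountCharacters (2 bytes) followed by the characters."""
    (count,) = struct.unpack_from("<H", buf, off)
    off += 2
    if is_unicode:
        return buf[off:off + 2 * count].decode("utf-16-le", errors="replace"), off + 2 * count
    return buf[off:off + count].decode("latin-1"), off + count


def triage_lnk(buf, size_threshold=SIZE_THRESHOLD):
    """Parse the shell link far enough to measure trailing data and inspect the command line."""
    if len(buf) < HEADER_SIZE or buf[:4] != struct.pack("<I", HEADER_SIZE) or buf[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    (flags,) = struct.unpack_from("<I", buf, 20)
    is_unicode = bool(flags & FLAG_IS_UNICODE)
    off = HEADER_SIZE
    if flags & FLAG_HAS_IDLIST:                      # LinkTargetIDList: 2-byte size + items
        (id_size,) = struct.unpack_from("<H", buf, off)
        off += 2 + id_size
    if flags & FLAG_HAS_LINKINFO:                    # LinkInfo: size-prefixed (4 bytes) structure
        (li_size,) = struct.unpack_from("<I", buf, off)
        off += li_size
    strings = {}
    for name, flag in (("name", FLAG_HAS_NAME), ("relative_path", FLAG_HAS_RELPATH),
                       ("working_dir", FLAG_HAS_WORKDIR), ("arguments", FLAG_HAS_ARGS),
                       ("icon", FLAG_HAS_ICON)):
        if flags & flag:
            strings[name], off = _read_string(buf, off, is_unicode)
    # ExtraData is a chain of size-prefixed blocks; a size below 4 is the terminal block.
    # Whatever follows it is an overlay Explorer ignores but a loader can read back.
    while off + 4 <= len(buf):
        (block_size,) = struct.unpack_from("<I", buf, off)
        if block_size < 4:
            off += 4
            break
        off += block_size
    off = min(off, len(buf))                         # guard against a corrupt block size
    rel = strings.get("relative_path", "")
    args = strings.get("arguments", "")
    result = LnkTriage(len(buf), off, len(buf) - off, rel, args)
    lowered = f"{rel} {args}".lower()
    if result.total_size > size_threshold:
        result.indicators.append("oversized")
    if result.overlay_size > 0:
        result.indicators.append("trailing_overlay")
    if "powershell" in lowered or "pwsh" in lowered:
        result.indicators.append("launches_powershell")
    if "hidden" in args.lower():
        result.indicators.append("hidden_window")
    if ".lnk" in args.lower():                       # the chain re-reads the shortcut itself
        result.indicators.append("reads_lnk_from_disk")
    return result


def build_sample_lnk(relative_path, arguments="", overlay=b""):
    """Construct a minimal Unicode shell link (test data for this example, not a real sample)."""
    flags = FLAG_IS_UNICODE | FLAG_HAS_RELPATH | (FLAG_HAS_ARGS if arguments else 0)
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (HEADER_SIZE - len(header))  # attributes, timestamps, reserved fields

    def string_data(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    body = string_data(relative_path) + (string_data(arguments) if arguments else b"")
    return header + body + b"\x00" * 4 + overlay     # four zero bytes = terminal ExtraData block


# Constructed inputs: an oversized shortcut with a PowerShell stub and an appended blob,
# beside an ordinary shortcut to notepad.
MALICIOUS_SAMPLE = build_sample_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    '-w hidden -c "<constructed placeholder that re-reads the .lnk>"',
    overlay=b"\x90" * 200_000,
)
BENIGN_SAMPLE = build_sample_lnk(r"..\..\Windows\notepad.exe")

if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        t = triage_lnk(sample)
        print(label, t.total_size, "bytes, overlay", t.overlay_size, t.indicators)
```

The overlay measurement is the useful part for mail-gateway or sandbox triage: a shortcut whose parsed structures end tens or hundreds of kilobytes before the file does is carrying something that no shortcut feature needs, regardless of how the command line is obfuscated.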
After execution, the malware creates a self-contained Python environment in the user’s AppData directory under the name WindowsHelper, a label chosen to resemble a legitimate system component. The installation does not require administrator privileges, making it suitable for attacks against standard user accounts. The implant uses Python’s embedded distribution and supporting tools to run silently through pythonw.exe, avoiding a visible console window.
The main payload, delivered as a compressed file from GitHub Releases, is protected with PyArmor, a commercial obfuscation tool used to make Python bytecode harder to analyse. The same repository also hosts clean components such as the Python runtime and installer files, creating a mixed delivery chain in which malicious and legitimate downloads are pulled from the same trusted platform.
Persistence is established through Windows Task Scheduler. A task named WindowsHelper is configured to run at short intervals and survive reboot, giving the attacker steady access even after the victim restarts the machine. Silent VBScript launchers are used to invoke the payload without displaying windows, reinforcing the campaign’s low-visibility approach.
Once installed, the implant acts as a surveillance and theft platform. It targets stored browser passwords and cookies from Chrome, Edge, Brave, Opera, Yandex Browser and Firefox. It also captures session cookies, keystrokes, clipboard contents and screenshots. The malware scans local files for sensitive material, including documents, configuration files and strings that resemble private keys. Telegram session data is among the material sought, indicating an interest in both personal and organisational communications.
The malware also supports covert remote access through legitimate remote desktop tools such as RustDesk and AnyDesk. By installing widely used software rather than relying only on custom remote-access malware, the operators increase their chances of blending into normal endpoint activity. This technique gives attackers interactive control of infected systems and may allow follow-on activity beyond data theft.
Infrastructure observed in the campaign includes a command-and-control server used to deliver lures and receive stolen data in batches. The presence of multiple lure types, including a survey-themed variant, suggests that the operator is testing or adapting delivery methods rather than running a static one-off campaign. The Russian-language content points to Russian-speaking individuals or entities as likely targets, though firm attribution has not been established.
The operation fits a broader pattern in which attackers weaponise developer platforms, cloud services and collaboration tools for malware staging. GitHub repositories, GitHub Pages, npm packages, Hugging Face repositories and other trusted services have all been abused in separate malware campaigns to host payloads, redirect victims or exfiltrate data. The common objective is to exploit user and network trust while reducing the cost of maintaining attacker-controlled infrastructure.
Follow Arabian Post