
Operating between November 2025 and February 2026, the threat actors deployed the publicly available AsyncRAT backdoor to compromise networks and maintain persistent access.
Given the strategic nature of the targeted organizations and the malware’s intelligence-gathering capabilities, security researchers suspect this activity may be the work of a state-sponsored actor.
The targeting of a major oil producer is especially notable, as it predates recent geopolitical escalations in the Gulf region that have disrupted global energy markets.
The Attack Chain and Methodology
The campaign relied heavily on social engineering, with spear-phishing emails as the primary infection vector. The attackers used highly specific lure documents designed to exploit interest in Libyan current affairs.
One prominent example was a file named “Leaked CCTV footage – Saif al-Gaddafi’s assassination.gz,” which referenced the actual assassination of a major political figure that occurred in early February 2026.
This localized context strongly indicates that the campaign was a carefully planned, targeted operation rather than an opportunistic attack.
When a victim opened the lure, a VBScript downloader with a similarly topical filename was executed.
These downloaders retrieved their next stage from Kraken Files, a popular cloud-based file hosting platform. The downloaded payload was a PowerShell dropper disguised as an image file.
Once executed, the dropper established persistence on the infected machine by registering a scheduled task named ‘devil’, which repeatedly executed an XML file so that the malware remained active on the system.
Geopolitical Context and Indicators Of Compromise
The targeting of Libyan organizations highlights a growing trend of cyber threat actors capitalizing on regional instability.
Libya has experienced fluctuating stability for over a decade, and threat actors are increasingly using such environments to gain a foothold in critical infrastructure.
This tactic has severe implications given the current geopolitical climate. Recent clashes in the Strait of Hormuz have threatened the transit of global oil supplies, leading to predictions that crude oil prices could rise sharply.
Consequently, energy-producing nations outside the immediate conflict zones, such as Libya, are becoming highly attractive targets for intelligence gathering.
| File Hash (SHA-256) | Description |
|---|---|
| 12c65ac4e02313ed1aa2d32d56428f0a135b281604d536e5ae6ca08b6b4232c9 | AsyncRAT Payload |
| 0499152c6dd775491ce099eee4c382a94f72c07031081db164de921effa9664f | Executes AsyncRAT |
| 39eade26c5680d20f5a8032a0d3996a29058e52c147e4b49a2072d2dcb353325 | VBS downloader (video_saif_gadafi_2026.vbs) |
| c03120163d9401d66d482899421d9dd68db63d34bac2b32e3090e8ad0b911d83 | VBS downloader (audio_hafter_saif_eslam_rusia.vbs, list_names_libya.vbs) |
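As an added worked example (not code from the report or from the researchers who published these indicators), the following Python script turns the attack chain described above and the hash table into two offline checks: matching files against the SHA-256 IOCs, and triaging exported Task Scheduler XML for the traits reported for the ‘devil’ task (a script-host action, a PowerShell command fed an image-named file, a user-writable path, a repeating trigger). The heuristics, the task-XML namespace handling, and the sample task definitions and file bytes are this example's own assumptions; the sample XML is constructed, not a capture from the campaign.

```python
"""Added triage helpers (not the campaign's or the researchers' code): match files
against the SHA-256 IOCs listed in the table above and flag scheduled-task
definitions that resemble the reported 'devil' persistence task.
The heuristics and the sample inputs below are this example's own assumptions."""
import hashlib
import xml.etree.ElementTree as ET

# SHA-256 IOCs copied from the table in this article.
CAMPAIGN_HASHES = {
    "12c65ac4e02313ed1aa2d32d56428f0a135b281604d536e5ae6ca08b6b4232c9": "AsyncRAT payload",
    "0499152c6dd775491ce099eee4c382a94f72c07031081db164de921effa9664f": "Executes AsyncRAT",
    "39eade26c5680d20f5a8032a0d3996a29058e52c147e4b49a2072d2dcb353325": "VBS downloader (video_saif_gadafi_2026.vbs)",
    "c03120163d9401d66d482899421d9dd68db63d34bac2b32e3090e8ad0b911d83": "VBS downloader (audio_hafter_saif_eslam_rusia.vbs, list_names_libya.vbs)",
}

# Windows Task Scheduler XML namespace (what `schtasks /Query /XML` emits).
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe")
IMAGE_EXTENSIONS = (".jpg", ".jpeg", ".png", ".gif", ".bmp")
REPORTED_TASK_NAMES = {"devil"}  # the task name given in the report
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def match_iocs(files: dict[str, bytes], iocs: dict[str, str] = CAMPAIGN_HASHES) -> dict[str, str]:
    """Return {filename: IOC description} for every file whose SHA-256 is in `iocs`."""
    hits = {}
    for name, data in files.items():
        digest = sha256_of(data)
        if digest in iocs:
            hits[name] = iocs[digest]
    return hits


def triage_task(task_name: str, task_xml: str) -> list[str]:
    """Return the heuristic reasons a task definition resembles this campaign's persistence.
    An empty list means nothing matched. Heuristics are this example's assumptions."""
    reasons = []
    if task_name.strip().lower() in REPORTED_TASK_NAMES:
        reasons.append(f"task name '{task_name}' matches the reported persistence task")
    root = ET.fromstring(task_xml)
    for exec_el in root.iterfind(".//t:Actions/t:Exec", TASK_NS):
        cmd = exec_el.findtext("t:Command", default="", namespaces=TASK_NS).strip().lower()
        args = exec_el.findtext("t:Arguments", default="", namespaces=TASK_NS).strip().lower()
        if cmd.endswith(SCRIPT_HOSTS):
            reasons.append(f"action runs a script host: {cmd}")
        # The report describes a PowerShell dropper disguised as an image file.
        if "powershell" in cmd and any(ext in args for ext in IMAGE_EXTENSIONS):
            reasons.append("PowerShell action is fed an image-named file")
        if any(p in cmd or p in args for p in USER_WRITABLE):
            reasons.append("action references a user-writable location")
    # A repetition interval re-runs the action on a timer, matching 'continually executed'.
    if root.find(".//t:Triggers//t:Repetition", TASK_NS) is not None:
        reasons.append("trigger repeats on an interval")
    return reasons


# Constructed sample task definitions (assumed shapes, not captures from the campaign).
SUSPICIOUS_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <Repetition><Interval>PT5M</Interval></Repetition>
    </LogonTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
      <Arguments>-WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\victim\AppData\Roaming\photo.jpg</Arguments>
    </Exec>
  </Actions>
</Task>"""

BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger><ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files\Backup\backup.exe</Command>
      <Arguments>--nightly</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed file content; its hash is deliberately not one of the published IOCs.
SAMPLE_VBS = b'Set o = CreateObject("WScript.Shell")\r\n'


def demo() -> dict:
    return {
        "devil_reasons": triage_task("devil", SUSPICIOUS_TASK_XML),
        "benign_reasons": triage_task("NightlyBackup", BENIGN_TASK_XML),
        "ioc_hits": match_iocs({"sample.vbs": SAMPLE_VBS}),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Export real task definitions with `schtasks /Query /TN <name> /XML` and pass the text to `triage_task`; the hash dictionary can be extended with any further indicators the researchers publish, and `match_iocs` accepts an alternative dictionary so a local watchlist can be checked alongside the published one.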
Organizations operating within the energy sector must recognize that they are prime targets for espionage during these tumultuous times.
Furthermore, all sectors should remain vigilant against threat actors who leverage topical global events as lures in spear-phishing campaigns.
To assist organizations in defending their networks, security researchers have published a list of Indicators of Compromise associated with this campaign.
The post Long-Term Espionage Campaign Hits Libyan Oil Refinery With AsyncRAT Malware appeared first on Cyber Security News.
