Libyan Oil Refinery Targeted by AsyncRAT Espionage Campaign
Key Takeaways
- A sophisticated espionage campaign targeted a Libyan oil refinery, a telecommunications provider, and a state entity between November 2025 and February 2026.
- The attacks utilized AsyncRAT, a publicly available remote access Trojan known for its use by state-sponsored threat groups.
- The campaign leveraged politically themed lure documents and a multi-stage infection chain to establish persistent access for intelligence gathering.
- The targeting of Libya’s critical infrastructure carries significant geopolitical implications amidst global energy market volatility.
A recent espionage campaign, active from November 2025 to February 2026, successfully breached a Libyan oil refinery, a telecommunications organization, and a government institution. The attacks deployed AsyncRAT, a widely accessible remote access Trojan (RAT), raising serious alarms about the resilience of Libya’s critical infrastructure against advanced cyber threats.
AsyncRAT is an open-source remote access tool frequently adopted by both cybercriminal elements and nation-state actors. Its modular design and comprehensive surveillance capabilities make it a potent instrument for long-term intelligence operations. The RAT is capable of keystroke logging, screen capturing, and remote command execution, all crucial functions for sustained espionage. Due to its public availability and lack of association with a single threat actor, attributing attacks involving AsyncRAT presents a significant challenge for cybersecurity investigators.
Researchers at Symantec identified the campaign during forensic investigations of compromised networks. Their analysis uncovered lure documents specifically crafted around Libyan political events. One such document, titled “Leaked CCTV footage – Saif al-Gaddafi’s assassination.gz,” exploited the February 3, 2026, killing of Saif al-Gaddafi, the son of former leader Muammar Gaddafi. The highly specific nature of these lures strongly indicates that the attackers had a precise focus on Libyan targets.
Libya’s energy sector has seen increasing strategic importance, with the nation achieving an oil production rate of 1.37 million barrels per day last year—its highest in approximately 12 years. The targeting of a Libyan refinery carries significant geopolitical weight, especially amid ongoing conflicts in the Gulf region and concerns over potential oil price surges above $200 a barrel. Disruptions in critical shipping lanes like the Strait of Hormuz, which handles roughly 20% of global oil supply, have already destabilized world energy markets and heightened scrutiny on oil producers outside of Iran.
Evidence from VirusTotal suggests that this campaign might have commenced as early as April 2025, with several Libya-themed filenames pointing to a prolonged and concentrated targeting effort. The threat actor is believed to have maintained persistent access to the oil company’s network from November 2025 through mid-February 2026, with additional activity noted in December 2025. This sustained presence underscores a clear objective to establish and maintain a covert foothold for intelligence collection.
Multi-Stage Infection Chain
The attack sequence began with a spear-phishing email carrying a locally themed lure document designed to entice the target. Forensic analysis of affected machines revealed a VBS downloader with a politically relevant filename, such as video_saif_gadafi_2026.vbs. This downloader was retrieved from KrakenFiles, a cloud-based file hosting platform, and marked the start of a carefully planned, multi-step compromise.
Upon execution, the VBS file downloaded a PowerShell dropper, disguised as image.png. This dropper then proceeded to create a Windows scheduled task named “devil” using an XML configuration file located at C:\Users\Public\Music\Googless.xml. This scheduled task ensured the dropper would execute at a predetermined time, after which the task was deleted to obscure its presence and evade detection.
AsyncRAT was the ultimate payload delivered through this sophisticated chain, granting the attackers full remote control over the compromised system. Its capabilities included keystroke logging, screenshot capture, and remote command execution. The RAT’s modular architecture allowed the attackers to deploy capability updates discreetly, without disrupting ongoing operations. This combination of adaptability and stealth made AsyncRAT an ideal tool for a campaign focused on long-term intelligence gathering.
What You Should Do
- Strengthen Spear-Phishing Defenses: Implement rigorous security awareness training for all staff, emphasizing the recognition of politically themed lure tactics, particularly those related to current events.
- Monitor Scheduled Task Creation: Establish monitoring rules for unusual scheduled task creation, especially tasks linked to XML files in publicly accessible directories, mirroring the persistence mechanism used in this campaign.
- Restrict Script Execution: Limit the execution of VBS and other scripting files from untrusted or external sources. Enforce strict controls and monitoring over PowerShell usage, restricting it to authorized and monitored processes to prevent multi-stage dropper delivery.
- Deploy Advanced Endpoint Detection: Utilize endpoint detection and response (EDR) tools capable of identifying AsyncRAT’s behavioral patterns, such as unauthorized keylogging, screen capture activities, and suspicious outbound command-and-control communications.
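The infection chain described above (a script host launching PowerShell, a task registered from an XML file under C:\Users\Public, then deleted) maps directly onto the scheduled-task and script-execution monitoring recommended here. The following is an added example, not code from Symantec or HackersRadar, run over constructed and simplified Sysmon process-creation and Windows Security 4698/4699 records; the field names, the schtasks command line and the process tree are assumptions made for this illustration.

```python
import re

# Constructed, simplified records (not telemetry from the incident): Sysmon EID 1
# process creations plus Windows Security 4698 (task created) / 4699 (task
# deleted), flattened to dicts with a seconds timestamp. The schtasks command
# line and process tree are assumptions made for this example.
SAMPLE_EVENTS = [
    {"ts": 100, "id": 1, "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\video_saif_gadafi_2026.vbs"'},
    {"ts": 103, "id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass (arguments omitted in this sample)"},
    {"ts": 105, "id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"schtasks.exe /Create /TN devil /XML C:\Users\Public\Music\Googless.xml"},
    {"ts": 105, "id": 4698, "task": r"\devil"},
    {"ts": 170, "id": 4699, "task": r"\devil"},
    {"ts": 300, "id": 4698, "task": r"\Microsoft\Windows\Defrag\ScheduledDefrag"},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Directories any local user can write to; a task definition staged here is suspect.
PUBLIC_DIRS = ("c:\\users\\public\\", "c:\\programdata\\", "c:\\windows\\temp\\")
XML_ARG = re.compile(r'/xml\s+"?([^"\s]+\.xml)', re.IGNORECASE)

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect(events, delete_window=600):
    """Return (rule, detail) alerts: script host -> PowerShell, task XML in a
    public directory, and a task deleted within delete_window seconds of creation."""
    alerts, created = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["id"] == 1:
            image, parent = _basename(ev["image"]), _basename(ev["parent"])
            if parent in SCRIPT_HOSTS and image == "powershell.exe":
                alerts.append(("script_host_spawns_powershell", ev["cmdline"]))
            m = XML_ARG.search(ev["cmdline"])
            if image == "schtasks.exe" and m and m.group(1).lower().startswith(PUBLIC_DIRS):
                alerts.append(("task_xml_in_public_dir", m.group(1)))
        elif ev["id"] == 4698:
            created[ev["task"]] = ev["ts"]
        elif ev["id"] == 4699:
            t0 = created.pop(ev["task"], None)
            if t0 is not None and ev["ts"] - t0 <= delete_window:
                alerts.append(("short_lived_task", ev["task"]))
    return alerts
```

Run against exported logs, `detect()` fires three times on the sample: the wscript-to-PowerShell hop, the task XML staged under C:\Users\Public, and the task removed about a minute after creation; the legitimate Defrag task produces nothing.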
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.