Libyan Oil Refinery Hit by Long-Running AsyncRAT Esp

Sarah Simpson
March 23, 2026

Between November 2025 and February 2026, a coordinated espionage campaign compromised a Libyan oil refinery, a telecoms organization, and a state institution.

The attacks delivered AsyncRAT, a publicly available remote access Trojan with a documented history of use by state-sponsored threat groups, raising immediate concerns about the security of Libya’s critical infrastructure.

AsyncRAT is an open-source remote access tool that gained traction among both cybercriminal groups and nation-state actors thanks to its modular build and broad surveillance capabilities.

It can log keystrokes, capture screenshots, and execute commands remotely, all of which make it highly effective for extended intelligence gathering.

Since it is freely accessible and not tied to a single known actor, attributing attacks that use it is inherently difficult for investigators.

Symantec researchers identified the campaign following a forensic analysis of compromised networks, where they uncovered lure documents tied to Libyan political events.

One document was titled “Leaked CCTV footage – Saif al-Gaddafi’s assassination.gz,” capitalizing on the February 3, 2026, killing of Saif al-Gaddafi, the second son of former leader Muammar Gaddafi.

The targeted nature of these lures made it clear the attackers had specifically set their sights on Libyan organizations.

Libya’s energy sector has become increasingly significant, with the country recording oil production of 1.37 million barrels per day last year — its highest in roughly 12 years.

Against a backdrop of Gulf region conflict and fears of oil prices climbing above $200 a barrel, targeting a Libyan refinery carries clear geopolitical weight.

Clashes in the Strait of Hormuz, through which about 20% of global oil supply flows, have already unsettled world energy markets and drawn growing attention toward oil producers beyond Iran.

Files on VirusTotal suggest this campaign may have started as early as April 2025, with several files bearing Libya-themed names pointing to a long-running, focused targeting effort.

The threat actor is believed to have held persistent access to the oil company’s network from November 2025 through mid-February 2026, with additional activity recorded in December 2025, revealing the clear intent to maintain a quiet foothold for intelligence collection.

Multi-Stage Infection Chain

The infection began with a spear-phishing email carrying a locally themed lure document designed to attract the target’s attention.

A VBS downloader with a politically relevant filename, such as video_saif_gadafi_2026.vbs, was also found on affected machines; it had been fetched from KrakenFiles, a cloud-based file hosting platform, and marked the start of a carefully staged, multi-step compromise.

Once the VBS file executed, it downloaded a PowerShell dropper hidden under the filename image.png, which proceeded to create a Windows scheduled task called “devil” from an XML configuration file stored at C:\Users\Public\Music\Googless.xml.

This task ensured the dropper would run at a predetermined time, after which the task was deleted to remove visible traces of its presence and evade routine detection.

AsyncRAT was the final payload delivered after this sequence, granting the attacker full remote control over the infected system.

It could capture keystrokes, take screenshots, and execute commands, while its modular nature allowed the attacker to quietly push capability updates without disrupting the ongoing operation.

This combination of flexibility and stealth made AsyncRAT an ideal tool for a campaign driven by long-term intelligence gathering.

Organizations in the energy sector, along with those in government and telecommunications, should reinforce defenses against spear-phishing by training staff to recognize politically themed lure tactics, particularly those tied to current events.

Security teams should set up monitoring rules for unusual scheduled task creation, especially tasks linked to XML files placed in publicly accessible directories, as this directly mirrors the persistence approach used in this campaign.
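As an added illustration of the monitoring rule above (example code written for this page, not from the article or from Symantec's research): a small Python detector run over constructed Windows Security log lines that flags a scheduled task registered from an XML file under a world-writable directory, and a task deleted shortly after it was created, the two traits of the “devil” task persistence described above. The flattened log layout, the task names other than “devil”, the paths other than C:\Users\Public\Music\Googless.xml, and the 30-minute cleanup window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not real telemetry), flattened from the Windows
# Security log: EventID 4688 = process creation, 4699 = scheduled task deleted.
SAMPLE_EVENTS = [
    r'2026-01-12T09:14:03 EventID=4688 User=REFINERY\j.doe CommandLine="schtasks.exe /Create /TN devil /XML C:\Users\Public\Music\Googless.xml"',
    r'2026-01-12T09:20:11 EventID=4699 User=REFINERY\j.doe TaskName=\devil',
    r'2026-01-12T10:02:40 EventID=4688 User="NT AUTHORITY\SYSTEM" CommandLine="schtasks.exe /Create /TN Nightly /XML C:\ProgramData\Backup\nightly.xml"',
    r'2026-01-12T11:30:00 EventID=4688 User=REFINERY\admin CommandLine="schtasks.exe /Create /TN PatchCheck /XML D:\Ops\Tasks\patchcheck.xml"',
    r'2026-01-13T11:30:00 EventID=4699 User=REFINERY\admin TaskName=\PatchCheck',
]
# Directories any local user can write to (assumed list); a task definition loaded from one of them mirrors the C:\Users\Public\Music\Googless.xml persistence.
PUBLIC_DIRS = (r"c:\users\public", r"c:\programdata", r"c:\windows\temp", r"\appdata\local\temp")
CLEANUP_WINDOW = timedelta(minutes=30)  # created and deleted within this window = self-cleanup
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+EventID=(?P<eid>\d+)\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key=value, value optionally double-quoted

def parse_event(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = {"ts": datetime.fromisoformat(m.group("ts")), "eid": int(m.group("eid"))}
    for key, quoted, bare in KV_RE.findall(m.group("rest")):
        ev[key] = quoted or bare
    return ev

def analyze(lines):
    """Map task name -> finding for tasks registered from a public dir or deleted soon after creation."""
    created, deleted = {}, {}
    for ev in filter(None, map(parse_event, lines)):
        cmd = ev.get("CommandLine", "")
        if ev["eid"] == 4688 and "schtasks" in cmd.lower():
            tn = re.search(r"(?i)/tn\s+(\S+)", cmd)
            xml = re.search(r"(?i)/xml\s+(\S+)", cmd)
            if tn and xml:
                created[tn.group(1).strip("\\").lower()] = (ev["ts"], xml.group(1))
        elif ev["eid"] == 4699 and "TaskName" in ev:
            deleted[ev["TaskName"].strip("\\").lower()] = ev["ts"]
    findings = {}
    for name, (ts, xml) in created.items():
        reasons = []
        if any(d in xml.lower() for d in PUBLIC_DIRS):
            reasons.append(f"task XML loaded from world-writable path {xml}")
        age = deleted.get(name, ts) - ts
        if name in deleted and timedelta(0) <= age <= CLEANUP_WINDOW:
            reasons.append(f"task deleted {age.seconds // 60} min after creation (self-cleanup)")
        if reasons:
            findings[name] = {"xml": xml, "reasons": reasons, "severity": "high" if len(reasons) == 2 else "medium"}
    return findings
```

Running analyze(SAMPLE_EVENTS) rates “devil” high on both traits, “Nightly” medium for the ProgramData path alone, and leaves “PatchCheck” unflagged because it was removed a day later, not minutes later.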

Execution of VBS and other scripting files from untrusted or external sources should be restricted, and PowerShell usage should be limited to authorized, monitored processes to cut off this type of multi-stage dropper delivery.

Deploying endpoint detection tools that can identify AsyncRAT’s behavioral patterns — such as unauthorized keylogging, screen capture activity, and outbound command-and-control connections — is essential for any organization operating in a high-risk sector.
