A complex, long-running cyber espionage campaign has successfully compromised critical infrastructure in Libya, including an oil refinery, a telecommunications company, and a government building. From November 2025 to February 2026, the threat actors used the publicly available AsyncRAT backdoor to break into networks and maintain access. Researchers think that this activity may be the work of a state-sponsored actor because the targeted organizations are strategically important to the country and the malware is capable of gathering information.
The targeting of a major oil producer is especially notable because it happened before the recent geopolitical tensions in the Gulf region that have disrupted global energy markets.

The Attack Chain and How It Works

Social engineering was central to the campaign, and spear-phishing emails were the main infection vector.
Attackers used highly specific lure documents designed to exploit interest in Libyan news. One notable example was a file called "Leaked CCTV footage – Saif al-Gaddafi's assassination.gz," which referenced the real-life assassination of a major political figure in early February 2026. This localized context strongly suggests that the campaign was a carefully planned, targeted operation rather than an opportunistic attack.
When a victim opened the lure, a VBScript downloader named to match the lure's theme was executed. These downloaders retrieved files from Kraken Files, a well-known cloud-based file hosting service. The downloaded payload was a PowerShell dropper disguised as an image file.
Once this dropper ran, it established persistence on the infected machine by creating a scheduled task called "devil" that repeatedly ran an XML file to keep the malware active on the system.

Geopolitical Context and Signs of Compromise

The targeting of Libyan organizations shows that cyber actors are increasingly taking advantage of instability in the region. Libya's stability has been in flux for more than ten years, and threat actors are increasingly using such situations to gain a foothold in critical infrastructure.
This targeting has serious implications given the current global situation. Recent fighting in the Strait of Hormuz has put the global flow of oil at risk, and experts think that the price of crude oil could rise sharply.
As a result, energy-producing countries that are not directly involved in the conflict, such as Libya, are becoming very attractive targets for intelligence gathering.

Security researchers have published a list of Indicators of Compromise related to this campaign to help companies protect their networks.

SHA-256 File Hash                                                 Description
12c65ac4e02313ed1aa2d32d56428f0a135b281604d536e5ae6ca08b6b4232c9  AsyncRAT Payload
0499152c6dd775491ce099eee4c382a94f72c07031081db164de921effa9664f  Executes AsyncRAT
39eade26c5680d20f5a8032a0d3996a29058e52c147e4b49a2072d2dcb353325  VBS downloader (video_saif_gadafi_2026.vbs)
c03120163d9401d66d482899421d9dd68db63d34bac2b32e3090e8ad0b911d83  VBS downloader (audio_hafter_saif_eslam_rusia.vbs, list_names_libya.vbs)

Companies in the energy sector need to know that they are prime targets for espionage right now. In addition, all sectors should watch for threat actors who use current global events as bait in spear-phishing campaigns.
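The following triage helper is an added example, not code from the article or from the researchers who published the IoCs. It covers two points from the text: matching file hashes against the SHA-256 indicators in the table above, and flagging a Task Scheduler XML definition that shows the persistence pattern described in the attack chain (a task named "devil" whose action hands a script host an image-named file on a repeating trigger). The hashes and the task name are the only campaign-specific values used; the sample task definitions, file bytes, and heuristic thresholds are constructed for illustration. It uses only the Python standard library.

```python
import hashlib
import re
import xml.etree.ElementTree as ET

# SHA-256 hashes from the published IoC table (copied from the article)
CAMPAIGN_HASHES = {
    "12c65ac4e02313ed1aa2d32d56428f0a135b281604d536e5ae6ca08b6b4232c9": "AsyncRAT payload",
    "0499152c6dd775491ce099eee4c382a94f72c07031081db164de921effa9664f": "Executes AsyncRAT",
    "39eade26c5680d20f5a8032a0d3996a29058e52c147e4b49a2072d2dcb353325": "VBS downloader (video_saif_gadafi_2026.vbs)",
    "c03120163d9401d66d482899421d9dd68db63d34bac2b32e3090e8ad0b911d83": "VBS downloader (audio_hafter_saif_eslam_rusia.vbs, list_names_libya.vbs)",
}

# Task Scheduler XML namespace used by exported task definitions
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
# Task name reported in the article; the remaining indicators are generic heuristics
KNOWN_TASK_NAMES = {"devil"}
SCRIPT_HOSTS = {"powershell.exe", "powershell", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
DISGUISE_EXTS = (".jpg", ".jpeg", ".png", ".gif", ".bmp")


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a file's bytes, in the form used by the IoC table."""
    return hashlib.sha256(data).hexdigest()


def match_ioc(sha256: str):
    """Return the IoC description for a hash, or None if it is not in the list."""
    return CAMPAIGN_HASHES.get(sha256.strip().lower())


def analyze_task_xml(xml_text: str) -> list:
    """Return human-readable findings for one Task Scheduler XML definition."""
    root = ET.fromstring(xml_text)
    findings = []

    # Task name is the last component of the registered URI (e.g. "\devil")
    uri = root.findtext(f"{TASK_NS}RegistrationInfo/{TASK_NS}URI") or ""
    name = uri.rsplit("\\", 1)[-1]
    if name.lower() in KNOWN_TASK_NAMES:
        findings.append(f"task name '{name}' matches the reported persistence task")

    # Each <Exec> action: which binary runs and what file it is pointed at
    for exec_node in root.iter(f"{TASK_NS}Exec"):
        command = (exec_node.findtext(f"{TASK_NS}Command") or "").strip()
        args = (exec_node.findtext(f"{TASK_NS}Arguments") or "").strip()
        base = command.rsplit("\\", 1)[-1].lower()
        if base in SCRIPT_HOSTS:
            findings.append(f"action runs a script host: {base}")
        # Pull out path-like tokens with an extension and check for image disguises
        for path in re.findall(r"[\w:\\./-]+\.\w+", args):
            if path.lower().endswith(DISGUISE_EXTS):
                findings.append(f"script host is handed an image-named file: {path}")

    # A repeating trigger is what keeps the implant re-launching
    if root.find(f".//{TASK_NS}Repetition/{TASK_NS}Interval") is not None:
        findings.append("trigger repeats on an interval (re-launch persistence)")
    return findings


# Constructed sample task modelled on the persistence described in the article
SUSPICIOUS_TASK_XML = """
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\devil</URI></RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT1M</Interval></Repetition>
      <StartBoundary>2026-02-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-w hidden -ep bypass -f C:\\Users\\Public\\holiday.jpg</Arguments>
    </Exec>
  </Actions>
</Task>
"""

# Constructed benign task (a built-in Windows maintenance task) for comparison
BENIGN_TASK_XML = """
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Microsoft\\Windows\\Defrag\\ScheduledDefrag</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2026-02-01T01:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>%windir%\\system32\\defrag.exe</Command><Arguments>-c -h -o</Arguments></Exec>
  </Actions>
</Task>
"""

if __name__ == "__main__":
    # Constructed stand-in bytes; a real run would read files from disk
    for label, data in [("constructed_sample.bin", b"hello")]:
        digest = sha256_hex(data)
        print(label, digest, match_ioc(digest) or "no IoC match")
    for label, xml_text in [("suspicious", SUSPICIOUS_TASK_XML), ("benign", BENIGN_TASK_XML)]:
        print(label, analyze_task_xml(xml_text))
```

In a real deployment the hash check would run over files collected from endpoints (or be loaded into an EDR blocklist), and the task analysis would run over exports from the Tasks directory or over the XML carried in Windows event 4698 (task created); a task is worth a second look when more than one finding fires, since a script host alone is common in legitimate administration.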