Libyan Refinery Targeted in Prolonged Spy Campaign With AsyncRAT
A targeted cyber espionage campaign against Libyan organizations compromised a Libyan oil refinery, a telecommunications provider, and a state institution between November 2025 and February 2026.
The campaign is notable for its focus on critical infrastructure, especially Libya’s oil sector. The country produced approximately 1.37 million barrels of oil per day in 2025, its highest output in over a decade.
At a time when geopolitical tensions in the Gulf region are impacting global energy markets, targeting oil infrastructure outside the immediate conflict zone highlights broader risks to global supply chains.
Researchers indicate the campaign deployed the AsyncRAT backdoor, a widely available remote access trojan often used in both cybercrime and state-linked operations, raising concerns about potential state sponsorship.
Phishing and Infection Chain
The initial access occurred via spear-phishing emails tailored to Libyan political and social events. Investigators found lure documents referencing current affairs, including one titled “Leaked CCTV footage – Saif al-Gaddafi’s assassination.gz.” Saif al-Gaddafi, a prominent political figure, was assassinated in February 2026, making the lure highly relevant and convincing.
Infected systems contained malicious Visual Basic Script (VBS) files with topical names such as “video_saif_gadafi_2026.vbs.”
These scripts were downloaded from a file-sharing platform (KrakenFiles) and triggered a multi-stage infection process.
The VBS downloader fetched a PowerShell-based dropper disguised as an image file. This dropper created a scheduled task named “devil” using an XML configuration stored in a public directory. The task executed, established persistence, and then deleted itself to reduce forensic visibility.
The final payload delivered was AsyncRAT, a modular remote access trojan capable of keylogging, screen capture, credential theft, and remote command execution. Its flexibility and open-source availability make it attractive to various threat actors.
Analysis suggests attackers maintained prolonged access to at least one oil company network, with activity observed in November and December 2025, and again in February 2026. This persistence indicates a strategic intelligence-gathering objective rather than immediate disruption.
Additional samples linked to the campaign were uploaded to VirusTotal as early as April 2025. These files used Libya-themed naming conventions, such as:
- Audio_Libya_algeria.vbs.
- Voice_Egypt_hafter_Libya.vbs.
- Libya_Jordan_File.vbs.
- names_libya444.vbs.
All samples followed a similar execution pattern and ultimately deployed AsyncRAT, reinforcing the likelihood of a coordinated, sustained campaign targeting Libyan entities.
Broader Implications
While the use of AsyncRAT and targeting of strategic sectors suggest possible state involvement, attribution remains inconclusive.
AsyncRAT is publicly accessible and has been used by both advanced persistent threat (APT) groups and financially motivated actors, complicating ties to a specific group.
However, the level of targeting, geopolitical context, and long-term persistence increase the likelihood the campaign may be linked to state-aligned interests.
This campaign highlights how cyber actors exploit geopolitical instability for high-value access. Libya’s ongoing political fragility, combined with rising global concern over energy security, creates an attractive environment for espionage operations.
Recent clashes in the Strait of Hormuz, through which roughly 20% of global oil supply passes, have intensified fears of disruption. Some projections suggest oil prices could exceed $200 per barrel if tensions escalate further. In this context, intelligence gathering on alternative oil producers like Libya becomes strategically valuable.
Security experts warn energy sector organizations to remain on high alert. All industries should also be cautious of phishing campaigns leveraging current events, including geopolitical conflicts and economic instability, as bait.
The campaign serves as a reminder that cyber threats increasingly mirror global political dynamics, with attackers quickly adapting to exploit emerging crises for strategic gain.