A coordinated espionage campaign targeted a Libyan oil refinery, a telecommunications organization, and a state institution between November 2025 and February 2026. The operation deployed AsyncRAT to establish long-term surveillance within critical infrastructure environments.
Security researchers identified the activity during forensic investigations, uncovering politically themed lure documents specifically crafted to target Libyan organizations.
Why AsyncRAT Was Used
AsyncRAT is a publicly available remote access Trojan widely used by both cybercriminals and state-sponsored actors due to its flexibility and stealth.
Capabilities
- Keystroke logging
- Screenshot capture
- Remote command execution
- Modular plugin support
- Persistent surveillance
Because it is open-source and widely accessible, attribution becomes significantly more difficult.
Politically Themed Lure Documents
Attackers used localized and politically sensitive topics to increase credibility.
One lure referenced the killing of Saif al-Gaddafi, leveraging geopolitical tension to entice victims into opening malicious files.
Example filename:
- “Leaked CCTV footage – Saif al-Gaddafi’s assassination.gz”
This targeted social engineering strongly indicates deliberate intelligence-gathering objectives.
Targeted Critical Infrastructure
The campaign focused on:
- Oil refinery operations
- Telecommunications provider
- Government institution
The attack’s focus on Libya’s energy sector is significant given the country’s growing oil production and strategic geopolitical importance.
Timeline of Activity
- April 2025 – Early indicators appear
- November 2025 – Persistent access established
- December 2025 – Additional activity observed
- February 2026 – Campaign continues
- March 2026 – Investigation reveals scope
This demonstrates a long-running intelligence operation.
Multi-Stage Infection Chain
Stage 1 – Spear Phishing
Victims received emails with locally themed lure documents.
Example malicious file:
- video_saif_gadafi_2026.vbs
Stage 2 – VBS Downloader
The VBS script downloaded additional payloads from cloud hosting infrastructure.
Stage 3 – PowerShell Dropper
The downloader retrieved a disguised file:
- image.png (PowerShell dropper)
This dropper created persistence using a scheduled task.
Stage 4 – Scheduled Task Persistence
The malware created a task named:
- “devil”
Configuration stored at:
- C:\Users\Public\Music\Googless.xml
The task executed at a later time, then deleted itself to evade detection.
Stage 5 – AsyncRAT Deployment
Finally, AsyncRAT was deployed, enabling:
- Remote system control
- Data exfiltration
- Surveillance activity
- Capability updates
Indicators of Compromise
Security teams should monitor for:
- Suspicious VBS execution
- Scheduled tasks from XML files
- PowerShell dropper activity
- Public directory persistence files
- Unexpected outbound connections
Target Sector Risks
| Sector | Risk |
|---|---|
| Energy | Operational espionage |
| Telecom | Communication interception |
| Government | Intelligence gathering |
| Critical Infrastructure | Long-term compromise |
Mitigation Recommendations
Organizations should implement:
- Spear-phishing awareness training
- Script execution restrictions
- PowerShell monitoring
- Scheduled task auditing
- Endpoint detection deployment
Detection Tips
Watch for:
- Scheduled tasks created from public folders
- VBS execution from external sources
- PowerShell processes spawning unexpectedly
- AsyncRAT behavioral indicators
- Unknown outbound command-and-control traffic
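The detection tips above can be turned into concrete rules. The following added example (not code from the researchers or the report) runs four rules over constructed process-creation events modelled on Sysmon Event ID 1: a VBS file launched by wscript/cscript from a user-writable path, PowerShell spawned by a script host, a scheduled task registered from an XML file under C:\Users\Public, and the task name "devil" reported for this campaign. The event field names and sample paths are assumptions; only the script name, task name and XML path come from the article.

```python
import re

# Constructed sample events in Sysmon Event ID 1 style (not real telemetry);
# the script name, task name and XML path mirror the chain described in this article.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\video_saif_gadafi_2026.vbs"'},
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden"},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks.exe /Create /TN devil /XML C:\Users\Public\Music\Googless.xml"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
KNOWN_TASK_NAMES = {"devil"}  # task name reported for this campaign
PUBLIC_DIR = re.compile(r"c:\\users\\public\\", re.I)
USER_WRITABLE = re.compile(r"\\(downloads|temp|appdata)\\", re.I)

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the detection rule names an event matches (empty list if nothing fires)."""
    img, parent, cmd = basename(event["image"]), basename(event["parent"]), event["cmdline"]
    hits = []
    # Stage 1/2: VBS run by a script host from a user-writable location
    if img in SCRIPT_HOSTS and re.search(r"\.vbs\b", cmd, re.I) and USER_WRITABLE.search(cmd):
        hits.append("vbs_from_user_writable_path")
    # Stage 3: PowerShell spawned by wscript/cscript (VBS downloader handing off to the dropper)
    if img == "powershell.exe" and parent in SCRIPT_HOSTS:
        hits.append("powershell_spawned_by_script_host")
    # Stage 4: scheduled task registered from an XML file under C:\Users\Public
    if img == "schtasks.exe" and re.search(r"/xml\s", cmd, re.I) and PUBLIC_DIR.search(cmd):
        hits.append("schtask_registered_from_public_dir")
    # Task name matching a published indicator (campaign-specific, so the most brittle rule)
    name = re.search(r'/tn\s+"?([^\s"]+)', cmd, re.I)
    if img == "schtasks.exe" and name and name.group(1).lower() in KNOWN_TASK_NAMES:
        hits.append("known_task_name")
    return hits

def scan(events):
    """Map event index -> matched rules, keeping only events that fire at least one rule."""
    return {i: hits for i, e in enumerate(events) if (hits := classify(e))}
```

The first three rules describe behaviour rather than this campaign's file names, so they keep firing if the attacker renames the task or the XML file; the fourth is an IoC match and should be treated as low-confidence on its own.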
Key Takeaways
- AsyncRAT used for long-term espionage
- Libya critical infrastructure targeted
- Politically themed lures deployed
- Multi-stage infection chain
- Persistent surveillance capabilities
Conclusion
This campaign highlights how open-source malware like AsyncRAT can be leveraged for sophisticated espionage operations. By combining spear-phishing, scripting-based delivery, and stealth persistence mechanisms, attackers maintained access to sensitive infrastructure for months.
Organizations in energy, telecom, and government sectors should prioritize:
- Enhanced email security
- Script execution controls
- Endpoint monitoring
- Behavioral detection
Proactive defense is essential to prevent long-term intelligence gathering campaigns.