A targeted cyber espionage campaign against Libyan organizations has compromised an oil refinery, a telecommunications provider, and a state institution between November 2025 and February 2026.
The campaign stands out due to its focus on critical infrastructure, particularly Libya’s oil sector. The country produced around 1.37 million barrels of oil per day in 2025, its highest output in over a decade.
At a time when geopolitical tensions in the Gulf region are already impacting global energy markets, the targeting of oil infrastructure outside the immediate conflict zone signals a broader risk to global supply chains.
Researchers say the attacks deployed the AsyncRAT backdoor, a widely available open-source remote access trojan used in both cybercrime and state-linked operations. The tooling itself is commodity; it is the choice of targets that has raised concerns about possible state-sponsored involvement.
Phishing and Infection Chain
The initial access vector is spear-phishing emails tailored to Libyan political and social events. Investigators found lure documents referencing current affairs, including one titled “Leaked CCTV footage – Saif al-Gaddafi’s assassination.gz.” Saif al-Gaddafi, a prominent political figure, was assassinated in February 2026, making the lure highly relevant and convincing.
Infected systems also contained malicious Visual Basic Script (VBS) files with topical names such as “video_saif_gadafi_2026.vbs.”
These scripts were downloaded from a file-sharing platform (KrakenFiles) and triggered a multi-stage infection process.
The VBS downloader fetched a PowerShell-based dropper disguised as an image file. The dropper wrote a scheduled-task XML definition to a public directory and registered a task named “devil” from it. Once the task had run and persistence was established, the dropper deleted itself to reduce the forensic artifacts left on disk.
The final payload delivered was AsyncRAT, a modular remote access trojan capable of keylogging, screen capture, credential theft, and remote command execution. Its flexibility and open-source availability make it attractive to a wide range of threat actors.
Analysis suggests the attackers maintained prolonged access to at least one oil company network, with activity observed in November and December 2025, and again in February 2026.
This persistence indicates a strategic objective, likely focused on intelligence gathering rather than immediate disruption.
Additional samples linked to the campaign were uploaded to VirusTotal as early as April 2025. These files also used Libya-themed naming conventions, such as:
- Audio_Libya_algeria.vbs
- Voice_Egypt_hafter_Libya.vbs
- Libya_Jordan_File.vbs
- names_libya444.vbs
All samples followed a similar execution pattern and ultimately deployed AsyncRAT, reinforcing the likelihood of a coordinated and sustained campaign targeting Libyan entities.
Broader Implications
While the use of AsyncRAT and the targeting of strategic sectors suggest possible state involvement, attribution remains inconclusive.
AsyncRAT is publicly accessible and has been used by both advanced persistent threat (APT) groups and financially motivated actors, making it difficult to tie the activity to a specific group.
However, the level of targeting, geopolitical context, and long-term persistence increase the likelihood that the campaign may be linked to state-aligned interests.
This campaign highlights how cyber actors exploit geopolitical instability to gain access to high-value targets. Libya’s ongoing political fragility, combined with rising global concern over energy security, creates an attractive environment for espionage operations.
Recent clashes in the Strait of Hormuz, through which roughly 20% of global oil supply passes, have intensified fears of supply disruption.
Some projections suggest oil prices could exceed 200 USD per barrel if tensions escalate further. In this context, intelligence gathering on alternative oil producers like Libya becomes strategically valuable.
Security experts warn that organizations in the energy sector should remain on high alert. At the same time, all industries should be cautious of phishing campaigns leveraging current events, including geopolitical conflicts and economic instability, as bait.
The campaign serves as a reminder that cyber threats increasingly mirror global political dynamics, with attackers quickly adapting to exploit emerging crises for strategic gain.