
Mar 10, 2025 | Ravie Lakshmanan | Data Theft / Cryptocurrency

A new campaign targeting the Middle East and North Africa has been discovered that has been using a modified version of the known AsyncRAT malware since September 2024.

According to researchers Klimentiy Galkin and Stanislav Pyzhov from Positive Technologies, “the campaign leverages social media for malware distribution and is linked to the current geopolitical climate in the region.” They noted that “the attackers host malware in legitimate online file-sharing accounts or Telegram channels created specifically for this purpose.”

Since fall 2024, the campaign is estimated to have affected around 900 victims, with the majority being located in Libya, Saudi Arabia, Egypt, Turkey, the United Arab Emirates, Qatar, and Tunisia.

The activity, attributed to a threat actor known as Desert Dexter, was first discovered in February 2025. It primarily involves creating temporary Facebook accounts and news channels to publish advertisements with links to a file-sharing service or Telegram channel.

The links in these advertisements lead to a modified build of AsyncRAT. The modifications add an offline keylogger, a routine that searches for 16 different cryptocurrency wallet browser extensions and desktop applications, and communication with a Telegram bot.

The attack begins with a RAR archive containing either a batch script or a JavaScript file. Either file launches a PowerShell script, which carries out the second stage of the attack.

Specifically, the script terminates processes related to various .NET services, deletes certain files, and creates new files to establish persistence on the system. It then gathers system information and exfiltrates it to a Telegram bot, captures a screenshot, and launches the AsyncRAT payload by injecting it into "aspnet_compiler.exe", a legitimate .NET Framework binary, so that the RAT runs under a trusted, Microsoft-signed process name.
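The chain above (script host, then PowerShell, then a bare aspnet_compiler.exe used as an injection host, plus Telegram Bot API traffic) is something a detection engineer can hunt for with process-tree and proxy telemetry. The following is an added example for this page, not code from the original article or from Positive Technologies' research. It assumes Sysmon-style process-creation events and a simple proxy log; both sample data sets are constructed here for illustration and do not come from a real incident.

```python
"""Detection logic for a script host -> PowerShell -> injected aspnet_compiler.exe
chain and for Telegram Bot API calls in proxy logs.

Added example; not code from the original article or from Positive Technologies.
Assumes Sysmon-style process creation events and a space-separated proxy log.
All sample records below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ProcEvent:
    """Fields a process-creation event (e.g. Sysmon Event ID 1) typically carries."""
    pid: int
    ppid: int
    image: str      # full path of the started executable
    cmdline: str    # full command line as logged


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def bare_launch(e: ProcEvent) -> bool:
    """True when the command line is nothing but the executable path.
    Legitimate aspnet_compiler.exe runs (MSBuild, Visual Studio) pass compile
    targets; a bare launch is consistent with the process being started only
    to host injected code."""
    return e.cmdline.strip().strip('"').lower() == e.image.lower()


def ancestry(events: List[ProcEvent], pid: int) -> List[str]:
    """Walk parent links upward and return image names from child to root."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe"}


def find_hollowed_aspnet(events: List[ProcEvent]) -> List[Tuple[int, List[str]]]:
    """Return (pid, ancestry) for every aspnet_compiler.exe launched without
    arguments by a PowerShell that itself descends from a script host."""
    hits = []
    for e in events:
        if basename(e.image) != "aspnet_compiler.exe" or not bare_launch(e):
            continue
        chain = ancestry(events, e.pid)
        parent = chain[1] if len(chain) > 1 else ""
        if parent == "powershell.exe" and SCRIPT_HOSTS.intersection(chain):
            hits.append((e.pid, chain))
    return hits


# Telegram Bot API URLs have the shape /bot<numeric id>:<secret>/<method>.
TELEGRAM_BOT_RE = re.compile(r"api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]+)/(\w+)", re.IGNORECASE)
EXFIL_METHODS = {"sendmessage", "senddocument", "sendphoto"}


def find_telegram_bot_calls(proxy_lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, method, kind, redacted token) per Bot API call.
    The token is the attacker's bot credential: keep only enough of it to
    correlate events across hosts, never the full secret."""
    out = []
    for line in proxy_lines:
        m = TELEGRAM_BOT_RE.search(line)
        if not m:
            continue
        bot_id, secret, method = m.groups()
        kind = "exfil" if method.lower() in EXFIL_METHODS else "c2-poll"
        out.append((line.split()[0], method, kind, f"{bot_id}:{secret[:4]}***"))
    return out


# Constructed sample telemetry (hypothetical paths, PIDs and token).
SAMPLE_EVENTS = [
    ProcEvent(4100, 3000, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\user\Downloads\news\report.js"'),
    ProcEvent(4120, 4100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -w hidden -ep bypass -f C:\Users\user\AppData\Local\Temp\stage2.ps1"),
    ProcEvent(4150, 4120, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"'),
    # Legitimate build: the compiler is invoked with real arguments.
    ProcEvent(5200, 5100, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
              r"aspnet_compiler.exe -v / -p C:\src\site -f C:\build\out"),
]

SAMPLE_PROXY = [
    "2025-03-01T10:02:11Z 10.0.0.5 POST https://api.telegram.org/bot1234567890:AAExampleTokenAbc/sendDocument 200",
    "2025-03-01T10:02:30Z 10.0.0.5 GET https://api.telegram.org/bot1234567890:AAExampleTokenAbc/getUpdates 200",
    "2025-03-01T10:05:00Z 10.0.0.9 GET https://web.telegram.org/k/ 200",  # ordinary web client, no bot token
]

if __name__ == "__main__":
    for pid, chain in find_hollowed_aspnet(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} chain={' <- '.join(chain)}")
    for ts, method, kind, token in find_telegram_bot_calls(SAMPLE_PROXY):
        print(f"{ts} telegram bot {method} [{kind}] token={token}")
```

Two design points: the bare-command-line check is what separates the injection host from normal build activity, since every legitimate aspnet_compiler.exe invocation carries compile arguments; and the Telegram matcher deliberately redacts the bot token, because a full token in an alert is itself a credential for the attacker's bot and should be handled as such.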

The identity of the individuals behind the campaign remains unknown, although Arabic-language comments in the JavaScript file hint at the operators' origin.

Further analysis of messages sent to the Telegram bot has revealed details such as screenshots of the attacker’s desktop and tools used. A link to a Telegram channel named “dexterlyly” was also found, potentially indicating the threat actor’s connection to Libya.

Researchers noted that “the majority of victims are ordinary users, including employees in sectors such as oil production, construction, information technology, and agriculture.”

Although the tools Desert Dexter uses are not sophisticated, the combination of Facebook ads, legitimate services, and references to the regional geopolitical situation has led to numerous device infections.

This development comes as QiAnXin revealed details of a spear-phishing campaign dubbed Operation Sea Elephant. This campaign targets scientific research institutions in China with the goal of delivering a backdoor capable of harvesting sensitive information related to ocean sciences and technologies.

The activity has been attributed to a cluster named UTG-Q-011, a subset within another adversarial collective called CNC group. This group shares tactical overlaps with Patchwork, a threat actor suspected to be from India.
