Wednesday, April 2, 2025


AsyncRAT Malware Spreading via Facebook Ads and Telegram Found 900 Victims in the Middle East & North Africa

A new campaign targeting the Middle East and North Africa has been distributing a modified version of the AsyncRAT malware since September 2024. According to researchers Klimentiy Galkin and Stanislav Pyzhov from Positive Technologies, this campaign utilizes social media to spread the malware and is closely linked to the region’s geopolitical situation. The attackers host the malware on legitimate file-sharing accounts or dedicated Telegram channels.

Since the fall of 2024, the campaign has reportedly affected around 900 victims, with most located in Libya, Saudi Arabia, Egypt, Turkey, the United Arab Emirates, Qatar, and Tunisia. The activity, attributed to a threat actor known as Desert Dexter, was identified in February 2025. It primarily involves creating temporary Facebook accounts and news channels to post ads that contain links to file-sharing services or Telegram channels.

These links lead users to a modified version of AsyncRAT malware, which now includes an offline keylogger, searches for 16 different cryptocurrency wallet extensions and applications, and interacts with a Telegram bot. The attack begins with a RAR archive that contains either a batch script or a JavaScript file, which executes a PowerShell script to initiate the second phase of the attack. This phase involves terminating processes linked to various .NET services that might hinder the malware’s execution, deleting files with the extensions BAT, PS1, and VBS from specific folders, and creating new VBS, BAT, and PS1 files in designated locations.

The script establishes persistence on the system, collects and sends system information to a Telegram bot, captures a screenshot, and finally launches the AsyncRAT payload by injecting it into a running “aspnet_compiler.exe” process, a legitimate .NET Framework binary, so that the RAT executes under the name of a trusted Microsoft-signed executable. The identity of those behind the campaign remains unclear, although Arabic comments in the JavaScript file hint at their possible origin.
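The two hand-offs in that chain (an archive-extracted batch or JavaScript file starting PowerShell, and PowerShell starting aspnet_compiler.exe) are both visible in ordinary process-creation telemetry. The following hunt is an added example, not code from Positive Technologies or from the campaign; it runs two parent-child rules over constructed, simplified Sysmon Event ID 1 records. The file names, command lines, archiver list and rule names are illustrative assumptions, and real hunts should key on ProcessGuid rather than ProcessId because PIDs are reused.

```python
"""Hunt over Sysmon-style process-creation events for the two hand-offs in the
chain described above: a script host launched out of an extracted archive, and
aspnet_compiler.exe started by that script host. Added example with constructed
records; not real telemetry and not the campaign's actual artefacts."""
from typing import Dict, List

# Constructed, simplified Sysmon Event ID 1 records (file names are illustrative).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ProcessId": "1200", "ParentProcessId": "900",
     "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
    {"ProcessId": "4100", "ParentProcessId": "1200",
     "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "CommandLine": r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\u\Downloads\news.rar"'},
    {"ProcessId": "4212", "ParentProcessId": "4100",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\u\AppData\Local\Temp\Rar$DIa0.842\news.js"'},
    {"ProcessId": "4300", "ParentProcessId": "4212",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -w hidden -ep bypass -f C:\Users\u\AppData\Local\Temp\stage2.ps1"},
    {"ProcessId": "4420", "ParentProcessId": "4300",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe",
     "CommandLine": "aspnet_compiler.exe"},
    # Benign build activity: Visual Studio -> MSBuild -> aspnet_compiler.exe (must not alert)
    {"ProcessId": "4800", "ParentProcessId": "1200",
     "Image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "CommandLine": "devenv.exe"},
    {"ProcessId": "5000", "ParentProcessId": "4800",
     "Image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "CommandLine": "MSBuild.exe WebApp.csproj"},
    {"ProcessId": "5100", "ParentProcessId": "5000",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe",
     "CommandLine": r"aspnet_compiler.exe -v / -p C:\src\WebApp"},
    # Benign: interactive PowerShell opened from the desktop (must not alert)
    {"ProcessId": "6000", "ParentProcessId": "1200",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "cmd.exe"}
ARCHIVERS = {"winrar.exe", "7zfm.exe", "7zg.exe"}  # assumed list; extend for your estate
INJECTION_HOST = "aspnet_compiler.exe"


def image_name(path: str) -> str:
    """Lower-cased file name component of an Image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(event: Dict[str, str], by_pid: Dict[str, Dict[str, str]],
             max_depth: int = 6) -> List[str]:
    """Image names from the event up to its oldest ancestor present in the log.
    Keyed on ProcessId for brevity; production hunts should use ProcessGuid."""
    chain = [image_name(event["Image"])]
    cur = event
    while len(chain) < max_depth:
        parent = by_pid.get(cur["ParentProcessId"])
        if parent is None:
            break
        chain.append(image_name(parent["Image"]))
        cur = parent
    return chain


def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per event that matches either rule."""
    by_pid = {e["ProcessId"]: e for e in events}
    findings: List[Dict[str, str]] = []
    for ev in events:
        chain = ancestry(ev, by_pid)
        # Rule 1: PowerShell whose parent is cmd/wscript/cscript and whose grandparent
        # is an archiver: the RAR -> BAT/JS -> PowerShell hand-off.
        if (chain[0] in {"powershell.exe", "pwsh.exe"} and len(chain) >= 3
                and chain[1] in {"cmd.exe", "wscript.exe", "cscript.exe"}
                and chain[2] in ARCHIVERS):
            findings.append({"rule": "archive_script_to_powershell",
                             "pid": ev["ProcessId"], "chain": " <- ".join(chain)})
        # Rule 2: aspnet_compiler.exe started by a script host instead of build tooling,
        # the usual shape when it is used as an injection host.
        if chain[0] == INJECTION_HOST and len(chain) >= 2 and chain[1] in SCRIPT_HOSTS:
            findings.append({"rule": "script_host_spawns_aspnet_compiler",
                             "pid": ev["ProcessId"], "chain": " <- ".join(chain)})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["rule"], f["pid"], f["chain"])
```

Run against the constructed records, the hunt flags PID 4300 (PowerShell under wscript.exe under WinRAR) and PID 4420 (aspnet_compiler.exe under PowerShell) and stays silent on the MSBuild-driven compile and the interactive shell. Rule 2 will still fire on an administrator who compiles from a PowerShell prompt, so pair it with the process having no command-line arguments or making outbound network connections before treating it as high confidence.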

Further investigation of the messages sent to the Telegram bot has uncovered screenshots of the attacker’s desktop labeled “DEXTERMSI,” which show the PowerShell script and a tool called LuminosityLink RAT. Additionally, the Telegram bot contains a link to a channel named “dexterlyly,” indicating that the threat actor may be from Libya. This channel was created on October 5, 2024.

Researchers noted that most victims are regular users, including employees in sectors such as oil production, construction, information technology, and agriculture.

They stated, “The tools used by Desert Dexter are not particularly advanced. However, the combination of Facebook ads with legitimate services and references to the geopolitical situation has resulted in the infection of many devices.”

This development coincides with QiAnXin’s disclosure of a spear-phishing campaign called Operation Sea Elephant, which targets scientific research institutions in China with the intent of deploying a backdoor to collect sensitive information related to ocean sciences and technologies. This activity has been linked to a group identified as UTG-Q-011, which is part of a larger adversarial collective known as the CNC group, sharing tactical similarities with Patchwork, a threat actor believed to be based in India.
