The Middle East and North Africa have become the target of a new campaign that delivers a modified version of a known malware called AsyncRAT since September 2024.
“The campaign, which leverages social media to distribute malware, is tied to the region’s current geopolitical climate,” Positive Technologies researchers Klimentiy Galkin and Stanislav Pyzhov said in an analysis published last week. “The attackers host malware in legitimate online file-sharing accounts or Telegram channels set up specially for this purpose.”
The campaign is estimated to have claimed approximately 900 victims since the fall 2024, the Russian cybersecurity company added, indicating its widespread nature. A majority of the victims are located in Libya, Saudi Arabia, Egypt, Turkey, the United Arab Emirates, Qatar, and Tunisia.
The activity, attributed to a threat actor dubbed Desert Dexter, was discovered in February 2025. It chiefly involves creating temporary accounts and news channels on Facebook. These accounts are then used to publish advertisements containing links to a file-sharing service or Telegram channel.
The links, in turn, redirect users to a version of the AsyncRAT malware that has been altered to include an offline keylogger; search for 16 different cryptocurrency wallet extensions and applications; and communicate with a Telegram bot.
The kill chain starts with a RAR archive that either includes a batch script or a JavaScript file, which are programmed to run a PowerShell script that’s responsible for triggering the second stage of the attack.
Specifically, it terminates processes associated with various .NET services that could prevent the malware from starting, deletes files with the extensions BAT, PS1, and VBS from “C:ProgramDataWindowsHost” and “C:UsersPublic” folders, and creates a new VBS file in C:ProgramDataWindowsHost, and BAT and PS1 files in C:UsersPublic.
The script then establishes persistence on the system, gathers and exfiltrates system information to a Telegram bot, takes a screenshot, and ultimately launches the AsyncRAT payload by injecting it into the “aspnet_compiler.exe” executable.
It’s currently not known who is behind the campaign, although Arabic language comments in the JavaScript file allude to their possible origin.
Further analysis of the messages sent to the Telegram bot has revealed screenshots of the attacker’s own desktop named “DEXTERMSI,” featuring the PowerShell script as well as a tool named Luminosity Link RAT. Also present in the Telegram bot is a link to a Telegram channel named “dexterlyly,” suggesting that the threat actor could be from Libya. The channel was created on October 5, 2024.
“The majority of victims are ordinary users, including employees in the following sectors: Oil production, construction, information technology, [and] agriculture,” the researchers said.
“The tools used by Desert Dexter are not particularly sophisticated. However, the combination of Facebook ads with legitimate services and references to the geopolitical situation has led to the infection of numerous devices.”
The development comes as QiAnXin revealed details of a spear-phishing campaign dubbed Operation Sea Elephant that has been found targeting scientific research institutions in China with the goal of delivering a backdoor capable of harvesting sensitive information related to ocean sciences and technologies.
The activity has been attributed to a cluster named UTG-Q-011, which, it said, is a subset within another adversarial collective called CNC group that shares tactical overlaps with Patchwork, a threat actor suspected to be from India.
