Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

Desert Dexter Targets 900 Victims Using Facebook Ads and Telegram Malware Links

The Hacker News by The Hacker News
March 10, 2025
Home Cybersecurity
Share on FacebookShare on Twitter


Mar 10, 2025Ravie LakshmananData Theft / Cryptocurrency

The Middle East and North Africa have become the target of a new campaign that delivers a modified version of a known malware called AsyncRAT since September 2024.

“The campaign, which leverages social media to distribute malware, is tied to the region’s current geopolitical climate,” Positive Technologies researchers Klimentiy Galkin and Stanislav Pyzhov said in an analysis published last week. “The attackers host malware in legitimate online file-sharing accounts or Telegram channels set up specially for this purpose.”

The campaign is estimated to have claimed approximately 900 victims since the fall 2024, the Russian cybersecurity company added, indicating its widespread nature. A majority of the victims are located in Libya, Saudi Arabia, Egypt, Turkey, the United Arab Emirates, Qatar, and Tunisia.

The activity, attributed to a threat actor dubbed Desert Dexter, was discovered in February 2025. It chiefly involves creating temporary accounts and news channels on Facebook. These accounts are then used to publish advertisements containing links to a file-sharing service or Telegram channel.

Cybersecurity

The links, in turn, redirect users to a version of the AsyncRAT malware that has been altered to include an offline keylogger; search for 16 different cryptocurrency wallet extensions and applications; and communicate with a Telegram bot.

The kill chain starts with a RAR archive that either includes a batch script or a JavaScript file, which are programmed to run a PowerShell script that’s responsible for triggering the second stage of the attack.

Specifically, it terminates processes associated with various .NET services that could prevent the malware from starting, deletes files with the extensions BAT, PS1, and VBS from “C:ProgramDataWindowsHost” and “C:UsersPublic” folders, and creates a new VBS file in C:ProgramDataWindowsHost, and BAT and PS1 files in C:UsersPublic.

The script then establishes persistence on the system, gathers and exfiltrates system information to a Telegram bot, takes a screenshot, and ultimately launches the AsyncRAT payload by injecting it into the “aspnet_compiler.exe” executable.

It’s currently not known who is behind the campaign, although Arabic language comments in the JavaScript file allude to their possible origin.

Further analysis of the messages sent to the Telegram bot has revealed screenshots of the attacker’s own desktop named “DEXTERMSI,” featuring the PowerShell script as well as a tool named Luminosity Link RAT. Also present in the Telegram bot is a link to a Telegram channel named “dexterlyly,” suggesting that the threat actor could be from Libya. The channel was created on October 5, 2024.

“The majority of victims are ordinary users, including employees in the following sectors: Oil production, construction, information technology, [and] agriculture,” the researchers said.

Cybersecurity

“The tools used by Desert Dexter are not particularly sophisticated. However, the combination of Facebook ads with legitimate services and references to the geopolitical situation has led to the infection of numerous devices.”

The development comes as QiAnXin revealed details of a spear-phishing campaign dubbed Operation Sea Elephant that has been found targeting scientific research institutions in China with the goal of delivering a backdoor capable of harvesting sensitive information related to ocean sciences and technologies.

The activity has been attributed to a cluster named UTG-Q-011, which, it said, is a subset within another adversarial collective called CNC group that shares tactical overlaps with Patchwork, a threat actor suspected to be from India.

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.





Source link

Tags: computer securitycyber attackscyber newscyber security newscyber security news todaycyber security updatescyber updatesdata breachhacker newshacking newshow to hackinformation securitynetwork securityransomware malwaresoftware vulnerabilitythe hacker news
The Hacker News

The Hacker News

Next Post
Innovation strategy continues to deliver for Co-op | Computer Weekly

Innovation strategy continues to deliver for Co-op | Computer Weekly

Recommended.

Showroom.fm Launches to Help Retailers Tell the Internet What’s on Display in Their Stores

Showroom.fm Launches to Help Retailers Tell the Internet What’s on Display in Their Stores

December 3, 2025
MicroCloud Hologram Inc. launches research and development plan for Bitcoin quantum-resistant protocol.

MicroCloud Hologram Inc. launches research and development plan for Bitcoin quantum-resistant protocol.

April 23, 2026

Trending.

AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

May 1, 2026
Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

May 4, 2026
Google’s 0 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

Google’s $750 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

April 24, 2026
AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

April 30, 2026
Dell’s Infrastructure Blitz: Private Cloud, PowerStore Elite, PowerEdge In Spotlight At Dell Technologies World 2026

Dell’s Infrastructure Blitz: Private Cloud, PowerStore Elite, PowerEdge In Spotlight At Dell Technologies World 2026

May 19, 2026

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio