State‑Sponsored Espionage Campaign Deploys AsyncRAT Against Libyan Oil Refinery and Critical Infrastructure
What Happened — Between November 2025 and February 2026 a coordinated campaign delivered the publicly‑available AsyncRAT backdoor to a Libyan oil refinery, a telecom operator, and a state agency. The attackers used spear‑phishing emails with Libya‑specific lure documents, a VBS downloader hosted on KrakenFiles, and a PowerShell dropper that created a scheduled task named “devil” to install the RAT.
Why It Matters for TPRM —
- Espionage activity targeting oil production can disrupt supply chains and affect downstream partners.
- Use of publicly‑available tools (AsyncRAT) makes attribution difficult, increasing uncertainty for risk assessments.
- The attack chain exploits common user‑level vectors (phishing, VBS, PowerShell), highlighting gaps in basic hygiene across third‑party environments.
Who Is Affected — Energy & utilities (oil refinery), telecommunications, government agencies in Libya.
Recommended Actions —
- Review any third‑party contracts with Libyan entities for exposure to espionage‑related threats.
- Verify that all vendors enforce strict phishing awareness training and restrict execution of VBS/PowerShell scripts from untrusted sources.
- Conduct a forensic review of scheduled tasks and remote access tools on any systems that interact with the affected organizations.
Technical Notes —
- Initial vector: spear‑phishing email with lure documents (e.g., “Leaked CCTV footage – Saif al‑Gaddafi’s assassination.gz”).
- Downloader: VBS script (video_saif_gadafi_2026.vbs) retrieved from KrakenFiles cloud storage.
- Dropper: PowerShell payload delivered under the filename image.png, which creates a scheduled task named “devil” to execute the RAT.
- Payload: AsyncRAT – modular RAT capable of keylogging, screen capture, and command execution.
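The forensic review of scheduled tasks recommended above can be scripted. The following PowerShell hunt is an added example, not code from the Symantec report: the task name “devil” comes from the report, while the script-host, argument and user-writable-path heuristics are general assumptions a defender would add to catch similarly structured persistence.

```powershell
# Added hunt script (not from the Symantec report): enumerate scheduled tasks
# and flag those that match the persistence traits of the chain described above.
$KnownNames     = @('devil')                                   # task name from the report
$ScriptHosts    = 'powershell|pwsh|wscript|cscript|mshta|cmd'  # assumption: generic script hosts
$SuspiciousArgs = 'hidden|encodedcommand|-enc\b|downloadstring|downloadfile|iex|invoke-expression|bypass'
$UserWritable   = '\\AppData\\|\\Temp\\|\\Users\\Public\\|\\ProgramData\\'

function Get-SuspiciousTask {
    # Returns one object per flagged task action so results can be exported or compared across hosts.
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $exe     = [string]$action.Execute
            $argStr  = [string]$action.Arguments
            $reasons = @()
            if ($KnownNames -contains $task.TaskName) {
                $reasons += 'task name matches report IoC'
            }
            if ($exe -match $ScriptHosts -and $argStr -match $SuspiciousArgs) {
                $reasons += 'script host launched with evasion/download arguments'
            }
            if (($exe + ' ' + $argStr) -match $UserWritable) {
                $reasons += 'executes content from a user-writable location'
            }
            if ($reasons.Count -gt 0) {
                $info = $task | Get-ScheduledTaskInfo
                [pscustomobject]@{
                    TaskName  = $task.TaskName
                    TaskPath  = $task.TaskPath
                    Author    = $task.Author
                    Execute   = $exe
                    Arguments = $argStr
                    LastRun   = $info.LastRunTime
                    NextRun   = $info.NextRunTime
                    Reasons   = ($reasons -join '; ')
                }
            }
        }
    }
}

# Run on the host under review; pipe to Export-Csv to preserve evidence.
Get-SuspiciousTask | Format-List
```

Pair the output with task-creation events (Security log Event ID 4698, or the Microsoft-Windows-TaskScheduler/Operational log) to establish when and by which account a flagged task was registered.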
Source: Broadcom Symantec Blog