State‑Linked Espionage Campaign Uses AsyncRAT to Infiltrate Libyan Oil Refinery
What Happened — A multi‑month cyber‑espionage operation leveraged spear‑phishing emails with Libya‑focused political lures to deliver a VBS downloader, a PowerShell dropper and the open‑source AsyncRAT remote access trojan. The campaign, active from November 2025 to February 2026, achieved persistent access to at least one oil‑refinery network in Libya.
Why It Matters for TPRM —
- Critical‑infrastructure operators are prime targets for state‑aligned actors; compromise can affect supply‑chain stability.
- Long‑term RAT footholds evade traditional detection, increasing risk of credential theft and data exfiltration.
- Phishing lures tied to regional events demonstrate the need for contextual threat‑intel integration in vendor risk programs.
Who Is Affected — Energy & Utilities (oil & gas), especially third‑party service providers supporting refinery operations.
Recommended Actions —
- Conduct a phishing‑simulation and awareness program for all refinery personnel and third‑party contractors.
- Deploy endpoint detection and response (EDR) capable of detecting AsyncRAT behaviors.
- Enforce MFA and least‑privilege access for privileged accounts.
- Review and harden email gateway filters for VBS/PowerShell payloads.
Technical Notes — Attack vector: spear‑phishing → VBS downloader → PowerShell dropper → scheduled‑task persistence → AsyncRAT deployment. No specific CVE cited; AsyncRAT is a .NET RAT originally released on GitHub (2019). Collected data may include credentials, keystrokes, screenshots, and command‑execution logs. Source: DataBreachToday
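The attack chain in the Technical Notes (script host launching PowerShell, PowerShell registering a scheduled task) is what an EDR rule set would key on. Below is an added example, not code from the DataBreachToday report or from any vendor product, that runs three process‑lineage rules over constructed Sysmon‑style process‑creation records. The event fields (pid, ppid, image, cmdline, user), the script path, task name and user names are all assumptions chosen for illustration, not indicators from the campaign.

```python
"""Process-lineage rules for the VBS -> PowerShell -> scheduled-task chain.

Added example, not code from the report. Events are constructed records in a
Sysmon-like shape; the field names are an assumption, not any EDR's schema.
"""
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # VBS downloader stage
POWERSHELL = {"powershell.exe", "pwsh.exe"}     # PowerShell dropper stage
TASK_TOOL = "schtasks.exe"                      # scheduled-task persistence stage


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the newly created process
    cmdline: str
    user: str


def _base(image: str) -> str:
    """Lower-cased file name of an image path (...\\WScript.EXE -> wscript.exe)."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _ancestors(by_pid, event, max_depth=6):
    """Yield parent, grandparent, ... of `event`, stopping at the root or max_depth."""
    cur = event
    for _ in range(max_depth):
        cur = by_pid.get(cur.ppid)
        if cur is None:
            return
        yield cur


def detect_chain(events):
    """Return a list of alert dicts, one per rule hit.

    script_host_spawns_powershell - wscript/cscript directly launches PowerShell
    powershell_creates_task       - a PowerShell child runs `schtasks /create`
    full_chain                    - a `schtasks /create` whose lineage has
                                    PowerShell sitting under a script host
    """
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        p_img, img = _base(parent.image), _base(e.image)

        if p_img in SCRIPT_HOSTS and img in POWERSHELL:
            alerts.append({"rule": "script_host_spawns_powershell",
                           "pids": (parent.pid, e.pid), "user": e.user})

        if img == TASK_TOOL and "/create" in e.cmdline.lower():
            if p_img in POWERSHELL:
                alerts.append({"rule": "powershell_creates_task",
                               "pids": (parent.pid, e.pid), "user": e.user})
            # Walk upward: PowerShell must appear before (below) a script host.
            seen_powershell = False
            for anc in _ancestors(by_pid, e):
                b = _base(anc.image)
                if b in POWERSHELL:
                    seen_powershell = True
                elif seen_powershell and b in SCRIPT_HOSTS:
                    alerts.append({"rule": "full_chain", "pids": (anc.pid, e.pid),
                                   "user": e.user, "task_cmd": e.cmdline})
                    break
    return alerts


# Constructed telemetry: one malicious lineage and one benign admin lineage.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe", "corp\\alice"),
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
              "outlook.exe", "corp\\alice"),
    # user opens the lure attachment: the script host runs the VBS downloader
    ProcEvent(300, 200, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\alice\AppData\Local\Temp\briefing.vbs"', "corp\\alice"),
    # the VBS launches the PowerShell dropper (path is a placeholder)
    ProcEvent(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -NoProfile -WindowStyle Hidden -File C:\Users\Public\stage.ps1",
              "corp\\alice"),
    # the dropper registers persistence (task name and target are placeholders)
    ProcEvent(500, 400, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /tn "SyncHelper" /tr "C:\Users\Public\svc.exe" /sc minute /mo 5',
              "corp\\alice"),
    # benign: an admin lists tasks from an interactive PowerShell window
    ProcEvent(600, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe", "corp\\admin"),
    ProcEvent(700, 600, r"C:\Windows\System32\schtasks.exe",
              "schtasks.exe /query /fo list", "corp\\admin"),
]


def summarize(alerts):
    """Count alerts per rule; a compact triage view."""
    counts = {}
    for a in alerts:
        counts[a["rule"]] = counts.get(a["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    for a in detect_chain(SAMPLE_EVENTS):
        print(a)
```

On the constructed data the malicious lineage fires all three rules while the admin's `schtasks /query` from an interactive PowerShell window fires none; the `full_chain` rule is the one worth paging on, since the two single‑hop rules will see some noise from logon scripts and admin tooling and are better used as enrichment.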