Libyan Oil Refinery Among Targets in Long-running Likely Espionage Campaign

Between November 2025 and February 2026, targeted spear-phishing campaigns delivered a VBS downloader and PowerShell droppers that ultimately installed the AsyncRAT backdoor on Libyan organizations, including an oil refinery, a telecoms provider and a state institution. The campaign used Libya-themed lure filenames, a KrakenFiles-hosted PowerShell dropper, and persistence through a scheduled task named ‘devil’, suggesting focused targeting that could be state sponsored. #AsyncRAT #LibyanOilRefinery

Keypoints

  • Multiple Libyan organizations (an oil refinery, a telecoms organization, and a state institution) were compromised between November 2025 and mid-February 2026.
  • Initial access was likely achieved via spear-phishing using Libya-themed lure documents and VBS files (e.g., video_saif_gaddafi_2026.vbs).
  • A VBS downloader fetched a PowerShell dropper from a KrakenFiles URL, which in turn created a scheduled task named “devil” to execute the payloads.
  • The final payload deployed was AsyncRAT, a publicly available RAT with keylogging, screen capture, and remote command execution capabilities.
  • Artifacts on VirusTotal suggest the campaign may have begun as early as April 2025 with many Libya-themed filenames, indicating sustained and focused targeting.
  • The targeting of energy sector infrastructure amid regional instability highlights risk to oil producers and the use of topical events as phishing lures.

MITRE Techniques

  • [T1566.002] Spearphishing Attachment – Initial access via lure documents with Libya-themed names (‘lure documents on compromised networks that leverage interest in Libyan current affairs, with one lure document having the title “Leaked CCTV footage – Saif al-Gaddafi’s assassination.gz”’)
  • [T1059.005] Command and Scripting Interpreter: Visual Basic – Use of VBS downloader files to fetch additional payloads (‘VBS downloader, … video_saif_gadafi_2026.vbs’)
  • [T1105] Ingress Tool Transfer – Downloading components from a cloud file host to victim systems (‘https://hs8.krakenfiles[.]com/uploads/15-02-2026/JCaF7rrPQm/image.png’)
  • [T1059.001] Command and Scripting Interpreter: PowerShell – Use of a PowerShell dropper (Filename: image.png) to install persistence and payloads (‘This downloads a PowerShell dropper (Filename: image.png).’)
  • [T1053.005] Scheduled Task/Job: Scheduled Task – Persistence via a scheduled task named “devil” created and run by the dropper (‘The PowerShell dropper creates the following scheduled task named ‘devil’ … “schtasks.exe” /Create /XML C:\Users\Public\Music/Googless.xml /TN devil’)
  • [T1219] Remote Access Software – Deployment of AsyncRAT as the final remote access payload (‘The dropper also downloads the AsyncRAT backdoor, which is the final payload.’)
  • [T1056.001] Input Capture: Keylogging – AsyncRAT used for keylogging (‘AsyncRAT is a remote access Trojan with a variety of capabilities, including keylogging, screen capture, and remote command execution capabilities’)
  • [T1113] Screen Capture – AsyncRAT used to capture screens on infected hosts (‘AsyncRAT is a remote access Trojan with a variety of capabilities, including keylogging, screen capture, and remote command execution capabilities’)

Indicators of Compromise

  • [File Hashes] Hashes of droppers and AsyncRAT samples observed – 12c65ac4e02313ed1aa2d32d56428f0a135b281604d536e5ae6ca08b6b4232c9 (AsyncRAT), 39eade26c5680d20f5a8032a0d3996a29058e52c147e4b49a2072d2dcb353325 (VBS downloader – video_saif_gaddafi_2026.vbs), and 26 more hashes.
  • [File Names] Lure documents and droppers used in phishing and delivery – video_saif_gadafi_2026.vbs, image.png (PowerShell dropper), and other Libya-themed VBS/PS1 files.
  • [Domains/URLs] Hosting location for downloader and payloads – https://hs8.krakenfiles[.]com/uploads/15-02-2026/JCaF7rrPQm/image.png, hs8.krakenfiles[.]com (KrakenFiles-hosted downloads).
  • [Scheduled Task Name] Persistence artifact created on infected hosts – scheduled task ‘devil’ created via schtasks.exe (C:\Users\Public\Music/Googless.xml /TN devil).
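As an added defender-side example (not code from the report or from Symantec), the Python below turns the chain in the MITRE and IoC sections into three process-creation checks: a script host running a .vbs file, PowerShell spawned by that script host, and schtasks /Create /XML importing a task definition staged under the world-writable C:\Users\Public tree or named ‘devil’. The events, their key=value format and the benign VendorBackup task are constructed for the demonstration.

```python
import re

# Constructed process-creation events in a simplified key=value form (hypothetical
# log format, not from the report). Paths mirror the artifacts the report names.
SAMPLE_EVENTS = [
    r'Image=C:\Windows\System32\wscript.exe ParentImage=C:\Windows\explorer.exe CommandLine="wscript.exe C:\Users\a.user\Downloads\video_saif_gaddafi_2026.vbs"',
    r'Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentImage=C:\Windows\System32\wscript.exe CommandLine="powershell.exe -NoProfile -WindowStyle Hidden -Command ..."',
    r'Image=C:\Windows\System32\schtasks.exe ParentImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="schtasks.exe /Create /XML C:\Users\Public\Music/Googless.xml /TN devil"',
    r'Image=C:\Windows\System32\schtasks.exe ParentImage=C:\Windows\explorer.exe CommandLine="schtasks.exe /Create /XML C:\ProgramData\Vendor\backup.xml /TN VendorBackup"',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Split a key=value event line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def classify_event(ev):
    """Return the names of the report-derived rules this event matches."""
    image = ev.get("Image", "").lower()
    parent = ev.get("ParentImage", "").lower()
    cmd = ev.get("CommandLine", "")
    hits = []
    # T1059.005: a Windows script host executing a .vbs file.
    if image.endswith(("wscript.exe", "cscript.exe")) and re.search(r"\.vbs\b", cmd, re.I):
        hits.append("vbs_script_host")
    # T1059.001: PowerShell spawned by a script host (the downloader -> dropper step).
    if image.endswith("powershell.exe") and parent.endswith(("wscript.exe", "cscript.exe")):
        hits.append("powershell_from_script_host")
    # T1053.005: schtasks /Create /XML importing a definition staged under
    # C:\Users\Public, or registering the task name the report observed.
    if image.endswith("schtasks.exe") and re.search(r"/create\b", cmd, re.I):
        xml = re.search(r"/XML\s+(\S+)", cmd, re.I)
        if xml and xml.group(1).lower().startswith(r"c:\users\public"):
            hits.append("schtasks_xml_from_public")
        if re.search(r"/TN\s+devil\b", cmd, re.I):
            hits.append("schtasks_name_devil")
    return hits

def scan(lines):
    """Map each matching event's CommandLine to its rule hits; clean events are omitted."""
    results = {}
    for line in lines:
        ev = parse_event(line)
        hits = classify_event(ev)
        if hits:
            results[ev["CommandLine"]] = hits
    return results

if __name__ == "__main__":
    for cmd, hits in scan(SAMPLE_EVENTS).items():
        print(f"{', '.join(hits):45s} {cmd}")
```

The two schtasks rules fire independently, so a task imported from C:\Users\Public under a different name is still flagged while the benign VendorBackup import is not.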


Read more: https://www.security.com/threat-intelligence/asyncrat-libya-oil-cyberattack