Cyber Espionage Campaign Targets Libyan Critical Infrastructure with AsyncRAT
Between November 2025 and February 2026, a coordinated cyber espionage campaign compromised a Libyan oil refinery, a telecommunications organization, and a state institution. The attacks deployed AsyncRAT, an open-source remote access Trojan (RAT) favored by both cybercriminals and state-sponsored threat actors for its modular surveillance capabilities, including keystroke logging, screenshot capture, and remote command execution.
Researchers at Symantec uncovered the campaign after analyzing compromised networks, where they found lure documents exploiting Libyan political events. One file, titled “Leaked CCTV footage – Saif al-Gaddafi’s assassination.gz,” capitalized on the February 3, 2026, killing of Saif al-Gaddafi, son of former Libyan leader Muammar Gaddafi. The targeted nature of these lures indicated a deliberate focus on Libyan entities.
Libya’s energy sector has gained strategic importance, with the country producing 1.37 million barrels of oil per day in 2025, its highest output in over a decade. Amid regional tensions, including clashes in the Strait of Hormuz, the attack on a Libyan refinery carried significant geopolitical implications. Evidence on VirusTotal suggests the campaign may have begun as early as April 2025, with persistent access to the oil company’s network maintained from November 2025 to mid-February 2026.
The multi-stage infection chain began with spear-phishing emails containing politically themed documents. A VBS downloader (e.g., video_saif_gadafi_2026.vbs), hosted on KrakenFiles, initiated the compromise. Upon execution, it fetched a PowerShell dropper disguised as image.png, which created a Windows scheduled task named “devil” from an XML file (Googless.xml) in a public directory. The task was later deleted to evade detection.
AsyncRAT, the final payload, provided attackers with full remote control, enabling intelligence collection while allowing silent updates to its capabilities. The campaign’s sophistication, combining social engineering, multi-stage delivery, and stealth persistence, highlighted its focus on long-term espionage rather than immediate disruption. The use of AsyncRAT, a publicly available tool, further complicated attribution efforts.
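As an added defender-side example (not code from the Symantec report or the source article), the Python below checks scheduled-task events for the two persistence traits described above: a task that is deleted shortly after it is created, and a task whose action runs from a public or temp directory. The records are constructed samples normalized from Windows Security events 4698 (task created, which carries the task XML) and 4699 (task deleted); the field names `ts`, `id`, `task` and `content` are this example's own assumed normalization.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# World-writable or staging locations that a scheduled task's action should rarely point at.
PUBLIC_DIRS = re.compile(r"\\Users\\Public\\|\\ProgramData\\|\\Temp\\", re.IGNORECASE)
SHORT_LIVED = timedelta(hours=72)  # creation-to-deletion window worth flagging
# Constructed sample records (not real telemetry), normalized from Security log
# events 4698 (task created, carries the task XML) and 4699 (task deleted).
SAMPLE_EVENTS = [
    {"ts": "2026-02-04T09:12:03", "id": 4698, "task": r"\devil",
     "content": r'<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
                r"<Actions><Exec><Command>powershell.exe</Command>"
                r"<Arguments>C:\Users\Public\image.png</Arguments></Exec></Actions></Task>"},
    {"ts": "2026-02-04T11:40:00", "id": 4699, "task": r"\devil"},
    {"ts": "2026-01-20T08:00:00", "id": 4698, "task": r"\Vendor\Updater",
     "content": r'<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
                r"<Actions><Exec><Command>C:\Program Files\Vendor\upd.exe</Command></Exec></Actions></Task>"},
    {"ts": "2026-02-01T08:00:00", "id": 4699, "task": r"\Vendor\Updater"},
]

def task_commands(task_xml):
    """Return 'command arguments' strings for every Exec action in a task definition."""
    root = ET.fromstring(task_xml)
    cmds = []
    for exe in root.findall(".//t:Exec", TASK_NS):
        cmd = exe.findtext("t:Command", default="", namespaces=TASK_NS)
        args = exe.findtext("t:Arguments", default="", namespaces=TASK_NS)
        cmds.append(f"{cmd} {args}".strip())
    return cmds

def flag_suspicious_tasks(events):
    """Pair each 4698 with its 4699 and report short-lived or public-directory tasks."""
    created, findings = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["id"] == 4698:
            created[ev["task"]] = (ts, ev["content"])
        elif ev["id"] == 4699 and ev["task"] in created:
            t0, content = created.pop(ev["task"])
            cmds, reasons = task_commands(content), []
            if ts - t0 <= SHORT_LIVED:
                reasons.append(f"deleted {ts - t0} after creation")
            if any(PUBLIC_DIRS.search(c) for c in cmds):
                reasons.append("action runs from a public or temp directory")
            if reasons:
                findings.append({"task": ev["task"], "commands": cmds, "reasons": reasons})
    return findings
```

Tasks that are created but never deleted remain in `created` and are not reported here; a separate pass over that dictionary would catch long-lived tasks whose actions point at public directories.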
Source: https://cybersecuritynews.com/libyan-oil-refinery-hit-in-long-running-espionage/
Libyan National Oil Corporation - Houston cybersecurity rating report: https://www.rankiteo.com/company/libyan-national-oil-corporation-houston-branch
The Libyan International Telecom Company cybersecurity rating report: https://www.rankiteo.com/company/the-libyan-international-telecom-company
{
"id": "LIBTHE1774312324",
"linkid": "libyan-national-oil-corporation-houston-branch, the-libyan-international-telecom-company",
"type": "Cyber Attack",
"date": "3/2026",
"severity": "100",
"impact": "8",
"explanation": "Attack that could bring to a war"
}
{'affected_entities': [{'industry': 'Energy/Oil & Gas',
'location': 'Libya',
'name': 'Libyan oil refinery',
'type': 'Oil Refining Company'},
{'industry': 'Telecommunications',
'location': 'Libya',
'name': 'Libyan telecommunications organization',
'type': 'Telecommunications Company'},
{'industry': 'Government',
'location': 'Libya',
'name': 'Libyan state institution',
'type': 'Government Institution'}],
'attack_vector': 'Spear-phishing emails',
'data_breach': {'data_exfiltration': 'Yes',
'sensitivity_of_data': 'High',
'type_of_data_compromised': 'Surveillance data (keystrokes, '
'screenshots), intelligence data'},
'date_detected': '2026-02',
'description': 'Between November 2025 and February 2026, a coordinated cyber '
'espionage campaign compromised a Libyan oil refinery, a '
'telecommunications organization, and a state institution. The '
'attacks deployed AsyncRAT, an open-source remote access '
'Trojan (RAT) used for modular surveillance capabilities, '
'including keystroke logging, screenshot capture, and remote '
'command execution. The campaign exploited Libyan political '
"events using lure documents, such as a file titled 'Leaked "
"CCTV footage – Saif al-Gaddafi’s assassination.gz.'",
'impact': {'data_compromised': 'Intelligence data, surveillance data '
'(keystrokes, screenshots)',
'operational_impact': 'Long-term espionage, potential geopolitical '
'disruption',
'systems_affected': 'Oil refinery, telecommunications, state '
'institution networks'},
'investigation_status': 'Ongoing',
'motivation': 'Espionage, Intelligence Collection',
'post_incident_analysis': {'root_causes': 'Spear-phishing, lure documents '
'exploiting political events, '
'multi-stage infection chain (VBS '
'downloader, PowerShell dropper, '
'scheduled tasks)'},
'references': [{'source': 'Symantec'}, {'source': 'VirusTotal'}],
'response': {'third_party_assistance': 'Symantec'},
'title': 'Cyber Espionage Campaign Targets Libyan Critical Infrastructure '
'with AsyncRAT',
'type': 'Cyber Espionage'}