Libyan Infrastructure Under Cyber Attack
Between November 2025 and February 2026, a Libyan oil refinery, a telecommunications company and a state agency were targeted in an espionage campaign that deployed AsyncRAT, a widely available remote access Trojan used by cybercriminals and state-aligned groups alike. The incident has heightened concern about the security of Libya’s critical infrastructure.
AsyncRAT’s appeal to both criminals and state actors comes from its open-source code and its broad surveillance feature set: it can log keystrokes, capture screenshots and execute remote commands, which makes it well suited to prolonged intelligence collection. The same openness complicates attribution. Because the source is public and the tool is used by many unrelated actors, an AsyncRAT infection on its own says little about who is behind it.
Uncovering the Espionage Campaign
Symantec researchers identified the campaign while analyzing the compromised networks. Among the evidence were lure documents themed on major Libyan political events; one, named “Leaked CCTV footage – Saif al-Gaddafi’s assassination.gz,” traded on the assassination of Saif al-Gaddafi on February 3, 2026. Lures this specific indicate that the operators were deliberately targeting Libyan organizations rather than casting a wide net.
Libya’s energy sector, which produces 1.37 million barrels of oil per day, has drawn increased attention amid regional tensions and volatile oil prices. Compromising a Libyan refinery therefore carries substantial geopolitical weight, particularly while conflict continues in the Gulf. Disruption around the Strait of Hormuz, a vital global oil supply route, has already unsettled energy markets, which only increases the strategic significance of Libya’s output.
Persistent and Targeted Cyber Threats
Investigations suggest the campaign may have begun as early as April 2025: files with Libya-centric names had been uploaded to VirusTotal by then, pointing to a prolonged and focused effort. The attackers held persistent access to the targeted oil company’s network from November 2025 until mid-February 2026, consistent with sustained intelligence collection rather than a short-lived intrusion.
The intrusion chain began with spear-phishing emails carrying locally themed lure documents. On compromised systems, investigators found a VBScript downloader with politically charged filenames such as video_saif_gadafi_2026.vbs; the file had been retrieved from the KrakenFiles file-sharing platform and served as the first stage of a multi-stage infection. Hosting a stage on a legitimate file-sharing service lets the download blend in with ordinary web traffic and sidesteps simple domain-reputation blocking.
Strengthening Defense Against Cyber Espionage
Organizations in the energy, government and telecommunications sectors should harden against spear-phishing by training staff to recognise politically themed lures, but awareness alone is not enough. Monitor for unusual scheduled-task creation (Windows Security event 4698, which requires object-access auditing to be enabled), paying particular attention to tasks whose actions reference public or user-writable directories such as C:\Users\Public. Restrict execution of VBS and other script files from untrusted locations, for example by changing the default handler for .vbs and .js files to a text editor or by blocking wscript.exe and cscript.exe with AppLocker or WDAC, and limit PowerShell to authorised processes. Each of these controls breaks a multi-stage chain of this kind at the downloader step, before the RAT is ever installed.
Endpoint detection tooling tuned to AsyncRAT’s behaviour, such as unauthorised keylogging, screenshot capture and beaconing to command-and-control servers, is essential for organizations in high-risk sectors. Together these measures reduce the exposure of critical infrastructure to espionage campaigns of this kind.
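As an added illustration of the scheduled-task check recommended above (example code written for this page, not part of the Symantec report or of any tooling the article describes), the following Python parses the Task Scheduler XML carried in the TaskContent field of Windows Security event 4698 and flags tasks that launch a script host, reference a user-writable directory, point at a script file, or are marked hidden. The two event records are constructed samples; the task names, paths and the filename video_update.vbs are invented for illustration and do not come from the campaign.

```python
"""Triage Windows Security event 4698 ("A scheduled task was created").

Event 4698 carries the full Task Scheduler XML definition in its TaskContent
field. This script pulls out each <Exec> action and flags the patterns a
script-based downloader typically leaves behind: a script host such as
wscript.exe, a path under a user-writable directory, a script-file argument,
or a task hidden from the Task Scheduler UI.
"""
import re
import xml.etree.ElementTree as ET

# XML namespace used by Task Scheduler task definitions.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Directories any logged-on user can write to. Persistence that runs from here
# rather than from Program Files or System32 deserves a look.
WRITABLE_DIRS = re.compile(
    r"(?i)(\\Users\\Public\\|\\AppData\\(Local|Roaming)\\|\\Temp\\|"
    r"\\ProgramData\\|\\Downloads\\)"
)

# Script hosts and living-off-the-land binaries commonly used to launch downloaders.
SCRIPT_HOSTS = re.compile(
    r"(?i)(^|\\)(wscript|cscript|powershell|pwsh|mshta|rundll32|regsvr32|cmd)"
    r"(\.exe)?$"
)

# Script-file extensions a hardened host should not execute from untrusted locations.
SCRIPT_FILES = re.compile(r"(?i)\.(vbs|vbe|js|jse|wsf|wsh|hta|ps1|bat|cmd)\b")


def analyze_task(task_xml: str) -> list[str]:
    """Return the reasons a task definition looks suspicious (empty if clean)."""
    reasons: list[str] = []
    root = ET.fromstring(task_xml)

    for exec_node in root.iterfind("t:Actions/t:Exec", TASK_NS):
        command = exec_node.findtext("t:Command", default="", namespaces=TASK_NS).strip().strip('"')
        args = exec_node.findtext("t:Arguments", default="", namespaces=TASK_NS).strip()

        if SCRIPT_HOSTS.search(command):
            reasons.append(f"action runs a script host: {command}")
        if WRITABLE_DIRS.search(command) or WRITABLE_DIRS.search(args):
            reasons.append(f"action references a user-writable path: {command} {args}".rstrip())
        if SCRIPT_FILES.search(args):
            reasons.append(f"arguments point to a script file: {args}")

    hidden = root.findtext("t:Settings/t:Hidden", default="", namespaces=TASK_NS)
    if hidden.strip().lower() == "true":
        reasons.append("task is hidden from the Task Scheduler UI")

    return reasons


def triage(events):
    """Map each (TaskName, TaskContent) pair from event 4698 to its findings."""
    return {task_name: analyze_task(task_xml) for task_name, task_xml in events}


# Constructed sample records standing in for the TaskName and TaskContent fields
# of two 4698 events. The task names, paths and video_update.vbs are invented.
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Settings>
    <Hidden>true</Hidden>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>wscript.exe</Command>
      <Arguments>//B //Nologo "C:\Users\Public\Libraries\video_update.vbs"</Arguments>
    </Exec>
  </Actions>
</Task>"""

BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger><StartBoundary>2026-01-01T03:00:00</StartBoundary></CalendarTrigger>
  </Triggers>
  <Settings>
    <Hidden>false</Hidden>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>"C:\Program Files\Contoso Backup\backup.exe"</Command>
      <Arguments>--nightly</Arguments>
    </Exec>
  </Actions>
</Task>"""

SAMPLE_4698_EVENTS = [
    (r"\Microsoft\Windows\VideoUpdate", SUSPICIOUS_TASK),
    (r"\Contoso\NightlyBackup", BENIGN_TASK),
]

if __name__ == "__main__":
    for name, findings in triage(SAMPLE_4698_EVENTS).items():
        print(f"{name}: {'SUSPICIOUS' if findings else 'clean'}")
        for reason in findings:
            print(f"  - {reason}")
```

In production the TaskName and TaskContent values would be read from the event log (for example via a SIEM export or Get-WinEvent) rather than embedded; the rules above are deliberately broad, so expect to tune the writable-directory and script-host lists against a baseline of legitimate tasks before alerting on every hit.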
