Libyan oil refinery targeted in months-long espionage campaign that used AsyncRAT and political lures
A Libyan oil refinery, a telecoms organization, and a state institution were targeted in a likely espionage campaign that ran from November 2025 to mid-February 2026, according to Symantec researchers at Broadcom. The attackers used AsyncRAT, a widely available remote access trojan, along with Libya-themed phishing lures tied to current political events. Broadcom says the choice of targets and the sustained access suggest the activity may have been state-sponsored, though it did not attribute the campaign to a specific group.
The refinery angle stands out because Libya’s oil output averaged about 1.37 million barrels per day in 2025, its highest level in more than a decade, making the sector especially sensitive at a time of regional tension and energy market volatility. Broadcom explicitly noted that while the intrusions predated the latest Gulf crisis, disruption in the Middle East could increase pressure on oil producers elsewhere.
What Symantec found
Broadcom’s write-up says investigators found lure documents on compromised networks that referenced Libyan current affairs. One filename cited publicly was “Leaked CCTV footage – Saif al-Gaddafi’s assassination.gz,” which shows the attackers were using local political interest to improve click rates and make the phishing emails more convincing.
The researchers also said the oil company appeared to have been compromised for an extended period. BankInfoSecurity, citing Symantec and Carbon Black, reported that the attackers maintained long-term access to at least one oil company network from November 2025 through mid-February 2026. Files later uploaded to VirusTotal suggest the broader activity may have started as early as April 2025.
How the infection chain worked
The campaign appears to have started with spear-phishing. Broadcom’s report and secondary reporting describe a VBS downloader with a Libya-themed filename, including one example called video_saif_gadafi_2026.vbs. That script pulled additional payloads from KrakenFiles, a file-hosting platform, which helped the attackers stage the infection in multiple steps instead of dropping the final malware immediately.
From there, the VBS downloader retrieved a PowerShell dropper disguised as image.png. Researchers say that component created a scheduled task named devil using an XML file stored at C:\Users\Public\Music\Googless.xml, then deleted the task after execution to reduce visible traces. The final payload was AsyncRAT, which gave the attackers remote command execution, keylogging, and screenshot capture.
Why AsyncRAT remains attractive to attackers
AsyncRAT is open source and easy to customize, which makes it useful to both criminal groups and state-linked operators. Because it is widely available and not exclusive to one threat actor, defenders often struggle to attribute campaigns that use it. In this case, Broadcom stopped short of naming a responsible group and instead said the targeting pattern pointed to likely espionage.
That is also why this incident matters beyond Libya. Commodity malware does not always mean low-end tradecraft. A patient attacker can still use a public RAT effectively when the targeting is careful, the lure is relevant, and the persistence is quiet. This campaign appears to fit that model.
Key campaign details
| Item | Details |
|---|---|
| Targets | Libyan oil refinery, telecoms organization, state institution |
| Activity window | November 2025 to mid-February 2026 |
| Suspected motive | Espionage |
| Initial lure style | Libya-themed spear-phishing tied to current events |
| Early-stage malware | VBS downloader |
| Staging host | KrakenFiles |
| Persistence method | Scheduled task named devil using Googless.xml |
| Final payload | AsyncRAT |
Sources: Broadcom Symantec and follow-up reporting.
What defenders should watch for
Security teams in energy, telecoms, and government should treat topical local-news lures as a serious risk, especially when they reference political violence, leaked footage, or controversial public figures. This campaign shows that the social-engineering layer was not generic spam. It was localized and tailored.
Defenders should also look for unusual VBS execution, PowerShell launched from odd paths, scheduled task creation tied to XML files in public directories, and outbound traffic that follows scripted staging behavior. Those patterns match the infection chain Broadcom and follow-up reporting described.
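As an added example (not code from Broadcom's report or the follow-up coverage), the Python below runs those four checks over constructed process-creation records shaped like Sysmon Event ID 1 fields; only the task name `devil`, the XML path `C:\Users\Public\Music\Googless.xml` and the filename `video_saif_gadafi_2026.vbs` come from the reporting, every other value is made up.

```python
import re
from datetime import datetime

# Constructed sample records: (timestamp, image basename, parent basename, command line).
# Only the task name, XML path and VBS filename are reported values; the rest is invented.
EVENTS = [
    ("2026-01-14T09:02:11", "wscript.exe", "OUTLOOK.EXE",
     r'wscript.exe "C:\Users\ali\Downloads\video_saif_gadafi_2026.vbs"'),
    ("2026-01-14T09:02:14", "powershell.exe", "wscript.exe",
     r'powershell.exe -w hidden -c "<dropper fetched as image.png, body not reproduced>"'),
    ("2026-01-14T09:02:15", "schtasks.exe", "powershell.exe",
     r'schtasks.exe /create /tn devil /xml "C:\Users\Public\Music\Googless.xml" /f'),
    ("2026-01-14T09:03:00", "schtasks.exe", "powershell.exe", r"schtasks.exe /delete /tn devil /f"),
    ("2026-01-14T10:15:00", "powershell.exe", "explorer.exe", r"powershell.exe -File C:\Scripts\backup.ps1"),
]

# User-writable staging locations where a task XML or a VBS lure has no business living.
STAGING_DIRS = re.compile(r"\\users\\public\\|\\users\\[^\\]+\\downloads\\|\\appdata\\local\\temp\\", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
TASK_NAME = re.compile(r'/tn\s+"?([^\s"]+)', re.I)
TASK_XML = re.compile(r'/xml\s+"?([^"]+?\.xml)', re.I)

def find_suspicious(events, cleanup_window_s=600):
    """Return (timestamp, reason) pairs for records matching the VBS -> PowerShell -> task chain."""
    findings, created = [], {}  # created: task name -> registration time, to pair create/delete
    for ts_s, img, parent, cmd in events:
        ts, low = datetime.fromisoformat(ts_s), cmd.lower()
        img, parent = img.lower(), parent.lower()
        if img in SCRIPT_HOSTS and ".vbs" in low and STAGING_DIRS.search(low):
            findings.append((ts_s, "script host running .vbs from a user-writable path"))
        if img == "powershell.exe" and parent in SCRIPT_HOSTS:
            findings.append((ts_s, "PowerShell spawned by a script host"))
        if img == "schtasks.exe":
            name, xml = TASK_NAME.search(cmd), TASK_XML.search(cmd)
            if "/create" in low and xml and STAGING_DIRS.search(xml.group(1)):
                findings.append((ts_s, f"task registered from XML in staging dir: {xml.group(1)}"))
                if name:
                    created[name.group(1).lower()] = ts
            elif "/delete" in low and name and name.group(1).lower() in created:
                age = (ts - created[name.group(1).lower()]).total_seconds()
                if age <= cleanup_window_s:  # quick self-deletion is the trace-reduction step described above
                    findings.append((ts_s, f"task {name.group(1)} deleted {age:.0f}s after creation"))
    return findings

if __name__ == "__main__":
    for ts, reason in find_suspicious(EVENTS):
        print(ts, reason)
```

The last record, an admin running a script from a fixed path under Explorer, produces no finding, which is the false-positive case the staging-directory and parent-process conditions are there to exclude.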
FAQ
Broadcom said the victims included a Libyan oil refinery, a telecoms organization, and a state institution.
No. Broadcom said the activity may have been state-sponsored, but it did not name a specific actor.
The final payload was AsyncRAT, a public remote access trojan that supports remote commands, keylogging, and screenshot capture.
Researchers said the campaign likely began with spear-phishing that delivered a VBS downloader using Libya-themed filenames and lures tied to current events.
Libya’s oil output reached about 1.37 million barrels per day in 2025, its highest in more than a decade, which makes the sector strategically important.