Desert Dexter Targets 900 Victims Using Facebook Ads and Telegram Malware Links

Mar 10, 2025 | Ravie Lakshmanan | Data Theft / Cryptocurrency

The Middle East and North Africa have become the target of a new campaign that has been delivering a modified version of a known malware since September 2024.

"The campaign, which leverages social media to distribute malware, is tied to the country's current political climate," Positive Technologies researchers Klimentiy Galkin and Stanislav Pyzhov said in an analysis published last year. "The attackers host malware in legitimate file-sharing accounts or Telegram channels set up specifically for this purpose."

The campaign is estimated to have claimed about 900 victims since fall 2024, the Russian security company added, indicating its widespread nature. A majority of the victims are located in Libya, Saudi Arabia, Egypt, Turkey, the United Arab Emirates, Qatar, and Tunisia.

The activity, attributed to a threat actor dubbed Desert Dexter, was discovered in February 2025. It mostly involves creating temporary accounts and news channels on Facebook. These accounts are then used to post advertisements containing links to a file-sharing service or a Telegram channel.

The links, in turn, redirect users to a variant of the malware that has been modified to include an offline keylogger, search for 16 different cryptocurrency wallet extensions and applications, and communicate with a Telegram bot.

The infection chain starts with a ZIP archive that contains either a batch script or a JavaScript file, both of which are programmed to run a PowerShell script responsible for triggering the next stage of the attack.

Specifically, it terminates processes associated with various .NET services that could prevent the malware from starting, deletes files with the extensions BAT, PS1, and VBS from the "C:\ProgramData\Windows Host" and "C:\Users\Public" folders, and then creates a new VBS file in C:\ProgramData\Windows Host and BAT and PS1 files in C:\Users\Public.

The script then establishes persistence on the system, gathers and exfiltrates system information to a Telegram bot, takes a screenshot, and ultimately launches the AsyncRAT payload by injecting it into the "aspnet_compiler.exe" executable.
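The staging behaviour described above (a script host launching PowerShell, BAT/PS1/VBS files dropped under C:\ProgramData\Windows Host and C:\Users\Public, and aspnet_compiler.exe spawned as the injection host) leaves artifacts that a defender can hunt for in endpoint telemetry. The script below is an added example written for this article, not code from Positive Technologies or from the campaign itself; the event records are constructed in a simplified Sysmon-like shape whose field names (`type`, `image`, `parent`, `target`) are an assumption, not any product's real schema, and the rule that PowerShell is the parent of aspnet_compiler.exe is inferred from the chain the article describes rather than stated by it.

```python
"""Hunt for Desert Dexter staging artifacts in process/file-creation telemetry.

Added example, not the researchers' code. Event dicts mimic a reduced
Sysmon-style schema (field names assumed): ProcessCreate events carry
'image' and 'parent'; FileCreate events carry 'image' and 'target'.
"""
from collections import Counter
from dataclasses import dataclass

# Folders and extensions the article reports the PowerShell stage writes to.
STAGING_DIRS = (r"c:\programdata\windows host", r"c:\users\public")
STAGING_EXTS = (".bat", ".ps1", ".vbs")
# Script hosts that run the JS/batch first stage (cmd.exe for .bat, wscript/cscript for .js).
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe"}
# Legitimate .NET binary the article says AsyncRAT is injected into.
INJECTION_TARGET = "aspnet_compiler.exe"


@dataclass
class Finding:
    rule: str
    event: dict


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.strip().lower().rsplit("\\", 1)[-1]


def staging_file_written(ev: dict) -> bool:
    """True when a BAT/PS1/VBS file lands under one of the staging folders (subfolders included)."""
    p = ev.get("target", "").strip().lower()
    in_dir = any(p.startswith(d + "\\") for d in STAGING_DIRS)
    return in_dir and p.endswith(STAGING_EXTS)


def hunt(events: list[dict]) -> list[Finding]:
    """Apply the three behavioural rules and return every match."""
    findings: list[Finding] = []
    for ev in events:
        kind = ev.get("type")
        if kind == "FileCreate" and staging_file_written(ev):
            findings.append(Finding("staging_file_written", ev))
        elif kind == "ProcessCreate":
            img, par = _base(ev.get("image", "")), _base(ev.get("parent", ""))
            # Stage 1 -> stage 2: batch/JS script host launching PowerShell.
            if par in SCRIPT_HOSTS and img == "powershell.exe":
                findings.append(Finding("script_host_spawns_powershell", ev))
            # Stage 2 -> payload: PowerShell starting the injection host
            # (assumed parent; normal builds start it from MSBuild/devenv, not PowerShell).
            if par == "powershell.exe" and img == INJECTION_TARGET:
                findings.append(Finding("powershell_spawns_injection_host", ev))
    return findings


def rule_counts(findings: list[Finding]) -> dict[str, int]:
    """Summarise findings per rule."""
    return dict(Counter(f.rule for f in findings))


# Constructed sample telemetry: one full chain plus two benign look-alikes.
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_ASPNET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"type": "ProcessCreate", "image": _PS, "parent": r"C:\Windows\System32\wscript.exe"},
    {"type": "FileCreate", "image": _PS, "target": r"C:\ProgramData\Windows Host\update.vbs"},
    {"type": "FileCreate", "image": _PS, "target": r"C:\Users\Public\run.bat"},
    {"type": "FileCreate", "image": _PS, "target": r"C:\Users\Public\stage.ps1"},
    {"type": "ProcessCreate", "image": _ASPNET, "parent": _PS},
    # Benign: Visual Studio precompiling a web project, and a plain text file.
    {"type": "ProcessCreate", "image": _ASPNET,
     "parent": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"},
    {"type": "FileCreate", "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\Public\Documents\notes.txt"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.rule:34} {f.event.get('target') or f.event.get('image')}")
    print(rule_counts(hunt(SAMPLE_EVENTS)))
```

Each rule on its own is noisy (administrators do drop .ps1 files in C:\Users\Public, and build servers do run aspnet_compiler.exe); the value is in correlating the three on one host within a short window, which is why the function returns the matching events rather than a single verdict.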

It’s currently not known who is behind the campaign, although Arabic language comments in the JavaScript file allude to their possible origin.

Further analysis of the messages sent to the Telegram bot has revealed screenshots of the attacker's own desktop, named "DEXTERMS I", featuring the PowerShell script as well as a tool named . Also present in the Telegram bot is a link to a Telegram channel named "", suggesting that the threat actor could be from Libya. The channel was created on October 5, 2024.

"The majority of victims are ordinary users, including employees in the following sectors: oil production, construction, information technology, [and] agriculture," the researchers said.

"The tools used by Desert Dexter are not particularly sophisticated. However, the combination of Facebook ads with legitimate services and references to the geopolitical situation has led to the infection of numerous devices."

The development comes as QiAnXin detailed a spear-phishing campaign dubbed Operation Sea Elephant that has been found targeting scientific research institutions in China with the goal of delivering a backdoor capable of harvesting sensitive information related to ocean sciences and technologies.

The activity has been attributed to a cluster named UTG-Q-011, which, it said, is a subset of another adversarial collective called the CNC group that shares tactical overlaps with , a threat actor believed to be from India.
