Full Report
The Middle East and North Africa have become the target of a new campaign that delivers a modified version of a known malware called AsyncRAT since September 2024. "The campaign, which leverages social media to distribute malware, is tied to the region's current geopolitical climate," Positive Technologies researchers Klimentiy Galkin and Stanislav Pyzhov said in an analysis published last week.
Analysis Summary
# Threat Actor: Desert Dexter
## Attribution & Identity
The activity is tracked under the name **Desert Dexter**. The operator's real identity is unknown, but Arabic-language comments and a Telegram channel named "dexterlyly" (created October 5, 2024) point to a possible Libyan origin.
## Activity Summary
Activity began around September 2024 and was discovered in February 2025. The campaign aims at stealing data and cryptocurrency-related information, using lures tied to the region's current geopolitical climate. An estimated 900 victims have been infected since fall 2024, with social media used as the distribution channel.
## Tactics, Techniques & Procedures
- **Initial Access:** Facebook advertisements placed from temporary accounts or fake news channels carry links to legitimate file-sharing services or to attacker-controlled Telegram channels.
- **Execution Chain:** The chain starts with a RAR archive containing either a batch script or a JavaScript file, which launches a PowerShell script as the second stage.
- **Defense Evasion/Persistence:** The PowerShell script terminates processes associated with various .NET services that could interfere with it; deletes existing BAT, PS1 and VBS files from `C:\ProgramData\WindowsHost` and `C:\Users\Public`; and then writes its own VBS, BAT and PS1 files to establish persistence.
- **Payload Delivery:** The final AsyncRAT payload is injected into the legitimate .NET build tool `aspnet_compiler.exe`.
- **Exfiltration/Action on Objectives:** Gathers system information and sends it to a Telegram bot, takes screenshots, searches for 16 cryptocurrency wallet browser extensions and desktop applications, and runs an offline keylogger.
## Targeting
- **Sectors:** Oil production, construction, information technology, and agriculture.
- **Geography:** Middle East and North Africa (MENA), with a majority of victims located in Libya, Saudi Arabia, Egypt, Turkey, the United Arab Emirates, Qatar, and Tunisia.
- **Victims:** Primarily ordinary users.
## Tools & Infrastructure
- **Malware Families Used:** A modified version of **AsyncRAT** (Remote Access Trojan) extended with custom functionality (offline keylogger, cryptocurrency wallet search, Telegram bot communication). **Luminosity Link RAT** was also visible in a screenshot of the attacker's own desktop.
- **Infrastructure:**
- Malware hosted on legitimate online file-sharing accounts or specially set up Telegram channels.
- Exfiltration, and apparently command and control as well, goes through a **Telegram bot**.
- A specific Telegram channel observed: `t[dot]me/dexterlyly`
## Implications
Desert Dexter runs a widespread, geographically focused campaign leveraging social engineering that references current geopolitical events to trick ordinary users. While the tools used are not overly sophisticated, the effective combination of Facebook advertising, legitimate file hosting, and localized lures has resulted in significant victim counts across critical economic sectors in the MENA region, focusing specifically on stealing data and cryptocurrency access.
## Mitigations
- Users should be extremely cautious about links shared via social media, especially those referencing current sensitive geopolitical topics.
- Monitor for process terminations of .NET services, and for creation (or deletion followed by re-creation) of VBS, BAT and PS1 files in `C:\ProgramData\WindowsHost` and `C:\Users\Public`; neither directory is a normal location for scripts written by end-user software.
- Monitor outbound connections to `api.telegram.org` (the Telegram Bot API endpoint) from hosts or processes with no business reason to use Telegram; a Windows system binary making such a connection is a strong signal on its own.
- Alert on `aspnet_compiler.exe` being started by PowerShell, `cmd.exe` or a script host (`wscript.exe`, `cscript.exe`), or making any network connection. It is a .NET SDK build tool that rarely needs to run on end-user workstations, so application control can block it where it is not required; note that blocking unneeded binaries shrinks the set of available injection targets but does not by itself stop injection into a binary that is allowed.
- Deploy endpoint detection and response capable of identifying AsyncRAT and Luminosity Link RAT behavior.
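The following is an added example, not code from the original report or from Positive Technologies: a small detection pass that turns the TTPs and monitoring points above into three checks run over constructed, Sysmon-style events (EventID 1 ProcessCreate, 3 NetworkConnect, 11 FileCreate). The staging directories and `aspnet_compiler.exe` come from the analysis; `api.telegram.org` is assumed as the Telegram Bot API host; hostnames, paths and the sample events themselves are invented for illustration.

```python
"""Detection pass for the Desert Dexter / modified AsyncRAT TTPs.

Added example, not from the original report. Events are hand-written
dictionaries loosely modelled on Sysmon fields; all sample data is
constructed, not captured telemetry.
"""
from collections import defaultdict

# Staging/persistence directories named in the analysis.
STAGING_DIRS = (r"c:\programdata\windowshost", r"c:\users\public")
SCRIPT_EXTS = (".vbs", ".bat", ".ps1")
# aspnet_compiler.exe is a .NET SDK build tool; being spawned by a script
# host or PowerShell, or making outbound connections, is the injection tell.
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe")
TELEGRAM_API = "api.telegram.org"  # assumption: standard Telegram Bot API host


def _norm(path):
    """Lower-case and backslash-normalise a Windows path for comparison."""
    return path.replace("/", "\\").lower()


def _basename(path):
    return _norm(path).rsplit("\\", 1)[-1]


def check_file_create(ev):
    """FileCreate (EventID 11): a script dropped into a staging directory."""
    target = _norm(ev.get("TargetFilename", ""))
    if target.endswith(SCRIPT_EXTS) and any(target.startswith(d + "\\") for d in STAGING_DIRS):
        return f"script written to staging dir: {ev['TargetFilename']}"
    return None


def check_process_create(ev):
    """ProcessCreate (EventID 1): aspnet_compiler.exe launched by a script host."""
    image = _basename(ev.get("Image", ""))
    parent = _basename(ev.get("ParentImage", ""))
    if image == "aspnet_compiler.exe" and parent in SCRIPT_HOSTS:
        return f"aspnet_compiler.exe spawned by {parent} (likely injection target)"
    return None


def check_network_connect(ev):
    """NetworkConnect (EventID 3): the injected host process talking to Telegram."""
    image = _basename(ev.get("Image", ""))
    host = ev.get("DestinationHostname", "").lower()
    if image == "aspnet_compiler.exe" and host.endswith(TELEGRAM_API):
        return f"aspnet_compiler.exe connecting to {host} (possible Telegram bot C2)"
    return None


CHECKS = {1: check_process_create, 3: check_network_connect, 11: check_file_create}


def detect(events):
    """Run each event through the check for its EventID; return hits per host."""
    hits = defaultdict(list)
    for ev in events:
        check = CHECKS.get(ev.get("EventID"))
        if check is None:
            continue
        reason = check(ev)
        if reason:
            hits[ev.get("Computer", "?")].append(reason)
    return dict(hits)


# Constructed sample telemetry (not real logs): one infected host, one benign.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ASPNET = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
SAMPLE_EVENTS = [
    {"EventID": 11, "Computer": "WS-01", "Image": PS,
     "TargetFilename": r"C:\ProgramData\WindowsHost\update.vbs"},
    {"EventID": 11, "Computer": "WS-01", "Image": PS,
     "TargetFilename": r"C:\Users\Public\run.bat"},
    {"EventID": 1, "Computer": "WS-01", "Image": ASPNET, "ParentImage": PS},
    {"EventID": 3, "Computer": "WS-01", "Image": ASPNET,
     "DestinationHostname": "api.telegram.org"},
    # Benign: a developer building a site with the same tool from Visual Studio.
    {"EventID": 1, "Computer": "DEV-02", "Image": ASPNET,
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"},
    {"EventID": 11, "Computer": "DEV-02", "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\Public\Documents\notes.txt"},
]

if __name__ == "__main__":
    for host, reasons in detect(SAMPLE_EVENTS).items():
        print(host)
        for reason in reasons:
            print("  -", reason)
```

The three checks are deliberately independent so each can be ported to a SIEM rule on its own; in practice the file-create check has the highest false-positive risk (installers do write to `C:\Users\Public`), so it is most useful when correlated with either of the other two on the same host within a short window.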