Positive Technologies experts uncover new malware campaign in the Middle East

Three-quarters of potential victims are residents of Libya, Saudi Arabia, and Egypt

Threat Intelligence specialists at the Positive Technologies Expert Security Center (PT ESC) have identified and analyzed a new malware campaign targeting individuals in the Middle East and North Africa. Active since September 2024, the campaign delivers a modified version of AsyncRAT. To spread the malware, the attackers posed as news outlets on social media, publishing promotional posts that link to file-sharing platforms or Telegram channels. The modified RAT is built to steal cryptocurrency wallet data and reports back to the attackers through a Telegram bot.

The investigation revealed approximately 900 potential victims, most of whom are everyday users. Among those affected are employees working in industries such as oil and gas, construction, IT, and agriculture.

Analysis showed that most victims are located in Libya (49%), Saudi Arabia (17%), Egypt (10%), Turkey (9%), the UAE (7%), Qatar (5%), and other countries.

The group behind the campaign was dubbed Desert Dexter, named after one of the suspected authors. During the investigation, researchers found that the attackers rely on temporary accounts and fake news channels on Facebook[1] to bypass the platform's ad filters. A similar attack was documented by Check Point researchers in 2019, but the campaign described here introduces new techniques to the attack chain.

Denis Kuvshinov, Head of Threat Intelligence, Positive Technologies Expert Security Center, said: "This attack follows a multi-stage process. The victim is lured from a promotional post to a file-sharing service or a Telegram channel operated by the attackers, which imitates a media outlet. From there, the victim receives a RAR archive containing malicious files. These files download and execute AsyncRAT, gather necessary system information, and send it to the attackers' Telegram bot. The AsyncRAT version used in this campaign includes a modified IdSender module that collects information about cryptocurrency wallet extensions, two-factor authentication extensions in various browsers, and software used to manage cryptocurrency wallets."
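The one network artifact the description above fixes is the command-and-control channel: the RAT pushes collected data to a Telegram bot, which means the infected host talks to the Telegram Bot API. The following is an added example, not PT ESC code and not built from the report's indicators. It scans web-proxy log lines for Bot API calls, extracts the bot token (the operator's credential, which doubles as a blocking indicator) and separates outbound "send" calls from command polling. The log format, hostnames, process names and tokens are constructed for the example; the only thing taken as given is the documented Bot API URL layout, https://api.telegram.org/bot<token>/<method>, and the token shape check is a heuristic.

```python
"""Flag Telegram Bot API traffic in web-proxy logs.

Added example, not PT ESC code and not derived from the campaign's indicators.
Log format, hosts, processes and tokens below are constructed. The URL layout
https://api.telegram.org/bot<token>/<method> is the documented Bot API form;
the token regex is a heuristic on the usual "<numeric id>:<secret>" shape.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

BOT_API_HOST = "api.telegram.org"
# Path of a Bot API call: /bot<id>:<secret>/<method>. Secret length is heuristic.
BOT_PATH = re.compile(r"^/bot(\d{6,12}:[A-Za-z0-9_-]{30,})/(\w+)$")
# Methods a RAT uses to push stolen data to the operator's chat.
EXFIL_METHODS = {"sendMessage", "sendDocument", "sendPhoto"}


@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    process: str
    bot_id: str   # numeric half of the token, safe to put in a ticket
    token: str    # full token: the operator's credential, use it for blocking
    method: str
    kind: str     # "exfil" for send* methods, "poll" for anything else


def check_line(line: str):
    """Return a Finding for one proxy log line, or None if it is not a Bot API call.

    Constructed line format: "<ts> <host> <process> <verb> <url> <status>".
    The Bot API is meant for bots, not the regular Telegram client, so a
    workstation process calling it deserves a look regardless of the method.
    """
    fields = line.split()
    if len(fields) != 6:
        return None
    ts, host, proc, _verb, url, _status = fields
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or parts.hostname != BOT_API_HOST:
        return None
    match = BOT_PATH.match(parts.path)
    if not match:
        return None
    token, method = match.groups()
    kind = "exfil" if method in EXFIL_METHODS else "poll"
    return Finding(ts, host, proc, token.split(":")[0], token, method, kind)


def scan(lines):
    """Run check_line over an iterable of log lines, keeping only hits."""
    return [f for f in (check_line(line) for line in lines) if f]


def summarize(findings):
    """Map host -> sorted (process, bot_id) pairs, for triage and blocking."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add((f.process, f.bot_id))
    return {h: sorted(v) for h, v in by_host.items()}


# Constructed sample: two beacons from a shell on one host, a benign visit to
# Telegram Web, a bare hit on the API root, and a script polling for commands.
SAMPLE_LOG = [
    "2024-11-12T09:14:02Z WS-LIBYA-07 cmd.exe POST https://api.telegram.org/bot123456789:AAF3kLm9Qx2Rt7Yv8Bn4Hj6Gp1Sd0Zw5Xc/sendMessage 200",
    "2024-11-12T09:14:03Z WS-LIBYA-07 cmd.exe POST https://api.telegram.org/bot123456789:AAF3kLm9Qx2Rt7Yv8Bn4Hj6Gp1Sd0Zw5Xc/sendDocument 200",
    "2024-11-12T09:15:10Z WS-LIBYA-07 chrome.exe GET https://web.telegram.org/k/ 200",
    "2024-11-12T09:16:44Z WS-EG-02 firefox.exe GET https://api.telegram.org/ 200",
    "2024-11-12T09:17:00Z WS-EG-02 python.exe GET https://api.telegram.org/bot987654321:BBHzQ1w2E3r4T5y6U7i8O9p0A1s2D3f4G5h/getUpdates 200",
]

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f"{f.timestamp} {f.host} {f.process} -> bot {f.bot_id} {f.method} ({f.kind})")
    print(summarize(hits))
```

The path-level match only works where the proxy terminates TLS; without inspection the proxy sees just the SNI/host, and api.telegram.org alone is a weaker signal, so the fallback is to alert on that host from processes that have no business talking to a bot API. The full token is worth keeping in the case file: the same token across hosts ties infections to one operator, and it can be reported to Telegram.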

While Desert Dexter's tools are not particularly sophisticated, the combination of social media ads, legitimate hosting services, and the region's geopolitical context has made the campaign effective. The lures promise allegedly leaked confidential information, which makes the attack chain effective not only against regular users but also against high-ranking officials.

Researchers note that ongoing tensions in the Middle East and North Africa have made the region a prime target for cyberattacks aimed at both government institutions and individual users. Political themes remain a common lure in phishing campaigns, with attacks becoming more sophisticated and malware being continuously adapted to meet the needs of different threat actors.

[1] Meta (Facebook) is currently prohibited in Russia.
