Libyan Oil Refinery Among Targets in Long-running Likely Espionage Campaign
ID: 84d4214a-11d2-53b8-a9f1-bfd53b59ca57
STIX ID: report--84d4214a-11d2-53b8-a9f1-bfd53b59ca57
Feed Name: security.com
A targeted phishing campaign from November 2025 to February 2026 used Libya-themed lure documents and VBS downloaders to deploy a PowerShell dropper and the publicly available AsyncRAT backdoor against Libyan organizations (notably an oil refinery, a telecom, and a state institution). The dropper created a scheduled task named 'devil' and fetched AsyncRAT; the report includes multiple file hashes and emphasizes the risk to energy-sector infrastructure amid regional instability.
