Ethical Hacking News
The rise of a new cyber threat actor, Desert Dexter, has been making headlines recently. Leveraging social media platforms and malware, this group is targeting victims in the Middle East and North Africa, with approximately 900 victims claimed so far. In this article, we will explore the tactics used by Desert Dexter and examine the implications of their campaign on its victims and the broader cybersecurity landscape.
Researchers from Positive Technologies identified a new threat actor called "Desert Dexter" targeting victims in the Middle East and North Africa since September 2024. The campaign is believed to have infected approximately 900 devices, primarily in Libya, Saudi Arabia, Egypt, Turkey, and other countries in the region. Desert Dexter uses social media platforms to distribute malware, including a modified version of AsyncRAT, often through legitimate online file-sharing accounts or Telegram channels. The attackers create temporary Facebook ads with links to file-sharing services or Telegram channels, which redirect users to malware-infected files. The malware includes an offline keylogger and searches for cryptocurrency wallet extensions; it also communicates with a Telegram bot. The kill chain involves multiple stages, including a RAR archive that triggers the attack, a PowerShell script that establishes persistence, and the launch of the AsyncRAT payload.
In a recent analysis published by Positive Technologies, researchers Klimentiy Galkin and Stanislav Pyzhov have identified a new campaign that has been targeting victims in the Middle East and North Africa since September 2024. Dubbed "Desert Dexter," this threat actor is utilizing social media platforms to distribute malware, specifically a modified version of the AsyncRAT malware. The campaign is estimated to have claimed approximately 900 victims, with a majority located in Libya, Saudi Arabia, Egypt, Turkey, the United Arab Emirates, Qatar, and Tunisia.
The activity was discovered in February 2025, and researchers have attributed the campaign to the threat actor's use of legitimate online file-sharing accounts or Telegram channels set up specially for this purpose. The attackers create temporary accounts and news channels on Facebook, which are then used to publish advertisements containing links to a file-sharing service or Telegram channel.
Upon clicking on these links, users are redirected to a version of the AsyncRAT malware that has been altered to include an offline keylogger; search for 16 different cryptocurrency wallet extensions and applications; and communicate with a Telegram bot. The kill chain starts with a RAR archive that either includes a batch script or a JavaScript file, which are programmed to run a PowerShell script responsible for triggering the second stage of the attack.
Specifically, the script terminates processes associated with various .NET services that could prevent the malware from starting, deletes files with the extensions BAT, PS1, and VBS from the "C:\ProgramData\WindowsHost" and "C:\Users\Public" folders, and then creates a new VBS file in C:\ProgramData\WindowsHost as well as BAT and PS1 files in C:\Users\Public. The script then establishes persistence on the system, gathers and exfiltrates system information to a Telegram bot, takes a screenshot, and ultimately launches the AsyncRAT payload by injecting it into the "aspnet_compiler.exe" executable.
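The staging behaviour described in the two paragraphs above (script files dropped into C:\ProgramData\WindowsHost and C:\Users\Public, then aspnet_compiler.exe used as the injection host) gives a defender two concrete things to look for in endpoint telemetry. The following is an added example written for this article, not code from Positive Technologies or the researchers; the Sysmon-style events are constructed, and the assumption that aspnet_compiler.exe is started by a script interpreter before injection is a heuristic, not a detail reported on the page.

```python
"""Detection heuristics for the Desert Dexter staging behaviour described above.
Sample events are constructed (Sysmon-style fields), not real telemetry."""
import ntpath
import re

# Folders and extensions the article says the PowerShell stager writes to.
STAGING_DIRS = (r"c:\programdata\windowshost", r"c:\users\public")
SCRIPT_EXTS = {".bat", ".ps1", ".vbs"}
INJECTION_HOST = "aspnet_compiler.exe"
# Assumption: a script interpreter starting the .NET tool precedes the injection.
PARENT_PATTERN = re.compile(r"(powershell|pwsh|wscript|cscript|cmd)\.exe$", re.I)


def is_staged_script(path: str) -> bool:
    """True if a .bat/.ps1/.vbs lands directly in one of the two staging folders."""
    folder, name = ntpath.split(path.lower())
    return folder in STAGING_DIRS and ntpath.splitext(name)[1] in SCRIPT_EXTS


def is_suspicious_host_launch(image: str, parent: str) -> bool:
    """aspnet_compiler.exe is a legitimate .NET tool; a script interpreter
    spawning it is unusual enough to surface for triage."""
    return (ntpath.basename(image).lower() == INJECTION_HOST
            and bool(PARENT_PATTERN.search(parent)))


def triage(events: list[dict]) -> list[str]:
    """Return one alert string per event that matches either heuristic."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 11 and is_staged_script(ev["TargetFilename"]):
            alerts.append(f"staged script: {ev['TargetFilename']}")
        elif ev["EventID"] == 1 and is_suspicious_host_launch(ev["Image"], ev["ParentImage"]):
            alerts.append(f"script interpreter spawned {INJECTION_HOST}: {ev['ParentImage']}")
    return alerts


# Constructed sample: EventID 11 = FileCreate, EventID 1 = ProcessCreate.
SAMPLE_EVENTS = [
    {"EventID": 11, "TargetFilename": r"C:\ProgramData\WindowsHost\update.vbs"},
    {"EventID": 11, "TargetFilename": r"C:\Users\Public\run.bat"},
    {"EventID": 11, "TargetFilename": r"C:\Users\Public\Documents\notes.txt"},  # benign
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},  # not flagged
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Because the stager first deletes and then recreates these files, a FileDelete event for the same folders immediately followed by a FileCreate is an even tighter sequence to correlate if your sensor records deletions.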
Further analysis of the messages sent to the Telegram bot has revealed screenshots of the attacker's own desktop named "DEXTERMSI," featuring the PowerShell script as well as a tool named Luminosity Link RAT. Also present in the Telegram bot is a link to a Telegram channel named "dexterlyly," suggesting that the threat actor could be from Libya. The channel was created on October 5, 2024.
The majority of victims are ordinary users, including employees in the oil production, construction, information technology, and agriculture sectors. The researchers have noted that the tools used by Desert Dexter are not particularly sophisticated, but the combination of Facebook ads with legitimate services and references to the geopolitical situation has led to the infection of numerous devices.
The development comes as another spear-phishing campaign dubbed Operation Sea Elephant has been found targeting scientific research institutions in China with the goal of delivering a backdoor capable of harvesting sensitive information related to ocean sciences and technologies. The activity has been attributed to a cluster named UTG-Q-011, which is a subset within another adversarial collective called CNC group that shares tactical overlaps with Patchwork, a threat actor suspected to be from India.
In this article, we will delve deeper into the world of cyber threats and explore the tactics used by Desert Dexter in their campaign. We will examine the malware used, the methods employed to distribute it, and the impact on its victims. Additionally, we will discuss the geopolitical implications of the attack and how it relates to the current situation in the Middle East and North Africa.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Rise-of-Desert-Dexter-A-Global-Cyber-Threat-Actor-Leveraging-Social-Media-and-Malware-ehn.shtml
https://thehackernews.com/2025/03/desert-dexter-targets-900-victims-using.html
https://cybersecuritynews.com/new-malware-attacked-desert-dexter/
Published: Mon Mar 10 10:04:29 2025 by llama3.2 3B Q4_K_M