The Middle East and North Africa have been the goal of a new company that provides a modified version of well -known malware called Assembly Since September 2024.
“The company that uses social media to distribute malware is related to the current geopolitical climate of the region,” positive researchers – Note in an analysis published last week. “The attackers accept malicious software in legal accounts in online files or telegrams created specifically for this purpose.”
The company estimates that since the fall of 2024 approximately 900 victims, the Russian cybersecurity company added, which testifies to its broad nature. Most of the victims are located in Libya, Saudi Arabia, Egypt, Turkey, the United Arab Emirates, Qatar and Tunisia.
Activities attributed to the actor threatened named Deserted desksterIt was discovered in February 2025. Basically, this involves the creation of temporary accounts and news channels on Facebook. Then these credentials are used to publish advertisements containing file sharing links or telegram.
References, in turn, redirect users to version Assembly malicious software that has been changed to include in the offline; Look for 16 different extensions and applications for cryptocurrencies; and chat with Bot Telegram.
The murder network begins with the RAR archive, which includes a package scenario or a JavaScript file, which is programmed to launch the PowerShell script, which is responsible for calling the second stage of the attack.
In particular, it stops the processes related to the different .NET services, which may interfere with the launch of malware, delete files with Bat, PS1 and VBS with “C: \ Programdata \ WindowsShost” and “C: \ users \ Public” and create a new VBS file in C: Bats in Files C: \ Users.
Then the script sets stability in the system, collects information about the system in the telegram, removes the screenshot and ultimately launches the useful load of Asyncrat, introducing it into the executable file “Aspnet_compiler.exe”.
It is currently unknown who is behind the company, though Arabic comments on JavaScript, hinting at their possible origin.
Further analysis of messages sent to Telegram Bot showed screenshots of the attacker’s own desktop named “Dextermsi”, which presents the PowerShell scenario as well as the tool named Link of the luminosity of the rat. Also in Telegram Bot – this is a link to the Telegram Channel called “mute“Assuming the threat actor may be from Libya. The channel was created on October 5, 2024.
“Most victims are ordinary users, including employees in the following sectors: oil production, construction, information technology, (and) agriculture,” the researchers said.
“The tools used by Desert Dexter are not particularly difficult. However, the combination of ads on Facebook with legal services and links to the geopolitical situation has led to infection with many devices.”
Development occurs as Qianxin disclosed Detailed information about the phishchina company, dubbed the “marine elephant”, which was found, focused on scientific research institutions in China to provide the back, capable of collecting confidential information related to the oceical sciences and technology.
Activities was associated with a cluster called UTG-Q-011, which he said OvenActor threatening suspect be from India.
