Cybersecurity researchers at Positive Technologies have uncovered a malicious campaign dubbed “Desert Dexter” that has infected approximately 900 victims across multiple countries, primarily in the Middle East and North Africa.
The campaign, which began in September 2024, leverages social media platforms and geopolitical tensions to distribute a modified version of the AsyncRAT malware.
Malware Distribution and Infection Chain
The threat actors behind Desert Dexter create temporary accounts and news channels on Facebook, posing as legitimate media outlets.
They publish advertisements containing links to file-sharing services or Telegram channels, which lead unsuspecting users to download malicious RAR archives.
The infection chain begins when victims open JavaScript or BAT files within these archives.
According to the Positive Technologies researchers, these scripts trigger a series of events, including the execution of PowerShell commands that establish persistence, gather system information, and deploy the final payload, a modified version of AsyncRAT.
The AsyncRAT variant used in this campaign includes several notable features.
It incorporates a custom reflective loader written in C# to inject the malware into legitimate Windows processes.
Additionally, it employs an offline keylogger and checks for the presence of cryptocurrency wallet extensions and applications.
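The infection chain described above (a JavaScript or BAT file from a downloaded archive launching PowerShell, which then establishes persistence) is the kind of parent/child process pattern a defender can hunt for in endpoint telemetry. The following is an added example, not code from the Positive Technologies report or from the campaign itself: it applies generic heuristics to constructed, Sysmon-style process-creation records. The paths, registry locations and sample command lines are assumptions chosen to illustrate the chain, not indicators of compromise taken from the report.

```python
"""Heuristic hunt for a script-host-to-PowerShell infection chain.

Added example. The events below are constructed, Sysmon-style process
creation records; none of the values are indicators from the report.
"""
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Script file types the article names (JS or BAT); .jse/.cmd added as assumed variants.
SCRIPT_FILE = re.compile(r"\.(js|jse|bat|cmd)\b", re.IGNORECASE)
# Assumed staging locations for files opened straight out of a downloaded archive.
STAGING_PATH = re.compile(r"\\(Downloads|Temp|AppData\\Local\\Temp)\\", re.IGNORECASE)
# Generic persistence locations a PowerShell stage might touch (assumption, not an IoC).
PERSISTENCE = re.compile(
    r"(CurrentVersion\\Run|schtasks(\.exe)?\s+/create|Start Menu\\Programs\\Startup)",
    re.IGNORECASE,
)


@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    image: str
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_script_to_powershell_chains(events):
    """Return (parent_event, powershell_event, reasons) for every PowerShell
    process whose parent is a script host; reasons lists the heuristics hit."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if basename(ev.image) not in POWERSHELL:
            continue
        parent = by_pid.get(ev.ppid)
        if parent is None or basename(parent.image) not in SCRIPT_HOSTS:
            continue
        reasons = ["script host spawned PowerShell"]
        if SCRIPT_FILE.search(parent.command_line):
            reasons.append("parent ran a JS/BAT file")
        if STAGING_PATH.search(parent.command_line):
            reasons.append("script launched from a download/temp path")
        if PERSISTENCE.search(ev.command_line):
            reasons.append("PowerShell command line touches a persistence location")
        findings.append((parent, ev, reasons))
    return findings


def alert_chains(events, min_reasons=3):
    """Only chains hitting several heuristics are worth an alert; a build script
    that merely calls PowerShell from a tools directory should not page anyone."""
    return [f for f in find_script_to_powershell_chains(events) if len(f[2]) >= min_reasons]


# Constructed sample telemetry: one suspicious chain and two benign PowerShell launches.
SAMPLE_EVENTS = [
    ProcessEvent(1000, 900, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcessEvent(1200, 1000, r"C:\Windows\System32\wscript.exe",
                 r'"C:\Windows\System32\wscript.exe" "C:\Users\user\Downloads\leak\news.js"'),
    ProcessEvent(1300, 1200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r'powershell.exe -w hidden -c "New-ItemProperty -Path '
                 r'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name Updater '
                 r'-Value C:\Users\user\AppData\Roaming\update.bat"'),
    # Admin opened PowerShell from Explorer: no script host parent, not flagged.
    ProcessEvent(1400, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe Get-Process"),
    # A build batch file in a tools directory calling PowerShell: flagged, but low score.
    ProcessEvent(1500, 1000, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "C:\Tools\build.bat"'),
    ProcessEvent(1600, 1500, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -File build.ps1"),
]

if __name__ == "__main__":
    for parent, child, reasons in find_script_to_powershell_chains(SAMPLE_EVENTS):
        print(f"pid {child.pid} (parent {parent.pid}): score {len(reasons)} -> {'; '.join(reasons)}")
    print("alerts:", [c[1].pid for c in alert_chains(SAMPLE_EVENTS)])
```

Scoring on several weak signals rather than alerting on any script-host-to-PowerShell launch keeps the rule usable on real estates, where batch files legitimately call PowerShell every day; the path and persistence patterns should be tuned to the environment's own conventions rather than taken as given here.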
Geopolitical Context and Victim Profile
Desert Dexter’s campaign exploits the volatile political climate in the Middle East and North Africa to lure victims.
The malicious advertisements often claim to contain leaked confidential data or sensitive political information, enticing users to click on the malicious links.
According to the report, while the majority of victims appear to be ordinary users, researchers noted that employees in various sectors, including oil production, construction, information technology, and agriculture, have also been targeted.
The widespread nature of the infections highlights the effectiveness of combining social engineering tactics with geopolitical themes.
Despite using relatively unsophisticated tools, the threat actors have managed to compromise a significant number of devices across multiple countries.
As the campaign continues to evolve, cybersecurity experts urge users to exercise caution when encountering suspicious links or attachments, especially those purporting to contain sensitive political information.
Organizations in the affected regions should remain vigilant and implement robust security measures to protect against this and similar threats.