Cybercriminals have launched a new malware campaign in the Middle East and North Africa, infecting hundreds of individuals who clicked on politically charged Facebook ads. This cyberattack mirrors past operations, using deceptive tactics to spread malicious software.
Six years ago, a hacker known as “Dexter Ly” led a large-scale malware campaign that targeted thousands of Libyan users with remote access Trojans (RATs). The attacker impersonated political and military figures on Facebook, creating news-related posts with malicious links to trick victims into downloading malware.
Now, researchers believe an entity linked to Dexter has resurfaced, expanding its reach beyond Libya to the broader Middle East and North Africa.
“This campaign represents an evolution of social engineering tactics targeting regions with growing digital adoption and cryptocurrency usage,” says J. Stephen Kowski, field CTO at SlashNext Email Security. “Threat actors recognize the region’s strategic importance and potentially weaker security awareness.”
How the Malware Spreads
Since September 2024, attackers have been operating malicious news-focused Facebook accounts. Leveraging the emotionally charged nature of political content, they publish inflammatory posts and run targeted advertisements to attract engagement.
For example, one such advertisement reads:
Urgent | A leaked report from Israeli intelligence reveals a secret meeting between an Emirati official “Tahna Bin Zayed” and a Syrian official “Maher Al-Assad,” detailing plans for Israeli aircraft to enter Syria with Emirati support.
These posts contain links directing users to the file-sharing platform Files.fm or Telegram channels, where attackers masquerade as legitimate news organizations such as The Libya Observer, Alhurra TV, and The Times of Israel.
Once victims click the links, they are prompted to download a Roshal archive (RAR) compressed file. If executed, the file installs a modified version of AsyncRAT, a remote access Trojan equipped with:
- Offline-enabled keylogging capabilities
- Credential theft targeting cryptocurrency wallets (including Coinbase, MetaMask, Binance, and Ledger Live)
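As an added defensive illustration, not code from the article or from Positive Technologies: a small correlation check over constructed proxy and process-creation logs that flags the delivery chain described above (a RAR archive fetched from one of the named file-sharing channels, followed shortly by an executable launched from the user's Downloads folder on the same client). The delivery-domain list, the log formats and the 15-minute window are assumptions.

```python
"""Correlate archive downloads from file-sharing channels with execution.

Added example, not from the article: flag a client that downloads a .rar
from a delivery domain named in the article and then launches a binary
from its Downloads folder within a short window.
"""
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Delivery channels named in the article; constructed list, extend as needed.
DELIVERY_DOMAINS = {"files.fm", "t.me", "telegram.org"}
ARCHIVE_SUFFIXES = (".rar",)
WINDOW = timedelta(minutes=15)  # assumed correlation window

# Constructed sample logs. Proxy: "time,client,url".
# Process creation: "time,client,image,parent".
PROXY_LOG = """\
2024-10-02T09:14:03,10.0.0.21,https://files.fm/u/abc123/leaked_report.rar
2024-10-02T09:20:41,10.0.0.22,https://www.example.org/news/index.html
2024-10-02T11:02:17,10.0.0.23,https://t.me/newsdesk/leaked_report.rar
"""
PROCESS_LOG = """\
2024-10-02T09:16:30,10.0.0.21,C:\\Users\\amal\\Downloads\\leaked_report\\Report.exe,explorer.exe
2024-10-02T09:30:00,10.0.0.22,C:\\Windows\\System32\\notepad.exe,explorer.exe
2024-10-02T13:00:00,10.0.0.23,C:\\Users\\sami\\Downloads\\Report.exe,explorer.exe
"""

def parse(log):
    """Split a CSV-style log into field lists (no commas inside fields)."""
    return [line.split(",") for line in log.strip().splitlines()]

def suspicious_download(url):
    """True when the URL is an archive served from a delivery domain."""
    u = urlparse(url)
    return u.hostname in DELIVERY_DOMAINS and u.path.lower().endswith(ARCHIVE_SUFFIXES)

def correlate(proxy_log=PROXY_LOG, process_log=PROCESS_LOG, window=WINDOW):
    """Return (client, url, image) for each archive download from a delivery
    domain that is followed within `window` by a process launched from a
    Downloads path on the same client."""
    downloads = [(datetime.fromisoformat(t), c, url)
                 for t, c, url in parse(proxy_log) if suspicious_download(url)]
    alerts = []
    for t, client, image, _parent in parse(process_log):
        ts = datetime.fromisoformat(t)
        if "\\downloads\\" not in image.lower():
            continue
        for dt, dclient, url in downloads:
            if dclient == client and dt <= ts <= dt + window:
                alerts.append((client, url, image))
    return alerts
```

On the constructed logs only client 10.0.0.21 is flagged: 10.0.0.22 never fetched an archive, and 10.0.0.23 ran its binary two hours after the download, outside the window.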
Scope of the Attack
Researchers from Positive Technologies estimate that around 900 individuals have been compromised in this campaign. Approximately half of the victims are Libyan, while others are scattered across North Africa and the Asian subcontinent. While most victims are ordinary citizens, some are employees in critical industries, including agriculture, construction, IT, and oil production.
For years, Facebook has struggled with malicious advertising campaigns that harvest user data, spread disinformation, and distribute malware. Despite Meta’s transparency tools, which claim to monitor and regulate political advertisements in over 220 countries, the platform appears to have failed in detecting and removing this malicious operation.
Dark Reading reached out to Meta for clarification on the enforcement of its policies, but no response has been provided as of publication.
“Social platforms face immense challenges in balancing content moderation while cybercriminals continuously refine their tactics to evade detection,” Kowski explains. “The persistence of this campaign highlights a gap between policy and enforcement that sophisticated attackers are exploiting.”
The Takeaway
This incident underscores the urgent need for improved security awareness, particularly in regions experiencing rapid digital adoption. As cybercriminals refine their social engineering tactics, platforms like Facebook must bolster their enforcement efforts to prevent large-scale cyberattacks.