Desert Dexter Exploits Facebook Ads and Telegram Links to Infect 900 Victims
Since September 2024, a new cyber campaign has been targeting the Middle East and North Africa, deploying a modified variant of the AsyncRAT malware.
“The campaign exploits social media to spread malware and is linked to the region’s current geopolitical climate,” noted Positive Technologies researchers Klimentiy Galkin and Stanislav Pyzhov in an analysis published last week. “Attackers host the malware on legitimate file-sharing platforms or specially created Telegram channels.”
The operation has reportedly affected around 900 victims since fall 2024, most of them in Libya, Saudi Arabia, Egypt, Turkey, the United Arab Emirates, Qatar, and Tunisia.
The campaign, attributed to a threat actor known as Desert Dexter, was uncovered in February 2025. It primarily involves setting up temporary Facebook accounts and news channels to post advertisements containing links to file-sharing services or Telegram channels.
Clicking on these links leads users to a modified version of AsyncRAT, which incorporates an offline keylogger, scans for 16 different cryptocurrency wallet extensions and applications, and communicates with a Telegram bot.
The attack begins with a RAR archive containing either a batch script or a JavaScript file. These scripts execute a PowerShell command that initiates the second stage of the infection.
At this stage, the malware terminates .NET-related processes that could interfere with its execution, deletes BAT, PS1, and VBS files from specific system directories, and creates new malicious scripts in “C:\ProgramData\WindowsHost” and “C:\Users\Public.”
The script then establishes persistence, gathers system data, exfiltrates it via a Telegram bot, captures a screenshot, and ultimately injects the AsyncRAT payload into “aspnet_compiler.exe,” a legitimate .NET Framework binary, so that the implant runs under a trusted process name.
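The three-stage chain described above leaves traces in telemetry most environments already collect. The hunt below is an added example, not code from the Positive Technologies report or from the malware: it runs over Sysmon-style process-creation, network-connection and file-creation events and flags the artifacts the write-up names, namely a script host spawning PowerShell, script files dropped under C:\ProgramData\WindowsHost or C:\Users\Public, a script host or aspnet_compiler.exe reaching the Telegram Bot API host api.telegram.org, and aspnet_compiler.exe launched by a script host rather than by a build tool. The Event record layout, its field names and all sample events are assumed and constructed for illustration; they only loosely follow Sysmon's naming and are not its schema.

```python
"""Hunt for the Desert Dexter infection-chain artifacts over Sysmon-style
telemetry.  Added example: the Event layout and the sample records are
constructed for illustration, not taken from the report or the malware."""
import re
from dataclasses import dataclass

# Staging directories and script types named in the write-up.
STAGING_DIRS = (r"c:\programdata\windowshost", r"c:\users\public")
SCRIPT_EXTS = (".bat", ".ps1", ".vbs", ".js")
SCRIPT_HOSTS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe")
TELEGRAM_BOT_HOST = "api.telegram.org"          # real Bot API endpoint
TELEGRAM_RE = re.compile(r"api\.telegram\.org/bot", re.IGNORECASE)


@dataclass
class Event:
    """Assumed minimal record: a subset of Sysmon event 1 / 3 / 11 fields."""
    event_id: int               # 1 process create, 3 network connect, 11 file create
    image: str                  # acting process image path
    parent_image: str = ""      # event 1 only
    command_line: str = ""      # event 1 only
    target_filename: str = ""   # event 11 only
    dest_hostname: str = ""     # event 3 only


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def _basename(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


def flag_event(ev: Event) -> list[str]:
    """Return the detection names an event triggers (empty list if benign)."""
    hits = []
    image = _basename(ev.image)
    if ev.event_id == 1:
        parent = _basename(ev.parent_image)
        # Stage 1: the JS or BAT dropper handing off to the PowerShell stage.
        if image == "powershell.exe" and parent in ("wscript.exe", "cscript.exe", "cmd.exe"):
            hits.append("script_host_spawns_powershell")
        # Injection host: aspnet_compiler.exe is normally started by build tooling
        # (MSBuild, Visual Studio), never by a script interpreter.
        if image == "aspnet_compiler.exe" and parent in SCRIPT_HOSTS:
            hits.append("aspnet_compiler_from_script_host")
        if TELEGRAM_RE.search(ev.command_line):
            hits.append("telegram_bot_api_in_command_line")
    elif ev.event_id == 11:
        target = _norm(ev.target_filename)
        in_staging = any(target.startswith(d + "\\") for d in STAGING_DIRS)
        if in_staging and target.endswith(SCRIPT_EXTS):
            hits.append("script_dropped_in_staging_dir")
    elif ev.event_id == 3:
        suspicious = SCRIPT_HOSTS + ("aspnet_compiler.exe",)
        if ev.dest_hostname.lower() == TELEGRAM_BOT_HOST and image in suspicious:
            hits.append("script_host_to_telegram_bot_api")
    return hits


def hunt(events: list[Event]) -> list[tuple[int, str]]:
    """Run every detection over a log; return (event index, detection) pairs."""
    return [(i, h) for i, ev in enumerate(events) for h in flag_event(ev)]


# Constructed sample telemetry: one benign build step, then the chain.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ASPNET = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
SAMPLE_EVENTS = [
    Event(1, ASPNET, parent_image=r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe"),
    Event(1, PS, parent_image=r"C:\Windows\System32\wscript.exe",
          command_line=r'powershell.exe -w hidden -ep bypass -f "C:\ProgramData\WindowsHost\run.ps1"'),
    Event(11, PS, target_filename=r"C:\ProgramData\WindowsHost\update.vbs"),
    Event(11, PS, target_filename=r"C:\Users\Public\sys.bat"),
    Event(11, PS, target_filename=r"C:\Users\Public\notes.txt"),   # not a script: benign
    Event(3, PS, dest_hostname="api.telegram.org"),
    Event(1, ASPNET, parent_image=PS),
]

if __name__ == "__main__":
    for idx, name in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
```

The parent-process condition on aspnet_compiler.exe is what keeps the rule usable: developer workstations launch the binary legitimately from MSBuild or Visual Studio, so a rule on the image name alone would page on every web build. Tune SCRIPT_HOSTS and STAGING_DIRS to the environment; the Telegram check is deliberately narrow to the Bot API host and would not flag Telegram Desktop itself.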

The identity of the threat actor behind the campaign remains unknown, though Arabic-language comments in the JavaScript file hint at their possible origins.
Further investigation into the messages sent to the Telegram bot uncovered screenshots of the attacker’s own desktop, labeled “DEXTERMSI.” The images reveal the presence of the PowerShell script alongside a tool known as Luminosity Link RAT. Additionally, a link to a Telegram channel named “dexterlyly” was found within the bot, suggesting a potential Libyan connection. This channel was created on October 5, 2024.
“The majority of victims are everyday users, including employees in sectors such as oil production, construction, information technology, and agriculture,” the researchers noted.
While Desert Dexter’s tools are not particularly advanced, the strategic use of Facebook ads combined with legitimate services and references to ongoing geopolitical tensions has enabled widespread infections.
This development coincides with QiAnXin’s disclosure of a spear-phishing operation called Operation Sea Elephant, which has been targeting scientific research institutions in China. The campaign aims to deploy a backdoor designed to steal sensitive information related to ocean sciences and technology.
The attack has been linked to a group identified as UTG-Q-011, which is believed to be a subset of a broader adversary known as the CNC group. The CNC group shares tactical similarities with Patchwork, a threat actor suspected to originate from India.