Desert Dexter. Attacks on Middle Eastern Countries

March 11, 2025, 4:53 p.m.

Description

A malicious campaign targeting residents of the Middle East and North Africa has been discovered; it has been active since September 2024. The attackers create fake news groups on social media and publish posts with links to file-sharing services or Telegram channels containing modified AsyncRAT malware. The malware is designed to search for crypto wallets and interact with a Telegram bot. The most targeted countries include Egypt, Libya, UAE, Russia, Saudi Arabia, and Turkey. The attack chain involves multiple stages, including the use of PowerShell scripts and a reflective loader written in C#. The AsyncRAT modification includes an offline keylogger and collects information about crypto wallet extensions and software. The campaign has affected approximately 900 victims from various countries, including employees of companies in the oil extraction, construction, IT, and agriculture sectors.

Date

  • Created: March 11, 2025, 4:42 p.m.
  • Published: March 11, 2025, 4:42 p.m.
  • Modified: March 11, 2025, 4:53 p.m.

Indicators

  • df07b378a833528cca8012ec0bd65f06372ccf23262b9930c246d8758cef342a
  • 1d9a6edc55a547b9e522b3dd7f40aebc3f1c4761070294cc56e328800569fc45

Attack Patterns

Additional Information

  • Agriculture
  • Construction
  • Technology
  • Energy
  • Libya
  • Egypt
  • Saudi Arabia
  • Russian Federation