Multi-Month Cyberespionage Campaign Hits Libyan Oil Refinery

Phishing Campaign Used AsyncRAT to Maintain Long-Term Network Access Pooja Tikekar (@PoojaTikekar) • March 20, 2026

A suspected cyberespionage campaign targeted a Libyan oil refinery using commodity malware and politically themed phishing lures.

See Also: Securing Microsoft 365: A Live Breakdown of Modern Attack Paths

Threat researchers at Symantec and Carbon Black said the activity ran from November 2025 to mid-February, with evidence that attackers maintained long-term access to at least one oil company network. The intrusions involved the use of a widely available .NET-based remote access Trojan AsyncRAT.

Although the attacks occurred before the onset of the U.S. and Israeli bombing campaign against Iran, the two Broadcom-owned threat intel firms warned that "with so much disruption in the Middle East, it's possible that attacks against oil producers in other countries could ramp up as fears grow about global energy ...