Inside Desert Dexter: A Cyber Threat Targeting Mena


The Desert Dexter campaign is a sophisticated cyberattack operation targeting individuals and organizations across the Middle East and North Africa (MENA). First detected in February 2025 by Positive Technologies’ Threat Intelligence team, this campaign has been active since September 2024. It employs social media advertisements and Telegram channels to distribute malware, luring victims into downloading malicious files under the guise of leaked intelligence reports and political news. At the core of the attack is a modified version of AsyncRAT, which enables threat actors to steal cryptocurrency wallet data, monitor user activity, and exfiltrate system information.

Severity Level: High

Threat Details

1. Initial Infection:

  • Attackers create fake news channels and distribute malware-laden posts via Facebook ads and Telegram.
  • The malware is embedded in files hosted on legitimate file-sharing services (e.g., Files.fm).
  • Victims execute the files, triggering the installation of AsyncRAT.

2. Malware Capabilities:

  • AsyncRAT modifications include:
    • Keylogging functionality via SetWindowsHookEx.
    • Screenshot capture and exfiltration via a Telegram bot.
    • Collection of cryptocurrency wallet data (MetaMask, Binance, Trust Wallet, etc.).
    • Disabling of security services via PowerShell.

3. Persistence Mechanism:

  • Malware modifies Windows startup registry keys to maintain persistence.
  • Reflective code loading allows execution within legitimate Windows processes.

4. Command and Control (C2):

  • Uses dynamically resolved DDNS domains, multiple malicious URLs hosted on Files.fm, and Telegram-based malicious links impersonating legitimate news sources.
  • Communicates via non-standard ports (e.g., 6161).
  • Exfiltrates system information, IP addresses, and user credentials.

Recommendations

  1. Educate employees on social engineering techniques used in Desert Dexter’s campaign, including:
    • Fake news advertisements on Facebook & Telegram promoting political misinformation.
    • Malicious links disguised as intelligence reports (e.g., hosted on Files.fm).
    • The dangers of downloading unknown files (especially RAR archives and .bat, .js, and .ps1 scripts).
  2. Restrict execution of untrusted .bat, .js, .vbs, and .ps1 scripts.
  3. Block unauthorized software installations.
  4. Configure Windows Defender Attack Surface Reduction (ASR) rules to prevent script-based threats and the execution of potentially malicious payloads via PowerShell.
  5. Monitor for unusual outbound communications, particularly port 6161 (used by AsyncRAT).
  6. Block unauthorized changes to Startup registry keys used by AsyncRAT for persistence.
  7. Enforce MFA for all users, especially for cryptocurrency wallets, financial transactions, critical systems, and privileged accounts.
  8. Block the IOCs at their respective controls.
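A defender-side triage script covering recommendations 5 and 6, added here as an example and not taken from the advisory or from Positive Technologies: it lists Run/RunOnce autostart entries that invoke a script host or script file, and any established outbound connections to TCP port 6161 (the port the advisory attributes to AsyncRAT). The interpreter and extension pattern is an assumed heuristic and should be tuned to the environment.

```powershell
# Added defender-side triage script (not part of the advisory). Checks the two
# artifacts the recommendations call out: autostart registry entries that run
# script hosts or script files, and established connections to remote TCP 6161.
# The pattern below is an assumed heuristic, not an indicator from the advisory.

$runKeys = @(
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Script hosts and the file types the advisory names as delivery vehicles.
# -match is case-insensitive by default in PowerShell.
$suspiciousPattern = 'wscript|cscript|powershell|pwsh|cmd(\.exe)?\s+/c|\.(bat|js|vbs|ps1)\b'

function Get-SuspiciousRunEntries {
  foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
      # Skip the PSPath/PSParentPath/... metadata that Get-ItemProperty adds
      if ($p.Name -like 'PS*') { continue }
      if ($p.Value -is [string] -and $p.Value -match $suspiciousPattern) {
        [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
      }
    }
  }
}

function Get-Port6161Connections {
  # Port 6161 is the non-standard C2 port the advisory attributes to AsyncRAT.
  # SilentlyContinue suppresses the error raised when no connection matches.
  Get-NetTCPConnection -RemotePort 6161 -State Established -ErrorAction SilentlyContinue |
    ForEach-Object {
      $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
      [pscustomobject]@{
        Local   = "$($_.LocalAddress):$($_.LocalPort)"
        Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
        Pid     = $_.OwningProcess
        Process = $proc.ProcessName
      }
    }
}

"== Autostart entries invoking script hosts or script files =="
Get-SuspiciousRunEntries | Format-Table -AutoSize
"== Established connections to remote TCP port 6161 =="
Get-Port6161Connections | Format-Table -AutoSize
```

Run it from an elevated PowerShell session so the HKLM keys and all processes' connections are visible; any hit is a lead for triage, not proof of compromise.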

Source:

  • https://www.virustotal.com/gui/collection/3b580d11d380e6fd80cab2c4997149ca9b8ff2942527f7ad65d0ce3d38bdb907/iocs
  • https://www.ptsecurity.com/ru-ru/research/pt-esc-threat-intelligence/desert-dexter-ataki-na-strany-blizhnego-vostoka/
