A newly uncovered malware campaign, Desert Dexter, has already compromised at least 900 people across several regions.
Most of the victims are located in the Middle East and North Africa. Based on reports, this operation has been ongoing since September 2024.
The operators reportedly use a multi-stage attack chain that combines social media platforms, legitimate file-sharing sites, and geopolitical lures to distribute a modified version of the AsyncRAT remote access trojan.
The campaign’s sophistication stems from using Facebook ads and Telegram channels posing as legitimate news outlets to promote harmful content.
The Desert Dexter malware campaign baits users into downloading malicious content.
According to investigations, the Desert Dexter infection chain starts by deceiving users into downloading RAR archives containing malicious scripts, hosted either on files.fm or on purpose-built Telegram channels.
These scripts, written in JavaScript, batch, and PowerShell, work together to run the final payload, a customised AsyncRAT variant.
This modified AsyncRAT build includes several features that improve its stealth and functionality. A custom reflective loader written in C# is central to the malware's ability to evade detection.
In addition, an offline keylogger secretly records keystrokes and active process names, saving the information in a temporary file for later retrieval.
The malware also employs an upgraded IdSender module that aggressively searches for cryptocurrency wallet extensions and programs, which makes it especially harmful for individuals dealing with digital assets.
To establish persistence, Desert Dexter modifies Windows registry Run keys, and it reaches its command-and-control infrastructure, hosted on VPN service IP addresses, through DDNS domains.
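The persistence mechanism described above, a Run-key entry that launches a dropped JavaScript, batch or PowerShell script, is something a defender can hunt for. The following script is an added example and is not code from the report or the campaign: it scores exported Run-key entries against heuristics derived from this article (script hosts, script file extensions, user-writable directories). The registry values, the lists of hosts and extensions, and the scoring threshold are assumptions made for illustration, not indicators from the Desert Dexter investigation.

```python
import re
from pathlib import PureWindowsPath

# Interpreters that launch the script types the campaign is reported to use
# (JavaScript, batch, PowerShell). Assumed list for this example.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe", "pwsh.exe"}
# Ordered tuple so the first matching extension is reported deterministically.
SCRIPT_EXTENSIONS = (".js", ".jse", ".bat", ".cmd", ".ps1")
# Directories a standard user can write to. A Run entry launching from here is a
# weak signal on its own (legitimate updaters live in AppData too); assumed heuristic.
USER_WRITABLE_MARKERS = (
    "\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\", "\\users\\public\\",
)
# Minimum number of independent reasons before an entry is reported.
FLAG_THRESHOLD = 2

# Constructed sample Run-key entries (hive, value name, command line), modelled on
# what an export of HKCU\...\CurrentVersion\Run and HKLM\...\CurrentVersion\Run looks
# like. All names and paths are invented and are not indicators from the report.
SAMPLE_RUN_ENTRIES = [
    ("HKLM", "SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
    ("HKCU", "OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("HKCU", "Update", r'wscript.exe //B "C:\Users\alice\AppData\Local\Temp\update.js"'),
    ("HKCU", "svc", r"powershell -File C:\Users\alice\AppData\Roaming\svc.ps1"),
    ("HKCU", "Loader", r"cmd /c start /min C:\Users\alice\Downloads\report\run.bat"),
]

_FIRST_TOKEN = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')


def _executable(command):
    """Return the lower-cased file name of the program a Run command launches."""
    match = _FIRST_TOKEN.match(command)
    if not match:
        return ""
    token = match.group(1) or match.group(2)
    path = PureWindowsPath(token)
    name = path.name.lower()
    if not path.suffix:
        name += ".exe"  # "cmd" and "powershell" are usually typed without .exe
    return name


def analyse_run_entry(hive, name, command):
    """Return the list of reasons this Run entry looks like script-based persistence."""
    reasons = []
    cmd_lower = command.lower()
    exe = _executable(command)
    if exe in SCRIPT_HOSTS:
        reasons.append(f"launches script host {exe}")
    # Any referenced file with a script extension, via a host or run directly.
    for ext in SCRIPT_EXTENSIONS:
        if re.search(r"\S+" + re.escape(ext) + r"(?=[\s\"']|$)", cmd_lower):
            reasons.append(f"references {ext} script")
            break
    if any(marker in cmd_lower for marker in USER_WRITABLE_MARKERS):
        reasons.append("runs from user-writable directory")
    return reasons


def flag_suspicious_run_entries(entries):
    """Return (hive, name, reasons) for entries that meet the reporting threshold."""
    flagged = []
    for hive, name, command in entries:
        reasons = analyse_run_entry(hive, name, command)
        if len(reasons) >= FLAG_THRESHOLD:
            flagged.append((hive, name, reasons))
    return flagged


if __name__ == "__main__":
    for hive, name, reasons in flag_suspicious_run_entries(SAMPLE_RUN_ENTRIES):
        print(f"{hive}\\...\\Run\\{name}: {'; '.join(reasons)}")
```

The threshold keeps the single "user-writable directory" signal from flagging every per-user updater; an entry only surfaces when a script host, a script file and an unusual location line up, which is the pattern the article attributes to this campaign. On a live host the same function can be fed the output of a registry export or a `Get-ItemProperty` query over the Run keys.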
Furthermore, the operation exploits the contested political situation in the targeted regions, using purported leaks of sensitive material as bait.
Most victims appear to be ordinary users, although infections have also been found in critical sectors such as oil extraction, construction, and information technology.
The threat actors’ concentration on cryptocurrency-related data indicates financial motivation; however, the exact scope of their aims is unknown.
As geopolitical tensions continue to fuel cyber activity in the Middle East and North Africa, Desert Dexter shows that threat actors will go to great lengths to exploit the region's growing threat landscape.
