Dozens of Facebook pages about current events in Libya were linked to malware

Facebook removed the pages — which collectively had hundreds of thousands of followers — after notification from researchers, Check Point said.

Hackers used more than 30 Facebook pages to spread malicious software aimed at social media users following news about Libya, according to new findings.

Researchers from the security vendor Check Point on Monday published details about Operation Tripoli, a coordinated campaign in which hackers used a network of seemingly legitimate Facebook pages to dupe users into downloading Windows malware. The pages impersonated people like Khalifa Haftar, the head of the Libyan National Army, militia leaders and a range of political causes urgent in the North African country.

Attackers would use the pages to post malicious URLs, disguising the links as news or mobile applications. Facebook said it removed the pages — which collectively had hundreds of thousands of followers — after notification from researchers..

A closer inspection of the attackers’ habits proved that a single account, known as “Dexter Ly,” was behind much of the activity, researchers said. It’s not clear exactly who is behind that page, but the “Dexter Ly” Facebook page openly broadcast secret documents apparently pilfered from Libya’s government, as well as email addresses, phone numbers and Libyan officials’ passport information.


“Although the attacker does not endorse a political party or any of the conflicting sides in Libya, their actions do seem to be motivated by political events,” the researchers concluded. It’s unclear what the hacking campaign was supposed to achieve, exactly, but Check Point said the goal could be to obtain information about “certain individuals within the larger crowd.”

Violence and civil unrest have ravaged Libya since the death of strongman Moammar Gadhafi in 2011. Haftar, who served under Gadhafi, and his loyalists have been locked in a military struggle against the United Nations-backed elected government in a years-long conflict.

“Considering the fragile state of Libya, this makes those news [links] an efficient bait for people interested in keeping up with the latest updates in the country,” Check Point researchers wrote.

“This might explain why the threat actor chooses those themes and social engineering tricks to easily persuade users into clicking the URLs and running the files. Despite this, there does not seem to be hidden propaganda behind this activity, as the attacker does not appear to favor one political party over another.”

The page masquerading as Haftar was created in April, had roughly 11,000 followers, and its malicious links sought to infect victims with the common remote administration tools known as Houdini, Remcos and SpyNote, Check Point researchers found. A page dedicated to militia leader Emad al-Trabilsi had more than 139,000 followers, and the “Libya My People” page had more than 110,000 followers.


“Looking at the activity over the years, it seems that the threat actor gained access to some of the pages after they were created and operated by the original owners for a while (perhaps by compromising a device belonging to one of the administrators),” according to Check Point.

It was common for the malicious links to be clicks thousands of times, and researchers shared samples indicating that most clicks came from inside Libya. The number of clicks does not necessarily correlate with the number of infections.

Jeff Stone

Written by Jeff Stone

Jeff Stone is the editor-in-chief of CyberScoop, with a special interest in cybercrime, disinformation and the U.S. justice system. He previously worked as an editor at the Wall Street Journal, and covered technology policy for sites including the Christian Science Monitor and the International Business Times.

Latest Podcasts