Other
Libyan Oil Refinery Multi-Month Cyberespionage Campaign
Incident Details
A multi-month cyberespionage campaign targeted a Libyan oil refinery in 2026, using commodity (commercially
available) malware to maintain persistent covert access for intelligence collection. Oil and gas critical
infrastructure in politically unstable regions like Libya represents a high-value target for state-sponsored
espionage actors seeking intelligence on energy production capacity, export volumes, financial transactions,
and operational vulnerabilities. The use of commodity malware (rather than custom tools) suggests either a
nation-state actor using commercial tools for deniability, or a sophisticated criminal group with geopolitical
clients. The campaign was detected and disclosed by cybersecurity researchers. Libyan oil infrastructure is
controlled by the National Oil Corporation (NOC) and is a focal point of geopolitical competition between
multiple regional actors.
Technical Details
- Initial Attack Vector
  - A suspected cyberespionage campaign targeted a Libyan oil refinery using commodity malware, maintaining persistent access over multiple months for industrial intelligence collection
Timeline
- 2026-03-20 Breach occurred
- 2026-03-20 Publicly disclosed