Hamas-Linked Ashen Lepus Expands AshTag Malware Suite to Target Middle Eastern Diplomacy
Executive Summary
Over recent months, we have tracked an advanced persistent threat (APT) known for espionage operations against Arabic-speaking government bodies. We identify this Middle Eastern actor as Ashen Lepus (also referred to as WIRTE). We detail a long-running, elusive espionage campaign aimed at governmental and diplomatic institutions across the Middle East. The group has developed updated versions of their previously documented loader and now delivers a new malware family called AshTag. In addition, they have refreshed their command-and-control (C2) structure to better blend with legitimate traffic and evade analysis.
Unlike some affiliated groups whose activity waned during the Israel–Hamas conflict, Ashen Lepus remained consistently active and even intensified its operations after the October 2025 Gaza ceasefire. The actor deployed fresh malware variants and conducted hands-on intrusion within victim environments.
This campaign demonstrates a clear evolution in Ashen Lepus’s operational security and TTPs. Historically, the group showed moderate sophistication, but recent activity reveals more advanced techniques, including:
- Enhanced payload encryption
- Infrastructure obfuscation using legitimate-looking subdomains
- In-memory execution to minimize forensic traces
Palo Alto Networks customers can bolster protection with the following products and services:
- Advanced WildFire
- Advanced URL Filtering and Advanced DNS Security
- Cortex XDR and XSIAM
If you suspect a compromise or need urgent assistance, contact Unit 42 Incident Response.
Ashen Lepus: Background
Our investigation centers on a Hamas-affiliated threat group active since 2018, focused on cyber-espionage and intelligence collection targeting Middle East government entities. We attribute this activity to Ashen Lepus with high confidence, using Unit 42’s Attribution Framework to evaluate network infrastructure, modus operandi, and malware; attribution details are in Appendix A.
Ashen Lepus Operations: Victimology and Motivations
Historically, Ashen Lepus targeted nearby entities, including the Palestinian Authority, Egypt, and Jordan. Recent campaigns show a broader geographic scope, with activity extending to other Arabic-speaking nations such as Oman and Morocco. Although the geographic footprint has expanded, lure themes remain centered on Middle East geopolitical issues, particularly the Palestinian Territories. Notably, the current campaign features lures related to Turkey and its ties to the Palestinian administration, suggesting Turkish entities may now be within their sights. See Table 1 for recent lure themes.
Table 1. Recent lure themes used by Ashen Lepus
- Partnership agreement between Morocco and Turkey
- Turkish Minister of Defense: We changed our strategy in countering terrorist organizations
- Reports of Hamas elements training in Syria, with Turkish support
- Hamas’s proposal to unify Palestinian arms under the Authority
- Highly confidential drafts on the State of Palestine
Campaign Breakdown: Decoy and Infection Chain
Since at least 2020, Ashen Lepus has employed a multi-stage infection chain that culminates in the AshTag malware suite. The chain typically begins with a benign PDF decoy guiding targets to a file-sharing service to download a RAR archive containing a malicious payload. The decoy documents often relate to high-profile geopolitical discussions.
Infection unfolds through three files:
- A binary masquerading as a sensitive document
- A background loader (malicious)
- A second decoy PDF named Document.pdf
When the binary is opened, it side-loads a first loader (netutils.dll), which then opens the decoy PDF. This sequence is visible in Cortex XDR alerts for DLL side-loading and persistence.
C2 Architecture: Evolution
Compared with prior campaigns, the group now uses API and authentication-related subdomains of legitimate domains for C2, boosting OpSec and blending traffic with normal activity. Example domains exhibit technology or medical themes (e.g., api.healthylifefeed.com, api.softmatictech.com, auth.onlinefieldtech.com).
The campaign also shows a clearer separation of servers for different tools in the execution chain, with domains hosted across multiple ASNs. Geofenced servers hinder automated analysis from linking stages.
To avoid detection, attackers embed secondary payloads in HTML tags on benign pages and perform endpoint checks to avoid sandbox environments (geolocation checks and User-Agent filtering).
The AshTag Malware Suite and Campaign Evolution
AshTag marks a major upgrade to Ashen Lepus’s toolkit. Previously, attackers did not deliver a full payload; rather, they terminated the parent process with a .NET DLL. Current activity indicates a more sophisticated, fully featured modular backdoor named AshTag, capable of data exfiltration, content download, and in-memory execution of modules.
AshTag operates as a modular .NET backdoor, masquerading as a legitimate VisualServer utility to remain inconspicuous. The campaign’s delivery chain proceeds as follows:
- A targeted victim opens a binary pretending to be a document
- The binary side-loads a loader (AshenLoader) in the background
- AshenLoader displays the decoy PDF on the desktop
- AshenLoader loads a stager (AshenStager) that retrieves and runs the AshTag payload
- AshenStager establishes persistence via a scheduled task that runs through svchost.exe
Initial Loader Execution Flow
AshenLoader begins by gathering reconnaissance data and sending it to the C2. The AshenStager payload is embedded in the C2 response HTML, using a technique noted in prior analyses. New AshenLoader features include detailed endpoint fingerprinting and updated URIs for beaconing.
AshenStager uses a legitimate process paired with a malicious DLL (wtsapi32.dll) to load the stager. It requests data from the C2 and extracts an encrypted payload hidden in HTML, which is then decoded and injected into memory. The final payload is controlled by a component called AshenOrchestrator.
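The side-loading described in this chain (a binary loading netutils.dll, a legitimate process loading wtsapi32.dll) leaves a detectable trace: both are Microsoft DLL names that should only ever be loaded from the Windows system directories. The following is an added detection sketch, not code from the report or from Unit 42, run over constructed image-load events; the event field names (process_path, image_path) are assumptions about the telemetry format.

```python
"""Flag image-load events where a DLL name tied to the AshenLoader/AshenStager
side-loading chain is loaded from outside the Windows system directories.
Sample events below are constructed for illustration (field names assumed)."""
from pathlib import PureWindowsPath
from typing import Optional
import json

# DLL names the report associates with side-loading in this campaign
SIDELOAD_DLLS = {"netutils.dll", "wtsapi32.dll"}
# Directories from which these Microsoft DLLs are legitimately loaded
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")


def is_system_path(path: str) -> bool:
    """True if the path sits under System32 or SysWOW64 (case-insensitive)."""
    p = str(PureWindowsPath(path)).lower()
    return any(p.startswith(d + "\\") for d in SYSTEM_DIRS)


def evaluate_image_load(event: dict) -> Optional[dict]:
    """Return an alert dict for a watched DLL loaded from a non-system
    directory, otherwise None. Expects keys process_path and image_path."""
    image = PureWindowsPath(event["image_path"])
    if image.name.lower() not in SIDELOAD_DLLS:
        return None
    if is_system_path(str(image)):
        return None
    proc = PureWindowsPath(event["process_path"])
    return {
        "rule": "dll_sideload_suspect",
        "process": proc.name,
        "dll": image.name.lower(),
        "dll_dir": str(image.parent),
        # Strong side-load signal: the DLL sits beside the loading process
        "same_dir_as_process": image.parent == proc.parent,
    }


def scan(events) -> list:
    """Run every event through evaluate_image_load and keep the alerts."""
    return [a for a in (evaluate_image_load(e) for e in events) if a]


# Constructed sample events (not taken from the report)
SAMPLE_EVENTS = [
    {"process_path": r"C:\Users\u\Downloads\Draft.exe",
     "image_path": r"C:\Users\u\Downloads\netutils.dll"},
    {"process_path": r"C:\Windows\System32\svchost.exe",
     "image_path": r"C:\Windows\System32\wtsapi32.dll"},
    {"process_path": r"C:\Users\Public\Viewer.exe",
     "image_path": r"C:\Users\Public\wtsapi32.dll"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

Only the two loads from user-writable directories are flagged; the legitimate System32 load of wtsapi32.dll is ignored.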
AshTag Malware Suite
AshTag is a modular .NET backdoor designed for stealthy persistence and remote command execution. It pretends to be a legitimate utility to avoid suspicion, while in reality orchestrating communication and in-memory payload execution via AshenOrchestrator.
The stager retrieves a Base64-encoded JSON configuration from the Orchestrator, detailing module paths, encryption keys, the C2 domain, and jitter values used to evade beaconing detection. The payloads are embedded in HTML content and located via a hidden tag strategy. The Orchestrator uses AES to decrypt an XOR key, which in turn decrypts the embedded payload; the module's configuration specifies the loading method and class name.
Module Architecture and Actions
AshenOrchestrator defines modules with specific purposes (e.g., persistence, process management, uninstall/update, and various system operations). Each module’s action is defined by a parameter indicating whether to upload, download, execute, or inject the module in memory. Some injection logic appears incomplete, indicating ongoing development.
Module retrieval is complicated by active module rotation within web content and varying encryption keys that unlock different modules.
A sample module demonstrates system fingerprinting: a lightweight .NET program enumerating WMI and returning a victim ID to operators. Additional modules handle staging and data exfiltration.
Ashen Lepus Hands-on Activity
Post-infection, the threat actors accessed the compromised host to steal targeted diplomatic documents. They staged specific documents in the Public folder after obtaining them from victims’ mail accounts, aligning with prior intelligence-focused campaigns.
For exfiltration, they deployed the open-source tool Rclone to transfer data to attacker-controlled servers, marking the group’s first observed use of Rclone. This illustrates a broader trend of using legitimate tools to blend malicious activity with normal network traffic and avoid detection.
Conclusion
Ashen Lepus remains a persistent espionage actor with clear intent to operate throughout regional conflicts, distinguishing itself from peers that have reduced activity. The recent AshTag deployment demonstrates a strategic shift toward more advanced, modular payloads and improved operational security.
The group’s broadened geographic reach and new lure themes suggest a widening of its intelligence-gathering objectives. Organizations in the Middle East, especially in government and diplomatic sectors, should remain vigilant against this evolving threat.
Protection guidance for Palo Alto Networks customers includes:
- Updated Advanced WildFire analysis and ML models
- Advanced URL Filtering and Advanced DNS Security to identify malicious domains and URLs
- Cortex XDR and XSIAM for comprehensive detection and response
If you believe you are compromised or need urgent assistance, contact Unit 42 Incident Response or call regional numbers listed in the original advisory.
Indicators of Compromise: Key hashes and artifacts are provided for AshenLoader variants, AshenStager, and AshTag components, including C2 domains, loader destinations, and scheduled tasks. Appendix A and Appendix B document the attribution methodology and loader evolution, including references to IronWind, and detail the ongoing development of AshenLoader and AshTag.
Additional Resources
- Check Point’s Hamas-affiliated threat actor WIRTE continues Middle East operations
- Cybereason’s Molerats in the Cloud report
- WIRTE threat group card from ETDA
- OWN CERT analysis of Wirte campaign
- Proofpoint’s TA402 IronWind infection chains study
Appendix A: Attribution and TTPs
Our assessment uses Unit 42’s Attribution Framework to connect observed activity with the threat group. TTPs align closely with Ashen Lepus’s established behavior, including Arabic-language lures tied to Middle East geopolitical events and tailored campaigns targeting diplomatic entities. Infrastructure overlaps with prior reporting show consistent URL and subdomain patterns, such as encrypted recon data tokens in API endpoints across multiple campaigns. The loader, including the wtsapi32.dll payloads, remains a recurring artifact across campaigns, reinforcing the attribution.
Appendix B: Loader Development
AshenLoader appears to be a progression from earlier IronWind loader activities. Throughout 2025, Ashen Lepus refined AshenLoader with features like AES-CTR-256 encryption, endpoint fingerprinting, and URI structure changes to resist static detection. These incremental improvements illustrate a deliberate, low-cost, high-impact approach to maintaining stealth while expanding capabilities.