
Hamas-Affiliated Ashen Lepus Targets Middle Eastern Diplomatic Entities With New AshTag Malware Suite

The Hamas-affiliated advanced persistent threat (APT) group known as Ashen Lepus (also tracked as WIRTE) has launched a sophisticated espionage campaign targeting governmental and diplomatic entities across the Middle East. The group has deployed a new malware suite named AshTag and significantly updated its command and control (C2) architecture to improve evasion and blend in with legitimate network traffic. Notably, Ashen Lepus maintained persistent activity throughout the Israel-Hamas conflict, deploying newly developed malware variants and carrying out hands-on activity in victim environments even after the October 2025 Gaza ceasefire.

This campaign signifies a tangible evolution in Ashen Lepus's operational security and tactics, techniques, and procedures (TTPs), including stronger custom payload encryption and infrastructure obfuscation through the use of legitimate subdomains. Active since 2018, Ashen Lepus focuses on cyber-espionage and intelligence collection against government entities. While it has historically targeted nearby nations such as the Palestinian Authority, Egypt, and Jordan, recent campaigns indicate a significant expansion to include entities in Oman and Morocco. The group's lure themes remain largely consistent, focusing on Middle East geopolitical affairs, particularly those involving the Palestinian Territories, with increased emphasis on Turkey's relationship with Palestine.

The group employs a multi-stage infection chain that begins with a benign PDF directing targets to download a RAR archive containing the malicious payload. The infection scheme relies on several files, including decoy documents and malicious loaders. A notable change in the C2 architecture is that C2 servers now use legitimate subdomains to improve the group's operational security.

For more details, read the full article here.

This post is licensed under CC BY 4.0 by the author.