Full Report
An advanced persistent threat (APT) known as WIRTE has been attributed to attacks targeting government and diplomatic entities across the Middle East with a previously undocumented malware suite dubbed AshTag since 2020. Palo Alto Networks is tracking the activity cluster under the name Ashen Lepus. Artifacts uploaded to the VirusTotal platform show that the threat actor has trained its sights
Analysis Summary
# Threat Actor: WIRTE / Ashen Lepus
## Attribution & Identity
* **Primary Identifier:** WIRTE
* **Tracking Name (Palo Alto Networks):** Ashen Lepus
* **Known Aliases/Associated Groups:** Gaza Cyber Gang, Blackstem, Extreme Jackal, Molerats (TA402), APT-C-23, Arid Viper, Desert Varnish, Renegade Jackal.
* **Assessment:** Assessed to have been active since at least 2018; considered a sub-group of the Hamas cyberwarfare division, overlapping with Molerats and APT-C-23.
## Activity Summary
* **Campaign Duration:** Active since at least 2020 (with overlap with WIRTE activity dating back to 2018).
* **Recent Activity:** Remained persistently active throughout the Israel-Hamas conflict, continuing operations even after the October 2025 Gaza ceasefire by deploying new malware variants.
* **Historical Context:** Has previously conducted destructive attacks exclusively targeting Israeli entities using custom wiper malware (SameCoin).
## Tactics, Techniques & Procedures
* **Initial Access:** Phishing emails utilizing lures related to current geopolitical affairs (e.g., Morocco-Turkey partnership, Palestine resolutions).
* **Delivery Mechanism:** PDF decoy leads users to download a malicious RAR archive.
* **Execution Chain (Sideloading):**
  * Opening the archive deploys a chain starting with a renamed benign binary.
  * This binary sideloads a malicious DLL named **AshenLoader**.
  * AshenLoader opens a decoy PDF and contacts an external server to drop two components: a legitimate executable and a DLL payload named **AshenStager** (stagerx64).
  * AshenStager sideloads the core malware suite into memory to minimize forensic artifacts.
* **Core Capabilities:** Uses the **AshTag** modular .NET backdoor, managed by **AshenOrchestrator**.
* **Post-Exploitation:**
  * Persistence and process management.
  * Remote command execution.
  * Artifact collection: screen capture, file system navigation/management, and system fingerprinting.
* **Data Staging:** Staging of exfiltration data (diplomacy-related documents pulled from victim email inboxes) in the `C:\Users\Public` folder.
* **Exfiltration:** Use of the **Rclone** utility to transfer staged files to attacker-controlled servers.
* **Obfuscation:** **AshTag** masquerades as a legitimate **VisualServer** utility.
## Targeting
* **Sectors:** Government and diplomatic entities.
* **Geography:** Focused on the Middle East, specifically targeting the Palestinian Authority, Jordan, Iraq, Saudi Arabia, Egypt, Oman, and Morocco.
* **Victims:** Government and diplomatic entities; the actor has recently shown an increased focus on Turkey.
## Tools & Infrastructure
* **Malware Families Used:** AshTag (primary backdoor), AshenOrchestrator, AshenLoader, AshenStager (stagerx64), SameCoin (historical wiper).
* **Infrastructure:** Contacts external C2 servers for payload drops.
## Implications
The actor exhibits high operational tempo, indicated by their continued activity during and after major regional conflicts, distinguishing them from some peers. Their focus is clearly on **espionage and intelligence collection**, specifically targeting sensitive diplomatic documents. The use of multi-stage sideloading techniques (AshenLoader/AshenStager) demonstrates technical sophistication aimed at evading detection and minimizing disk-resident forensics.
## Mitigations
* Enhanced monitoring for suspicious DLL sideloading techniques involving legitimate binaries.
* Inspection of RAR files delivered via email, particularly those related to geopolitical lures.
* Monitoring for the deployment and execution of components named 'AshenLoader' and 'AshenStager'.
* Scrutinizing outbound file transfers utilizing the Rclone utility, especially concerning files staged in the `C:\Users\Public` directory.
* Implementation of security controls to detect and block memory injection techniques used to launch payloads in memory.
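The mitigations above map directly onto the execution chain and exfiltration pattern described under Tactics, Techniques & Procedures. The following is an added example, not code from the report or from Palo Alto Networks, showing how those three behaviours (a DLL sideloaded from a user-writable directory, Rclone run against the `C:\Users\Public` staging folder, and documents written into that folder) can be flagged from Sysmon-style endpoint events. The event records, host paths and the DLL filenames derived from the component names in the report are all constructed assumptions; real samples may be renamed, so the filename check is treated as one signal among several rather than the primary rule.

```python
"""Detection pass over constructed Sysmon-style events for the Ashen Lepus
TTPs described in the report (sideloading, C:\\Users\\Public staging, Rclone).
Added example; all events, paths and filenames below are constructed."""
from pathlib import PureWindowsPath
from typing import Optional

# Locations a standard user can write to. A binary loading a DLL from the same
# user-writable directory it runs from (rather than System32 / Program Files)
# is the classic sideloading heuristic.
USER_WRITABLE_ROOTS = ("c:\\users\\public", "c:\\programdata", "c:\\windows\\temp")
USER_WRITABLE_MARKERS = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\desktop\\")

# Assumed filenames built from the component names in the report; real samples
# may be renamed, so this is a supporting signal only.
KNOWN_DLL_NAMES = {"ashenloader.dll", "ashenstager.dll", "stagerx64.dll"}
STAGING_DIR = "c:\\users\\public"
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".eml", ".msg"}


def _is_user_writable(path: str) -> bool:
    p = path.lower()
    return p.startswith(USER_WRITABLE_ROOTS) or any(m in p for m in USER_WRITABLE_MARKERS)


def _same_dir(a: str, b: str) -> bool:
    return PureWindowsPath(a.lower()).parent == PureWindowsPath(b.lower()).parent


def check_image_load(ev: dict) -> Optional[str]:
    """Sysmon EventID 7 (ImageLoaded): flag a DLL with a name from the report, or a
    DLL loaded from the same user-writable directory as the loading executable."""
    if ev.get("EventID") != 7:
        return None
    image, dll = ev["Image"], ev["ImageLoaded"]
    if PureWindowsPath(dll).name.lower() in KNOWN_DLL_NAMES:
        return f"known-loader-name: {image} loaded {dll}"
    if _is_user_writable(dll) and _same_dir(image, dll):
        return f"possible-sideload: {image} loaded {dll} from a user-writable directory"
    return None


def check_process_create(ev: dict) -> Optional[str]:
    """Sysmon EventID 1: Rclone (by image name or PE OriginalFileName, so a renamed
    copy is still caught) whose command line references the staging folder."""
    if ev.get("EventID") != 1:
        return None
    name = PureWindowsPath(ev["Image"]).name.lower()
    original = ev.get("OriginalFileName", "").lower()
    cmd = ev.get("CommandLine", "")
    if "rclone.exe" in (name, original) and STAGING_DIR in cmd.lower():
        return f"rclone-exfil-staging: {cmd}"
    return None


def check_file_create(ev: dict) -> Optional[str]:
    """Sysmon EventID 11 (FileCreate): document types written under C:\\Users\\Public."""
    if ev.get("EventID") != 11:
        return None
    target = ev["TargetFilename"]
    if target.lower().startswith(STAGING_DIR) and PureWindowsPath(target).suffix.lower() in DOC_EXTENSIONS:
        return f"doc-staged-in-public: {target}"
    return None


def scan(events) -> list:
    """Run every rule over every event and return the list of alert strings."""
    alerts = []
    for ev in events:
        for rule in (check_image_load, check_process_create, check_file_create):
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample events: four should alert, three are benign.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": "C:\\Users\\alice\\Downloads\\Morocco-Turkey\\reader.exe",
     "ImageLoaded": "C:\\Users\\alice\\Downloads\\Morocco-Turkey\\version.dll"},
    {"EventID": 7, "Image": "C:\\Program Files\\Vendor\\app.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"},
    {"EventID": 7, "Image": "C:\\Users\\Public\\Libraries\\host.exe",
     "ImageLoaded": "C:\\Users\\Public\\Libraries\\stagerx64.dll"},
    {"EventID": 1, "Image": "C:\\Users\\Public\\svc.exe", "OriginalFileName": "rclone.exe",
     "CommandLine": "svc.exe copy C:\\Users\\Public\\out remote:inbox"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"},
    {"EventID": 11, "TargetFilename": "C:\\Users\\Public\\out\\resolution.docx"},
    {"EventID": 11, "TargetFilename": "C:\\Users\\alice\\Documents\\notes.txt"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Each rule is deliberately narrow and noisy on its own (plenty of legitimate software loads DLLs from its own install folder under `%ProgramData%`); in practice they are correlated on the same host within a short window, which is exactly the sequence the report describes: a sideload, documents appearing under `C:\Users\Public`, then an Rclone transfer out.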