The Advanced Persistent Threat (APT), known as WIRTE, is believed to be the result of attacks targeting government and diplomatic organizations across the Middle East since 2020 using a previously undocumented malware suite called AshTag.
Palo Alto Networks is tracking an activity cluster named Ashen Lepus. Artifacts uploaded to the VirusTotal platform indicate that the threat actor has set its sights on Oman and Morocco, indicating an expanding footprint beyond the Palestinian Authority, Jordan, Iraq, Saudi Arabia, and Egypt.
“Ashen Repas remained active throughout the Israeli-Hamas conflict, setting it apart from other related organizations whose activity declined during the same period,” the cybersecurity firm said in a report shared with Hacker News. “Ashen Lepus continued its campaign after the Gaza ceasefire in October 2025, deploying newly developed malware variants and engaging in live operations within victim environments.”
WIRTE overlaps with the Arabic-speaking politically motivated cluster known as the Gaza Cyber Gang (also known as Blackstem, Extreme Jackals, Morerats, or TA402), and is assessed to have been active since at least 2018. According to the Cybereason report, Morerat and APT-C-23 (also known as Arid Vipers, Desert Burnish, or Renegade Jackals) are both two major subgroups of the Gaza Cyber Gang. Hamas’ cyberwarfare division.
It is primarily driven by espionage and intelligence gathering, targeting government agencies in the Middle East to achieve strategic objectives.
In a report released in November 2024, Check Point highlighted the hacking group’s ability to adapt and carry out both espionage and sabotage by targeting Israeli organizations in devastating attacks, infecting them with custom wiper malware called SameCoin.
This long-running and elusive campaign, detailed by Unit 42, dates back to 2018 and was found to have utilized phishing emails containing decoys related to geopolitical issues in the region. The recent increase in Turkey-related invitations, such as the “Partnership Agreement between Morocco and Turkey” and the “Resolution on Palestinian Statehood,” suggests that domestic organizations may become a new focus.
The attack chain begins with a benign PDF decoy that tricks the recipient into downloading a RAR archive from a file-sharing service. Opening the archive triggers a series of events that result in the AshTag being deployed.
This involves using a renamed, benign binary to sideload a malicious DLL called AshenLoader. In addition to opening a decoy PDF file to continue its ruse, this DLL connects to an external server and drops two more components: a legitimate executable and a DLL payload called AshenStager (also known as stagerx64). This DLL payload is sideloaded again to launch the malware suite in memory to minimize forensic artifacts.
AshTag is a modular .NET backdoor designed to facilitate persistence and remote command execution, disguised as a legitimate VisualServer utility. Internally, its functionality is realized by AshenOrchestrator, which enables communication and executes additional payloads in memory.
These payloads serve various purposes.
Persistence and Process Management Update and Delete Screen Capture File Explorer and Management System Fingerprinting
In one case, Unit 42 said it observed threat actors performing actual data theft by gaining access to a compromised machine and staging targeted documents in the C:\Users\Public folder. These files are said to have been downloaded from victims’ email inboxes, with the ultimate goal of stealing diplomatic documents. The documents were then leaked to an attacker-controlled server using the Rclone utility.
“Ashen Lepus continues to conduct espionage operations and has demonstrated a clear intent to continue operating throughout recent regional conflicts, unlike other related threat groups whose activity has significantly decreased,” the company concluded. “Threat actors’ activities over the past two years particularly highlight their continued intelligence gathering efforts.”
Source link
