WIRTE Uses AshenLoader Sideloading to Deploy the AshTag Espionage Backdoor

An advanced persistent threat (APT) tracked as WIRTE has been linked to intrusions against government and diplomatic networks across the Middle East, using a previously undocumented malware toolkit called AshTag since 2020.

Palo Alto Networks Unit 42 clusters this activity under the name Ashen Lepus. Samples submitted to VirusTotal indicate that the operators are now actively targeting Oman and Morocco, expanding beyond earlier activity against organizations in the Palestinian Authority, Jordan, Iraq, Saudi Arabia, and Egypt.

The company told The Hacker News that it has identified “scores of unique lures” distributed across the Middle East, pointing to a “persistent and wide-reaching campaign” focused on government and diplomatic targets. More than a dozen organizations are believed to have been impacted, with the real count likely higher based on observable telemetry.

“Ashen Lepus remained persistently active throughout the Israel-Hamas conflict, distinguishing it from other affiliated groups whose activities decreased over the same period,” the cybersecurity company said in a report shared with The Hacker News. “Ashen Lepus continued with its campaign even after the October 2025 Gaza ceasefire, deploying newly developed malware variants and engaging in hands-on activity within victim environments.”

WIRTE overlaps with an Arabic-speaking, politically motivated cluster commonly referred to as Gaza Cyber Gang (also known as Blackstem, Extreme Jackal, Molerats, or TA402) and is assessed to have been active since at least 2018. Cybereason reporting notes that both Molerats and APT-C-23 (aka Arid Viper, Desert Varnish, or Renegade Jackal) are considered key sub-groups within the Hamas cyberwarfare apparatus.

The activity is primarily focused on espionage and intelligence collection, with an emphasis on government networks in the Middle East to support strategic and geopolitical objectives.

“Specifically, the connection between WIRTE (Ashen Lepus) to the broader Gaza Cyber Gang is primarily evidenced by code overlaps and similarities,” Unit 42 researchers said. “This suggests that while they operate independently, the tools were developed by close entities and they likely share development resources. We have also seen overlap in other groups’ victimology.”

In analysis released in November 2024, Check Point attributed the group to destructive operations exclusively targeting Israeli organizations, where victims were infected with a custom wiper dubbed SameCoin, underscoring the operators’ ability to pivot between espionage and disruptive effects.

The long-running, low-profile campaign documented by Unit 42, active since at least 2018, relies heavily on phishing emails themed around regional geopolitical issues. A recent spike in lures mentioning Turkey – for example, “Partnership agreement between Morocco and Turkey” or “Draft resolutions concerning the State of Palestine” – indicates that Turkish entities may be emerging as a new focus area.

The intrusion chain begins with a benign-looking PDF decoy that instructs recipients to download a RAR archive from a file-sharing service. Opening this archive initiates an execution sequence that ultimately installs the AshTag malware.

The sequence uses a renamed legitimate binary to sideload a malicious DLL, AshenLoader, which both opens a decoy PDF to maintain user trust and contacts a remote server to retrieve two additional components: a legitimate executable and a DLL payload named AshenStager (aka stagerx64). The stager is again sideloaded to execute the malware suite fully in memory, reducing on-disk artifacts available to incident responders.

AshTag is a modular .NET backdoor built to maintain persistence and execute remote commands, while posing as a legitimate VisualServer utility to evade casual inspection. Internally, its functionality is coordinated through an AshenOrchestrator component that manages command-and-control communications and in-memory execution of additional payloads.

These payloads are used for distinct operational purposes:

  • Establishing persistence and managing processes
  • Updating the malware and removing it when necessary
  • Capturing screenshots
  • Browsing, staging, and manipulating files
  • Collecting detailed host and environment information

In one investigated incident, Unit 42 observed the operators logging into a compromised host for interactive activity, staging sensitive documents in the C:\Users\Public folder prior to exfiltration. The documents, pulled from a victim’s email inbox, were diplomacy-focused files, consistent with the group’s intelligence requirements. Exfiltration to attacker infrastructure was then performed using the Rclone utility.
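As an added illustration of how a defender might surface the behaviours described above (a renamed legitimate binary sideloading an unsigned DLL from a user-writable path, files being staged into C:\Users\Public, and Rclone execution), here is a small detection pass in Python over constructed Sysmon-style events. It is not Unit 42's or the article's code; the `Event` schema is a simplification of Sysmon process-create, image-load and file-create records, and every path, file name and process name in the sample data is an assumed placeholder.

```python
"""Detection pass over constructed endpoint telemetry (added example, not the
article's or Unit 42's code). Flags the three behaviours the article describes:
sideloading by a renamed binary, staging into C:\\Users\\Public, and Rclone use.
All events, paths and names below are constructed placeholders."""

from dataclasses import dataclass
from typing import Callable, List, Set, Tuple

# Directories an ordinary user can write to; DLLs loaded from here by a vendor
# binary that normally lives under Program Files deserve a second look.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
STAGING_DIR = "c:\\users\\public\\"


@dataclass
class Event:
    kind: str                    # "process_create", "image_load" or "file_create"
    image: str                   # on-disk path of the acting process
    original_file_name: str = "" # PE OriginalFileName from the version resource
    loaded: str = ""             # DLL path for image_load events
    signed: bool = True          # whether the loaded DLL carried a valid signature
    target: str = ""             # destination path for file_create events
    cmdline: str = ""


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def is_user_writable(path: str) -> bool:
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def is_renamed(ev: Event) -> bool:
    # OriginalFileName is fixed at build time; a mismatch with the on-disk name is
    # the cheapest signal that a legitimate binary has been copied and renamed.
    return bool(ev.original_file_name) and basename(ev.image) != ev.original_file_name.lower()


def rule_sideload(ev: Event) -> bool:
    # Renamed host process loading an unsigned DLL from a user-writable location.
    return ev.kind == "image_load" and not ev.signed and is_user_writable(ev.loaded) and is_renamed(ev)


def rule_staging(ev: Event) -> bool:
    # Any process dropping files into the shared Public profile.
    return ev.kind == "file_create" and ev.target.lower().startswith(STAGING_DIR)


def rule_rclone(ev: Event) -> bool:
    # Catch rclone whether launched by its real name, renamed, or via command line.
    names = (basename(ev.image), ev.original_file_name.lower())
    return ev.kind == "process_create" and ("rclone.exe" in names or "rclone" in ev.cmdline.lower())


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("sideload", rule_sideload),
    ("staging", rule_staging),
    ("rclone", rule_rclone),
]


def detect(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule_name, process_image) for every event that matches a rule."""
    return [(name, ev.image) for ev in events for name, rule in RULES if rule(ev)]


def suspicious_images(alerts: List[Tuple[str, str]]) -> Set[str]:
    """Processes that tripped two or more distinct rules: worth an analyst's time first."""
    seen = {}
    for name, image in alerts:
        seen.setdefault(image, set()).add(name)
    return {image for image, names in seen.items() if len(names) >= 2}


# Constructed sample telemetry; "viewer.exe" stands in for a renamed vendor binary.
HOST = "C:\\Users\\alice\\Downloads\\Brief\\viewer.exe"
SAMPLE_EVENTS = [
    Event("process_create", HOST, original_file_name="VendorTool.exe", cmdline="viewer.exe"),
    Event("image_load", HOST, original_file_name="VendorTool.exe",
          loaded="C:\\Users\\alice\\Downloads\\Brief\\helper.dll", signed=False),
    Event("image_load", "C:\\Windows\\System32\\notepad.exe", original_file_name="NOTEPAD.EXE",
          loaded="C:\\Windows\\System32\\kernel32.dll", signed=True),
    Event("file_create", HOST, target="C:\\Users\\Public\\memo.docx"),
    Event("file_create", "C:\\Windows\\explorer.exe", original_file_name="EXPLORER.EXE",
          target="C:\\Users\\alice\\Documents\\notes.txt"),
    Event("process_create", "C:\\Users\\alice\\AppData\\Local\\Temp\\rc.exe",
          original_file_name="rclone.exe", cmdline="rc.exe copy C:\\Users\\Public remote:share"),
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for name, image in found:
        print(f"{name:9s} {image}")
    print("escalate:", suspicious_images(found))
```

The rules are deliberately coarse: on a real estate the staging rule needs an allow-list for installers and backup agents that legitimately write to Public, and the sideload rule is far stronger when paired with the parent-process context (an archive extractor or browser spawning the renamed binary) that the article's PDF-to-RAR lure would produce.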

Analysts assess that similar data theft likely occurred across a wider set of victims, especially in environments lacking robust detection, EDR coverage, or network monitoring.

“Ashen Lepus remains a persistent espionage actor, demonstrating a clear intent to continue its operations throughout the recent regional conflict — unlike other affiliated threat groups, whose activity significantly decreased,” the company concluded. “The threat actors’ activities throughout the last two years in particular highlight their commitment to constant intelligence collection.”
