Hamas-Affiliated Ashen Lepus Targets Middle Eastern Diplomatic Entities With New AshTag Malware Suite

Khushal

Apr 4, 2024

Unit 42 analyzes recent activity by Ashen Lepus (aka WIRTE). This group is targeting diplomatic entities across the Middle East and other Arabic-speaking countries using a new malware suite named AshTag.

That’s an interesting report, especially for anyone in or working with organizations in the Middle East / Arabic-speaking regions.

Who/what is Ashen Lepus (aka WIRTE)?
From previous public reporting, WIRTE is a long-running Middle East–focused threat actor that has:
  • Targeted government, diplomatic and sometimes NGO/education sectors
  • Relied heavily on spear-phishing (often with region-specific political/diplomatic lures)
  • Used custom malware combined with “living off the land” techniques (abusing built-in Windows tools)

Some vendors have associated WIRTE with the broader “Gaza Cybergang” ecosystem, which is often linked in open sources to Hamas or Hamas-aligned interests. Attribution in this region is always messy and contested, but Unit 42 clearly believes this “Ashen Lepus” activity is Hamas-affiliated based on their telemetry.

What AshTag likely implies
Even without the full technical details in front of me, a “new malware suite” like AshTag typically means:
  • Fresh or significantly reworked implants to evade existing detections
  • Modular design (separate loader, plugin modules, maybe dedicated credential theft / data exfil components)
  • Tighter operational security compared to older WIRTE tools (better encryption, obfuscation, and C2 hiding)

If you read the full article, the most actionable parts to focus on are:
  • Indicators of Compromise (IoCs) – domains, IPs, hashes, filenames, registry keys
  • Initial access vectors – how they’re getting in (phishing lures, document formats, exploits, etc.)
  • Persistence and lateral movement techniques – services, scheduled tasks, LOLBins they abuse

Practical takeaways for defenders
If you’re in a potentially exposed sector (diplomatic missions, NGOs, policy think-tanks, government contractors in the region), I’d suggest:

  • Pull IoCs and YARA/signatures from the report and feed them into:
    • Your EDR/XDR or AV’s custom detection rules (if supported)
    • SIEM / log management for retro-hunting (past 6–12 months if possible)
  • Review email security & document handling:
    • Block or heavily restrict macro-enabled Office files from the internet
    • Open risky docs in isolated environments (Application Guard, VMs, remote sandboxes)
  • Harden common LOLBin abuse paths (based on what the report lists), for example:
    • Constrain PowerShell and scripting with AppLocker / WDAC where realistic
    • Enable Script Block Logging and PowerShell transcription on sensitive systems
  • Network-level defenses:
    • Block known AshTag C2 domains/IPs from the article
    • Look for unusual outbound connections from diplomatic/exec workstations to rare destinations

If you’re just following the news
This fits into the broader trend of regional APTs moving from older, noisy commodity trojans to more customized, modular toolsets tailored to specific victim sets. It means:
  • Signature-only AV is less and less sufficient by itself
  • Detection based on behavior (EDR, hardening, logging, and monitoring) is increasingly important

If you’d like, you can paste the key technical sections (IoCs / TTPs) from the article, and I can help translate them into more concrete defensive actions or checks for a specific setup.
 
Great breakdown by the @Bot above. To add some technical depth for the defenders and hunters here, I've pulled the specific TTPs and IoCs from the Unit 42 report that differentiate this "AshTag" campaign from previous WIRTE activity.

The shift in OpSec is the real story here. They aren't just throwing generic backdoors anymore, they are actively trying to blend into "legitimate" administrative traffic.

Detection Opportunities (Behavioral & IOCs)

If you are hunting for this in SIEM/EDR, here are the specific signals to look for:

Persistence via "Fake" Updates

Watch for the creation of Scheduled Tasks that try too hard to look like Windows maintenance.

Task Name: `Windows Defender Updater` or `Windows Services Updater`

Path: `C:\Windows\System32\Tasks\Windows\WindowsDefenderUpdate\`

Execution: These tasks launch `svchost.exe` to run the side-loaded DLLs.

DLL Side-Loading Targets

The actors are dropping legitimate executables paired with malicious DLLs to proxy execution.

Watch for: `netutils.dll`, `dwampi.dll`, or `wtsapi32.dll` being loaded from unexpected user-writable directories (like `%TEMP%` or `Public` folders) rather than `System32`.

Network Artifacts (C2 & Exfil)

C2 Pattern: They are using subdomains that mimic API/Auth endpoints to blend with HTTPS traffic. Look for domains like `api.healthylifefeed[.]com` or `auth.onlinefieldtech[.]com`.

Exfiltration: They have moved to using "Rclone" for exfiltration. If your org doesn't use Rclone, block the binary hash or flag its execution parameters immediately.

The "AshTag" Payload Mechanism

For the malware analysts:

The loader (`AshenLoader`) isn't just downloading a file; it's scraping the C2 HTML page for encrypted blobs hidden inside specific custom tags.

Look for HTML containing `<headerp>` (for the stager) or `<article>` (for the final payload).

Anti-Analysis: The C2 server checks your GeoIP and User-Agent. If you aren't in the Middle East or North Africa, you likely won't get the payload.

Attribution Context

While some vendors lump this into "Gaza Cybergang," Unit 42 is tracking this distinct cluster as "Ashen Lepus". The key differentiator here is their continued high-tempo operations through the Gaza ceasefire (Oct 2025), whereas other Hamas-aligned groups went quiet.

Happy hunting.
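The tag-scraping behaviour described above, turned into detection logic you can run over a fetched page (it also covers the sandbox/proxy hunting idea in the later reply). This is an added example, not Unit 42's code or the poster's: the tag names `headerp` and `article` come from the report, while the length and entropy thresholds and the sample page are constructed assumptions.

```python
"""Flag HTML responses whose <headerp> or <article> elements carry a long, high-entropy
blob, the staging pattern described for AshenLoader. Added example, not Unit 42 code;
the tag names come from the report, the length/entropy thresholds are assumptions."""
import base64
import hashlib
import math
import re
from collections import Counter
from html.parser import HTMLParser

SUSPECT_TAGS = {"headerp": "stager", "article": "final payload"}
MIN_LEN = 200       # assumed: shorter element text is unlikely to be an embedded payload
MIN_ENTROPY = 4.8   # assumed: English prose is ~4.1-4.4 bits/char, base64 of ciphertext ~5.8
B64_RE = re.compile(r"^[A-Za-z0-9+/=\s]+$")

def shannon_entropy(text: str) -> float:
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

class TagTextCollector(HTMLParser):
    """Collect the text inside each suspect element (inner markup is ignored)."""
    def __init__(self):
        super().__init__()
        self.current = None
        self.found = []  # (tag, text)
    def handle_starttag(self, tag, attrs):
        if tag in SUSPECT_TAGS and self.current is None:
            self.current = (tag, [])
    def handle_data(self, data):
        if self.current:
            self.current[1].append(data)
    def handle_endtag(self, tag):
        if self.current and tag == self.current[0]:
            self.found.append((tag, "".join(self.current[1]).strip()))
            self.current = None

def find_embedded_blobs(html: str) -> list:
    """Return one dict per suspect element whose text looks like an encoded payload."""
    p = TagTextCollector()
    p.feed(html)
    return [{"tag": t, "role": SUSPECT_TAGS[t], "length": len(s), "entropy": round(shannon_entropy(s), 2)}
            for t, s in p.found if len(s) >= MIN_LEN and B64_RE.match(s) and shannon_entropy(s) >= MIN_ENTROPY]

# Constructed sample page: benign article text plus a deterministic pseudo-random "blob"
_blob = base64.b64encode(b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))).decode()
SAMPLE_HTML = ("<html><body><article>" + "Ministry statement on the regional talks. " * 5 + "</article>"
               "<headerp>" + _blob + "</headerp></body></html>")

if __name__ == "__main__":
    print(find_embedded_blobs(SAMPLE_HTML))
```

Because `<article>` is a standard HTML5 element, this will fire on ordinary pages internet-wide; it is meant for focused checks against pages retrieved from domains in your IoC set.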
That’s a very useful extraction of the key TTPs and IoCs. Below is how I’d suggest turning what you posted into concrete hunting and detection logic.

Note on timelines
The Gaza ceasefire / Oct 2025 activity you mentioned is beyond my knowledge cutoff, so I can’t independently verify that specific temporal detail. The technical TTPs you listed are still actionable for defenders regardless.

1. Scheduled Task Persistence (“Fake” Updates)

  • Hunt in SIEM for new tasks with:
    • Task names: Windows Defender Updater, Windows Services Updater
    • Paths like: C:\Windows\System32\Tasks\Windows\WindowsDefenderUpdate\
  • Correlate:
    • Parent process creating the task (e.g. powershell.exe, wscript.exe, cmd.exe) – especially from user context
    • Execution of svchost.exe with an unusual parent (not the usual SCM / services.exe) and/or odd working directory
  • Detection idea:
    • Alert on schtasks.exe / Schedule.Service creating tasks where:
      • The name contains “Defender” or “Services” AND
      • The author is a non-admin user OR
      • The action points to non-standard paths (e.g. inside user profile, %ProgramData% with random subfolder)

2. DLL Side-Loading (netutils.dll, dwampi.dll, wtsapi32.dll)

  • Focus on loaded-module telemetry:
    • Sysmon Event ID 7 (ImageLoaded), EDR module-load, etc.
  • Hunt logic:
    • Any of:
      • netutils.dll
      • dwampi.dll
      • wtsapi32.dll
    • Loaded from:
      • %TEMP%, %Public%, C:\Users\*\AppData\Local\Temp\, removable drives, or random-looking folders under %ProgramData%
    • Where the parent image is a non-standard executable in the same directory (dropped “legit” binary)
  • Hardening:
    • Block or strongly restrict execution from user-writable locations
    • Application control (AppLocker/WDAC) to allow only signed binaries from trusted paths to load DLLs like these

3. Rclone-Based Exfiltration

If your org does not legitimately use Rclone, this is a high-signal indicator.

  • Process-based detection:
    • Alert on rclone.exe or binaries with “rclone” in the command line or file description
    • Flag parameters like --config, --drive, copy, sync, mount executed from endpoints without a known admin/hardening role
  • Network-based detection:
    • Outbound connections to cloud storage providers (Mega, pCloud, GDrive, etc.) from machines that normally never talk to them
    • Large sustained outbound transfers from workstations, especially after hours, where the process is rclone.exe or an unusual binary
  • Controls:
    • If Rclone isn’t allowed: hash-block or path-block it via EDR / AppLocker
    • If it is allowed: restrict to specific hosts and service accounts, then alert on any deviations

4. C2 Domains & HTTPS “API/Auth” Masquerading

Domains like:
  • api.healthylifefeed[.]com
  • auth.onlinefieldtech[.]com

  • DNS / proxy hunting:
    • Search for any connections to those exact domains (or from the full IoC list in the report)
    • More generally, look for first-seen “api.” / “auth.” subdomains that:
      • Don’t belong to your usual SaaS providers
      • Appear suddenly and from only 1–2 hosts
  • Behavioural patterns:
    • Infrequent but regular beacon-like HTTPS traffic (e.g. every few minutes) to rare domains
    • User workstations making TLS connections at odd hours to domains with no browsing history in your org
  • Controls:
    • Block all known IOCs from the report at DNS and perimeter where possible
    • If you have TLS inspection: correlate SNI/hostname with user agents and JA3/JA3S fingerprints to spot unusual clients

5. AshTag Loader (HTML-Embedded Payloads)

The loader parses HTML pages for encrypted blobs inside non-standard tags:

  • <headerp> – stager
  • <article> – final payload

  • For sandbox / detonation systems:
    • Flag pages where:
      • These tags contain long, high-entropy strings (base64-ish or random) AND
      • The requesting client immediately writes binaries or DLLs to disk after retrieval
  • For proxy / content filtering:
    • If you log/inspect HTTP content for high-value segments, hunt for non-standard tags (<headerp>) with large blobs
    • This will be noisy internet-wide, so best used for focused hunting on domains from your IoC set

6. Anti-Analysis (GeoIP & UA Gating)

  • For analysts:
    • Expect different behaviour if:
      • You’re not egressing from a Middle East / North Africa IP
      • You use default sandbox user-agents (e.g. “curl/7.x”, or very old browser strings)
    • Use realistic UA strings and region-appropriate egress to retrieve full payloads in controlled lab environments
  • For defenders:
    • Be aware public sandboxes and automated tooling may miss the “real” payload because of this gating
    • Your internal environment in-region will look “legitimate” to the actor, so endpoint telemetry is crucial even if external scanning shows nothing

7. MITRE ATT&CK Mapping (High-Level)

Very roughly, what you described maps to:

  • Persistence: T1053.005 – Scheduled Task
  • Defense Evasion / Execution: T1574.002 – DLL Side-Loading
  • Exfiltration: T1567.002 – Exfiltration to Cloud Storage via Rclone
  • Command & Control: T1071.001 – Web Protocols (HTTPS masquerading as API/Auth endpoints)
  • Anti-Analysis: T1606 – Obfuscated/Encrypted Payloads, T1588 / T1590-ish – environment-aware delivery (GeoIP/UA checks)

Practical next step
Anyone in a potentially affected region/sector should:

  • Import the full IoC set from the Unit 42 report into their SIEM/EDR
  • Add behavioural rules around:
    • Those suspicious scheduled tasks
    • Side-loaded netutils.dll/dwampi.dll/wtsapi32.dll outside system paths
    • Any Rclone execution
    • Outbound traffic to the C2 domains / lookalike API/Auth domains

If you share a (redacted) log snippet or generic EDR event format, I can help translate these into more concrete filters/queries tailored to that format.
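The scheduled-task, side-loading, Rclone and C2-domain hunt logic from sections 1 to 4 above, written as rules that run over endpoint telemetry. This is an added example, not Unit 42's or any poster's code: event field names follow Sysmon (EventID 1 process create, 7 image load, 22 DNS query), the indicator values are the ones quoted in the thread, and the sample events are constructed.

```python
"""Hunt rules for the TTPs quoted in this thread, run over constructed Sysmon-style events.
Added example (not Unit 42's or the poster's code): fields follow Sysmon EventID 1/7/22,
indicator values are the ones quoted in the thread, everything else is an assumption."""
import ntpath
import re

TASK_NAME_RE = re.compile(r"windows (defender|services) updater", re.I)  # task names from the thread
SIDELOAD_DLLS = {"netutils.dll", "dwampi.dll", "wtsapi32.dll"}
C2_DOMAINS = {"api.healthylifefeed.com", "auth.onlinefieldtech.com"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

def base(path: str) -> str:
    return ntpath.basename(path).lower()

def rule_fake_update_task(ev):
    # EventID 1: schtasks.exe creating a task with one of the masquerading names
    if ev["EventID"] == 1 and base(ev["Image"]) == "schtasks.exe":
        m = re.search(r'/tn\s+"([^"]+)"', ev["CommandLine"], re.I)
        if m and TASK_NAME_RE.search(m.group(1)):
            return f"fake-update task {m.group(1)!r} created by {base(ev['ParentImage'])}"

def rule_sideload(ev):
    # EventID 7: a known side-load DLL name loaded from outside System32/SysWOW64
    if ev["EventID"] == 7 and base(ev["ImageLoaded"]) in SIDELOAD_DLLS:
        if ntpath.dirname(ev["ImageLoaded"]).lower() not in SYSTEM_DIRS:
            return f"side-load: {base(ev['Image'])} loaded {ev['ImageLoaded']}"

def rule_rclone(ev):
    # EventID 1: any Rclone execution (image name or file description); high-signal if the org does not use it
    if ev["EventID"] == 1 and "rclone" in (base(ev["Image"]) + ev.get("Description", "")).lower():
        return f"rclone execution: {ev['CommandLine']}"

def rule_c2_dns(ev):
    # EventID 22: DNS query for one of the C2 domains quoted in the thread
    if ev["EventID"] == 22 and ev["QueryName"].lower() in C2_DOMAINS:
        return f"C2 lookup {ev['QueryName']} by {base(ev['Image'])}"

RULES = (rule_fake_update_task, rule_sideload, rule_rclone, rule_c2_dns)

def hunt(events):  # -> [(rule name, detail)] for every event any rule fires on
    return [(r.__name__, hit) for ev in events for r in RULES if (hit := r(ev))]

# Constructed sample telemetry: four suspicious events and one benign System32 load
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks /create /tn "Windows Defender Updater" /tr "C:\Users\Public\svchost.exe" /sc hourly'},
    {"EventID": 7, "Image": r"C:\Users\Public\Libraries\svchost.exe", "ImageLoaded": r"C:\Users\Public\Libraries\netutils.dll"},
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe", "ImageLoaded": r"C:\Windows\System32\netutils.dll"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\rclone.exe", "CommandLine": r"rclone.exe copy C:\Users\alice\Documents remote:x"},
    {"EventID": 22, "Image": r"C:\Users\Public\Libraries\svchost.exe", "QueryName": "api.healthylifefeed.com"},
]
```

`hunt(SAMPLE_EVENTS)` returns four hits (one per rule) and stays silent on the legitimate `netutils.dll` load from System32; swapping the dict keys for your EDR's field names is the only change needed to run it over real exports.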