{
	"id": "9257a4f3-4adc-443b-b05b-8cf178b8dd3b",
	"created_at": "2026-04-06T00:08:56.546653Z",
	"updated_at": "2026-04-10T13:12:32.575615Z",
	"deleted_at": null,
	"sha1_hash": "8a6d1cac860155b54e5793373fdce8f8bcb630bf",
	"title": "Hamas-Affiliated Ashen Lepus Targets Middle Eastern Diplomatic Entities With New AshTag Malware Suite",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1831961,
	"plain_text": "Hamas-Affiliated Ashen Lepus Targets Middle Eastern Diplomatic\r\nEntities With New AshTag Malware Suite\r\nBy Unit 42\r\nPublished: 2025-12-11 · Archived: 2026-04-05 14:26:54 UTC\r\nExecutive Summary\r\nIn recent months, we have been analyzing the activity of an advanced persistent threat (APT) known for its\r\nespionage activities against Arabic-speaking government entities. We track this Middle Eastern threat actor as\r\nAshen Lepus (aka WIRTE).\r\nWe share details of a long-running, elusive espionage campaign targeting governmental and diplomatic entities\r\nthroughout the Middle East. We discovered that the group has created new versions of their previously\r\ndocumented custom loader, delivering a new malware suite that we have named AshTag. The group has also\r\nupdated their command and control (C2) architecture to evade analysis and blend in with legitimate internet\r\ntraffic.\r\nAshen Lepus remained persistently active throughout the Israel-Hamas conflict, distinguishing it from other\r\naffiliated groups whose activities decreased over the same period. Ashen Lepus continued with its campaign even\r\nafter the October 2025 Gaza ceasefire, deploying newly developed malware variants and engaging in hands-on\r\nactivity within victim environments.\r\nThis campaign highlights a tangible evolution in Ashen Lepus's operational security and tactics, techniques and\r\nprocedures (TTPs). 
While its operations over the years have demonstrated only moderate sophistication, the group\r\nhas recently adopted more advanced tactics that include:\r\nEnhanced custom payload encryption\r\nInfrastructure obfuscation using legitimate subdomains\r\nIn-memory execution to minimize forensic artifacts\r\nPalo Alto Networks customers are better protected from the threats described in this article through the following\r\nproducts and services:\r\nAdvanced WildFire\r\nAdvanced URL Filtering and Advanced DNS Security\r\nCortex XDR and XSIAM\r\nIf you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response\r\nteam.\r\nAshen Lepus Background\r\nhttps://unit42.paloaltonetworks.com/hamas-affiliate-ashen-lepus-uses-new-malware-suite-ashtag/\r\nPage 1 of 13\n\nWe investigated a campaign waged by a Hamas-affiliated threat group that has been active since 2018. Their\r\noperations focus on cyber-espionage and intelligence collection, targeting government entities across the Middle\r\nEast.\r\nWe attribute this activity with high confidence to Ashen Lepus. Our attribution is based on Unit 42's Attribution\r\nFramework, and takes into account the network infrastructure, modus operandi and malware that the group has\r\nused throughout their campaigns. The attribution artifacts are detailed in Appendix A.\r\nAshen Lepus Ops: Victimology and Motivation\r\nAshen Lepus is known for targeting entities in close geographical proximity, such as the Palestinian Authority,\r\nEgypt and Jordan. Recent campaigns show a significant expansion in operational scope – according to recent\r\nuploads to VirusTotal, the group is now targeting entities in other Arabic-speaking nations, including Oman and\r\nMorocco.\r\nDespite the broader geographic footprint seen in their recent attacks, the group's lure themes remain largely\r\nconsistent. 
The majority of lure themes continue to relate to Middle East geopolitical affairs, mainly those\r\ninvolving the Palestinian Territories. However, the current campaign shows an increase in lures related to Turkey\r\nand its relationship with the Palestinian administration. Table 1 details these themes.\r\nLure Theme | Machine Translation\r\nاتفاقية الشراكة بين المغرب وتركيا | Partnership agreement between Morocco and Turkey\r\n1302 وزير الدفاع التركي غيرنا استراتيجيتنا في مكافحة التنظيمات الارهابية | 1302 Turkish Minister of Defense We changed our strategy in combating terrorist organizations\r\nأنباء عن تدريب عناصر من حماس في سوريا تحديدا في الجنوب بدعم تركي | Reports of Hamas elements training in Syria, specifically in the south, with Turkish support\r\nتقرير عن مقترح حماس لتوحيد السلاح الفلسطيني تحت مظلة السلطة | Report on Hamas's proposal to unify Palestinian arms under the umbrella of the Authority\r\nمشاريع القرارات الخاصة بدولة فلسطين سري للغاية | Draft resolutions concerning the State of Palestine Top Secret\r\nTable 1. Lure themes used in a recent Ashen Lepus campaign.\r\nBreaking Down Ashen Lepus’s Recent Campaign Developments\r\nDecoy Archive Analysis\r\nSince at least 2020 [PDF], Ashen Lepus has employed a consistent, multi-stage infection chain delivering a new\r\nmalware suite that we call AshTag. The chain typically starts with a benign PDF decoy file that guides targets to a\r\nfile-sharing service to download a RAR archive containing a malicious payload. Figure 1 shows two lure\r\nexamples, relating to discussions conducted by the League of Arab States and United Nations Security Council.\r\nFigure 1. Lure examples presented to targets.\r\nDownloading and opening the RAR archive initiates the chain of events that leads to an infection. 
This infection\r\ninvolves the following three files:\r\nA binary file masquerading as a sensitive or political document\r\nA malicious loader, which runs in the background\r\nAn additional decoy PDF file named Document.pdf\r\nWhen the targeted individual runs the binary in order to read the article, the binary side-loads the first malicious\r\nloader (netutils.dll), which in turn opens the decoy PDF file for viewing. Figure 2 illustrates the initial infection\r\nchain in Cortex XDR, showing alerts triggered by the Windows executables responsible for DLL side-loading and\r\npersistence.\r\nFigure 2. AshTag's initial infection chain and persistence, as seen in Cortex XDR.\r\nC2 Architecture Evolution\r\nComparing this campaign with past campaigns shows that there has been a change in the group's C2 domain\r\nnaming convention. Instead of hosting its C2 servers on its own domains, the group now registers new API and\r\nauthentication-related subdomains of legitimate domains. This change is part of the group’s shift to adopt better\r\noperational security (OpSec), and helps its activity blend in with benign network activity. The domains often have\r\ntechnology or medical themes, such as api[.]healthylifefeed[.]com, api[.]softmatictech[.]com and\r\nauth[.]onlinefieldtech[.]com.\r\nWe also observed a clear separation between different servers for different tools within the execution chain. The\r\ndomains have varying formats and are hosted in multiple autonomous system numbers (ASNs). Since the servers\r\nare geofenced, automatic analysis tools cannot execute the entire chain to link between the different stages.\r\nIn this campaign, the group took several cautionary measures to avoid detection and analysis. For instance, the\r\nsecondary payloads are embedded within HTML tags of a seemingly benign webpage. 
Also, the C2 server\r\nperforms initial checks on the victim's endpoint, to avoid sending the payload to sandbox environments. The\r\nserver checks the victim’s geolocation, and checks specific User-Agent strings in the traffic that are unique to the\r\nmalware.\r\nThe New AshTag Malware Suite and Campaign Evolution\r\nThe AshTag campaign marks a significant upgrade to the group's traditional tooling. In previous campaigns, the\r\nactors did not deliver a full payload, and instead terminated the parent process using a simple .NET DLL. We\r\nassess that previous campaigns observed in the wild were a testing phase in the development of the attack chain.\r\nHowever, in this campaign, Ashen Lepus is deploying a more sophisticated, fully featured malware suite, which\r\nwe have named AshTag. Unit 42 designates the name “Lepus” to threat groups associated with the Palestinian\r\nTerritories, and we labeled the malware components “Ash” to reflect the basic, gritty attack resources that\r\naccumulate to choke system defenses, allowing the full attack to take hold.\r\nAshTag is a modular .NET toolset currently in active development, with extensive features, including file\r\nexfiltration, content download and in-memory execution of additional modules.\r\nThe AshTag infection chain unfolds as follows:\r\nA targeted victim clicks the binary file, expecting to open a document.\r\nThe binary file side-loads a DLL in the background. 
This DLL is the first malicious loader, which we call\r\nAshenLoader.\r\nAshenLoader opens the decoy PDF document on the desktop.\r\nIn the background, AshenLoader retrieves and runs another side-loaded DLL: a stager that we call\r\nAshenStager.\r\nAshenStager retrieves and runs the AshTag payload.\r\nAshenStager also sets its persistence via a scheduled task, executed by svchost.exe.\r\nFigure 3 depicts the complete attack chain.\r\nFigure 3. The full AshTag Malware infection chain.\r\nInitial Loader Execution Flow\r\nWhen AshenLoader is executed, it tries to collect and send initial reconnaissance data to the attacker’s C2 server.\r\nThe AshenStager payload is embedded within the C2’s webpage, between the custom \u003cheaderp\u003e HTML tags – an\r\nembedding method that has been documented in the past. In addition to these similarities, we identified new\r\nfeatures of AshenLoader, described in Appendix B.\r\nAshenLoader retrieves and executes a stager that we dub AshenStager. In past campaigns, this stager was named\r\nStager-X64, following its internal naming by the attackers. We now track AshenStager as part of the AshTag\r\nmalware suite. AshenStager is side-loaded by a legitimate executable paired with a malicious custom DLL, named\r\nwtsapi32.dll.\r\nAshenStager is designed to send an HTTP request to its C2 server, where it parses the HTML response to extract\r\nanother encrypted payload that is hidden within \u003carticle\u003e tags. After extracting the payload, AshenStager decodes,\r\nparses and injects the payload in memory. The final payload in this chain is a malware suite, which is orchestrated\r\nby a tool that we call AshenOrchestrator. 
Figure 4 shows the orchestrator’s Base64-encoded payload embedded in\r\nHTML content from the C2 server.\r\nFigure 4. AshenOrchestrator’s Base64-encoded payload embedded within the article HTML tags.\r\nAshTag Malware Suite\r\nAshTag is a modular .NET backdoor designed for stealthy persistence and remote command execution. AshTag\r\nmasquerades as a legitimate VisualServer utility to evade suspicion. In reality, this backdoor is a multi-feature\r\nmalware suite that uses AshenOrchestrator to conduct communication and to execute other payloads in memory.\r\nWhen AshenStager retrieves AshenOrchestrator’s payload, the stager receives a Base64-encoded JSON file. The\r\nJSON file contains the payload and the payload’s configuration. The configuration contains parameters such as\r\nspecific URL paths that lead to different modules, encryption keys and the C2 domain. The configuration also\r\nincludes sleep time buffers (jitter), mn and mx, which are used to avoid detection of the C2 beaconing. Figure 5\r\nshows an example of such a configuration.\r\nFigure 5. Decoded AshenOrchestrator configuration.\r\nLike most of the tools used in this campaign, AshenOrchestrator extracts its next payload from embedded HTML\r\ntags. However, in this instance, the payload is even better hidden. Instead of using a hardcoded tag name, the\r\nstager searches for a specific commented-out tag within the HTML page that contains the relevant tag name.\r\nFigure 6 demonstrates the payload embedding scheme.\r\nFigure 6. AshTag module decoding process.\r\nAshenOrchestrator creates a unique AES key from the tg and au parameters, and decrypts the xrk XOR encryption\r\nkey. The decrypted XOR key is then used to decrypt the embedded HTML value that contains the payload. 
The\r\npayload itself is a specific module contained in another Base64-encoded JSON that has additional configuration\r\nparameters. These parameters determine the module’s loading method name (mna) and class name (cn). Table 2\r\nlists the different class names that AshenOrchestrator expects and their inferred functionalities.\r\nClass Name (cn) | Inferred Purposes\r\nPR1, PR2, PR3 | Persistence; Process Management\r\nUN1, UN2, UN3 | Uninstall; Update; Removal\r\nSCT | Screen Capture\r\nFE | File Explorer; File Management\r\nSN | System Fingerprinting\r\nTable 2. Different Ashen modules and their inferred purposes.\r\nThe mna value dictates the action that AshenOrchestrator performs for each module that it retrieves. There are\r\nfour possible actions:\r\nUpload additional content\r\nDownload the module to disk\r\nExecute the module as a .NET assembly\r\nInject the module into memory\r\nAnalyzing the injection method revealed that its code was not actually implemented, and only returned false,\r\nindicating that certain aspects of the AshTag malware suite are still in active development.\r\nRetrieving the different modules for analysis was a complicated task, in part because Ashen Lepus appears to be\r\nactively rotating the modules that are hidden within webpage content. This would explain why not all modules are\r\navailable at the same time. In addition, we found that different encryption keys open different types of modules.\r\nDespite these complicating factors, we were able to retrieve one of the modules responsible for system\r\nfingerprinting – internally named the SN module. The module is an extremely simple .NET program that executes\r\nWMI queries and sends a unique victim ID back to the attackers. Figure 7 shows the main function of the SN\r\nmodule.\r\nFigure 7. 
Code from the SN fingerprinting module.\r\nWe identified the threat actor’s operations in our telemetry, which indicated that they used additional modules to\r\nstage and exfiltrate files.\r\nAshen Lepus's Hands-On Activity\r\nFollowing the initial automated infection, the threat actor accessed the compromised system to conduct hands-on\r\ndata theft. A few days after the original infection, the attackers loaded a custom module via AshenOrchestrator and\r\nbegan staging specific documents in the C:\\Users\\Public folder.\r\nOur analysis indicates that the threat actor downloaded these documents directly from a victim’s mail accounts,\r\nrevealing the group’s main objective: obtaining specific, diplomacy-related documents. This aligns with past\r\nreports of the group’s practice of obtaining intelligence relating to regional geopolitical conflicts.\r\nTo exfiltrate the staged files, Ashen Lepus downloaded the Rclone open-source tool, transferring the data to an\r\nattacker-controlled server. This appears to be the first time this threat group has been observed using Rclone for\r\ndata exfiltration. In doing so, Ashen Lepus joins a growing number of actors who leverage legitimate file transfer\r\ntools to blend their malicious activity with benign network traffic and avoid detection.\r\nConclusion\r\nAshen Lepus remains a persistent espionage actor, demonstrating a clear intent to continue its operations\r\nthroughout the recent regional conflict – unlike other affiliated threat groups, whose activity significantly\r\ndecreased. The threat actors’ activities throughout the last two years in particular highlight their commitment to\r\nconstant intelligence collection.\r\nDuring this campaign, Ashen Lepus has begun to deliver its new malware suite, AshTag. 
AshTag is a modular\r\n.NET suite, capable of data exfiltration, command execution and in-memory payload execution.\r\nWhile the group's core TTPs are not highly sophisticated, this campaign reveals an evolution in its approach. We\r\nobserved a clear effort to improve operational security by enhancing payload encryption, shifting infrastructure to\r\ninnocent-looking subdomains and executing payloads in memory. This \"low-cost, high-impact\" methodology\r\nallows the threat actors to effectively evade static defenses and thwart analysis.\r\nThe expansion of Ashen Lepus’s victimology beyond their traditional geographic targets, coupled with new lure\r\nthemes, suggests a broadening of its operational scope. We assess that Ashen Lepus will continue to adapt its\r\ntoolset and targeting to pursue its geopolitical intelligence objectives. Organizations in the Middle East,\r\nparticularly in the governmental and diplomatic sectors, should remain vigilant against this evolving threat.\r\nPalo Alto Networks customers are better protected from the threats described in this article through the following\r\nproducts and services:\r\nThe Advanced WildFire machine-learning models and analysis techniques have been reviewed and updated\r\nin light of the indicators shared in this research.\r\nAdvanced URL Filtering and Advanced DNS Security identify known domains and URLs associated with\r\nthis activity as malicious.\r\nCortex XDR and XSIAM\r\nCortex XDR helps to prevent the threats described in this blog, by employing the Malware\r\nPrevention Engine. 
This approach combines several layers of protection, including Advanced\r\nWildFire, Behavioral Threat Protection and the Local Analysis module, to help prevent both known\r\nand unknown malware from causing harm to endpoints.\r\nIf you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident\r\nResponse team or call:\r\nNorth America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)\r\nUK: +44.20.3743.3660\r\nEurope and Middle East: +31.20.299.3130\r\nAsia: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nAustralia: +61.2.4062.7950\r\nIndia: 000 800 050 45107\r\nSouth Korea: +82.080.467.8774\r\nPalo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA\r\nmembers use this intelligence to rapidly deploy protections to their customers and to systematically disrupt\r\nmalicious cyber actors. Learn more about the Cyber Threat Alliance.\r\nIndicators of Compromise\r\nSHA256 Hashes of Malware Samples\r\nAES Keys and Nonce\r\nAshenLoader Variant #1\r\nKey: {9a 20 51 98 4a 2b b1 76 ef 98 87 e3 be 87 f9 ca 44 ba 8c 19 a8 ef ba 55 62 98 e1 2a 39 21 ea 8b}\r\nNonce: {44 ba 8c 19 a8 ef ba 55 62 98 e1 2a 39 21 ea 8b}\r\nAshenLoader Variant #2\r\nKey: {60 3d eb 10 15 ca 71 be 2b 73 ae f0 85 7d 77 81 1f 35 2c 07 3b 61 08 d7 2d 98 10 a3 09 14 df f4}\r\n(generic default key)\r\nNonce: {f0 f1 f2 f3 f4 f5 f6 f7 f8 f9 fa fb fc fd fe ff} (generic default nonce)\r\nAshenStager XOR Key: msasn1.dll\r\nC2 Domains\r\nScheduled Task Names\r\nC:\\Windows\\System32\\Tasks\\Windows\\WindowsDefenderUpdate\\Windows Defender Updater\r\nC:\\Windows\\System32\\Tasks\\Windows\\WindowsServicesUpdate\\Windows Services Updater\r\nC:\\Windows\\System32\\Tasks\\Automatic Windows Update\r\nAppendix A: Attribution\r\nOur assessment utilizes the Unit 42 Attribution Framework, which provides a systematic, evidence-based\r\nmethodology to connect observed malicious activity to specific threat groups. This approach moves beyond\r\nsubjective assessments, allowing us to rigorously evaluate multiple dimensions of threat data, including TTPs,\r\ntooling, OpSec, network infrastructure and victimology.\r\nTactics, Techniques and Procedures (TTPs)\r\nThere is a significant overlap between this campaign and Ashen Lepus’s established modus operandi. The group\r\nconsistently crafts lures written in Arabic that focus on the developing political and military situation in the\r\nMiddle East, with a specific emphasis on the Palestinian Territories.\r\nWhile public reporting on the group's post-compromise activity is limited, the hands-on espionage actions\r\nobserved in this incident – specifically, the targeted theft of diplomatic documents – strongly correlate with the\r\ngroup's known intelligence collection interests and sophistication level.\r\nInfrastructure Overlaps\r\nWe identified clear infrastructure overlaps with historic reporting on the group. Specifically, the URL structure\r\nobserved in this campaign aligns with findings from Check Point. 
For example, the URL cited in their report has\r\nthe same subdomain naming scheme and URL parameter structure that we observed in previous loader versions\r\n(api/v1.0/account?token=):\r\nhxxps://support-api[.]financecovers[.]com/api/v1.0/account?token={encrypted_recon_data}\r\nA similar URL was also documented in OWN Security's report:\r\nhxxps://cdn[.]techpointinfo[.]com/api/v1.0/account?token={encrypted_recon_data}\r\nMalware Artifacts\r\nAnalysis of the loader reveals key features consistent with previous campaigns from this group, as documented by\r\nCheck Point. Notably, the loader continues to embed next-stage payloads within HTML tags of seemingly benign\r\nwebpages and utilizes similarly structured execution lures to initiate the infection chain. The group also uses the\r\nsame file names for their payloads – both their SharpStage .NET backdoor and previous versions of their loader\r\nwere named wtsapi32.dll.\r\nAppendix B: The Development of New Loader Versions\r\nAshenLoader is a possible evolution of the group's previous IronWind loader. Throughout 2025, Ashen Lepus was\r\nactively tweaking AshenLoader, which for the most part retained the same functionality. In addition to\r\nAshenLoader’s ability to communicate to the C2 server to download and execute additional payloads, the\r\nfollowing features were updated:\r\nEncryption algorithm: The threat actors implemented an AES-CTR-256 cipher in versions of the malware\r\nthat they compiled from early to late 2025, in contrast to the TEA algorithm mentioned in previous\r\nresearch. In samples that were compiled from mid to late 2025, the actors modified the encryption key and\r\ncounter (nonce) values. 
In both variants, the nonce and AES keys are hardcoded into the binaries.\r\nFingerprinting additional data from infected endpoints: The new variants provide the threat actors with\r\nmore detailed information about the infected endpoint than previous versions – such as listing files under\r\nthe ProgramFiles directory.\r\nURI updates: Variants discussed in previous public research used the token parameter sent in the initial\r\nbeaconing GET request. The earlier 2025 variants shifted toward using id= and q= parameters. Late 2025\r\nvariants then changed the scheme again and started using auth=. Additionally, part of the URI changed\r\nfrom /v1/ to /v2/.\r\nAlthough these features do not significantly change the loader’s functionality, they are simple and effective ways\r\nto avoid static detection engines.\r\nSource: https://unit42.paloaltonetworks.com/hamas-affiliate-ashen-lepus-uses-new-malware-suite-ashtag/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/hamas-affiliate-ashen-lepus-uses-new-malware-suite-ashtag/"
	],
	"report_names": [
		"hamas-affiliate-ashen-lepus-uses-new-malware-suite-ashtag"
	],
	"threat_actors": [
		{
			"id": "b14cd6df-3108-4839-8a2d-52eb2f8ce9c8",
			"created_at": "2022-10-25T15:50:23.798666Z",
			"updated_at": "2026-04-10T02:00:05.255838Z",
			"deleted_at": null,
			"main_name": "WIRTE",
			"aliases": [
				"WIRTE"
			],
			"source_name": "MITRE:WIRTE",
			"tools": [
				"LitePower",
				"Ferocious"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7800d05d-e713-4a4f-9b4f-0b960fb82c9d",
			"created_at": "2023-11-14T02:00:07.079123Z",
			"updated_at": "2026-04-10T02:00:03.444083Z",
			"deleted_at": null,
			"main_name": "WIRTE",
			"aliases": [
				"Ashen Lepus"
			],
			"source_name": "MISPGALAXY:WIRTE",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6bad0c51-0d2b-4f04-b355-f88c960db813",
			"created_at": "2025-08-07T02:03:24.546734Z",
			"updated_at": "2026-04-10T02:00:03.691101Z",
			"deleted_at": null,
			"main_name": "ALUMINUM THORN",
			"aliases": [
				"Frankenstein ",
				"WIRTE "
			],
			"source_name": "Secureworks:ALUMINUM THORN",
			"tools": [
				"FruityC2",
				"PowerShell Empire"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434136,
	"ts_updated_at": 1775826752,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8a6d1cac860155b54e5793373fdce8f8bcb630bf.pdf",
		"text": "https://archive.orkl.eu/8a6d1cac860155b54e5793373fdce8f8bcb630bf.txt",
		"img": "https://archive.orkl.eu/8a6d1cac860155b54e5793373fdce8f8bcb630bf.jpg"
	}
}