WIRTE Leverages Ashenloader Sideloading To Install The AshTag...
An advanced persistent threat (APT) known as WIRTE has been attributed to attacks, ongoing since 2020, that target government and diplomatic entities across the Middle East with a previously undocumented malware suite dubbed AshTag.
Palo Alto Networks is tracking the activity cluster under the name Ashen Lepus. Artifacts uploaded to the VirusTotal platform show that the threat actor has trained its sights on Oman and Morocco, indicating an expansion in operational scope beyond the Palestinian Authority, Jordan, Iraq, Saudi Arabia, and Egypt.
"Ashen Lepus remained persistently active throughout the Israel-Hamas conflict, distinguishing it from other affiliated groups whose activities decreased over the same period," the cybersecurity company said in a report shared with The Hacker News. "Ashen Lepus continued with its campaign even after the October 2025 Gaza ceasefire, deploying newly developed malware variants and engaging in hands-on activity within victim environments."
WIRTE, which overlaps with an Arabic-speaking, politically motivated cluster known as Gaza Cyber Gang (aka Blackstem, Extreme Jackal, Molerats, or TA402), is assessed to be active since at least 2018. According to a report from Cybereason, both Molerats and APT-C-23 (aka Arid Viper, Desert Varnish, or Renegade Jackal) are two main sub-groups of the Hamas cyberwarfare division.
It's primarily driven by espionage and intelligence collection, targeting government entities in the Middle East to meet its strategic objectives.
In a report published in November 2024, Check Point attributed to the hacking crew destructive attacks aimed exclusively at Israeli entities, infecting them with a custom wiper malware referred to as SameCoin, highlighting the group's ability to adapt and carry out both espionage and sabotage.
The long-running, elusive campaign detailed by Unit 42, going all the way back to 2018, has been found to leverage phishing emails with lures related to geopolitical affairs in the region. A recent increase in lures related to Turkey – e.g., "Partnership agreement between Morocco and Turkey" or "Draft resolutions concerning the State of Palestine" – suggests that entities in the country may be a new area of focus.
The attack chains commence with a harmless PDF decoy that tricks recipients into downloading a RAR archive from a file-sharing service. Opening the archive triggers a chain of events that results in the deployment of AshTag.
This involves using a renamed benign binary to sideload a
Source: The Hacker News