Hamas-Linked APT "Ashen Lepus" Targets Middle East with New "AshTag" Malware

Ashen Lepus (WIRTE) APT Group Deploys New Modular "AshTag" Malware in Espionage Campaign Against Middle Eastern Governments

HIGH
December 11, 2025
Threat Actor, Malware, Cyberattack

Related Entities

Threat Actors: Ashen Lepus, WIRTE

Other: AshTag, Hamas


Executive Summary

Unit 42 has identified an ongoing cyber-espionage campaign conducted by Ashen Lepus, a Hamas-affiliated Advanced Persistent Threat (APT) group also tracked as WIRTE. The campaign targets governmental and diplomatic organizations across the Middle East with a newly developed malware suite called AshTag. The toolset, written in .NET, marks a clear step up in the group's technical capability and operational security: an actor previously assessed as moderately sophisticated now relies on in-memory payload execution and stronger encryption to keep a low profile while pursuing its intelligence-gathering objectives.


Threat Overview

Ashen Lepus has a history of targeting entities in the Middle East for espionage purposes. This latest campaign continues that focus, specifically targeting diplomatic and government networks. The group's methodology has been described as "low-cost, high-impact," but recent activity shows a clear investment in developing more resilient and evasive tools. The campaign has persisted even after the October 2025 Gaza ceasefire, indicating a long-term strategic commitment to its intelligence-gathering mission.

Technical Analysis

AshTag is a modular malware suite that gives the attackers a flexible platform for post-compromise activity. Its core components are written in .NET, a common choice for malware developers because the runtime is already present on every Windows host and assemblies can be loaded reflectively from a byte array without ever touching disk.

Key features and TTPs include:

  • Modular Architecture: AshTag consists of multiple tools that can be deployed as needed, including modules for command execution, data exfiltration, and reconnaissance.
  • In-Memory Execution: The group executes payloads directly in memory rather than writing them to disk (T1620 - Reflective Code Loading; T1055 - Process Injection where the payload is placed into another process). This fileless technique evades antivirus products that rely on scanning files on disk, although it remains visible to memory scanning and behaviour-based EDR.
  • Enhanced Encryption: The malware's custom payloads now feature stronger encryption, making it more difficult for defenders to analyze network traffic and reverse-engineer the malware.
  • C2 Obfuscation: Ashen Lepus uses legitimate-looking subdomains for its command-and-control (C2) infrastructure (T1583.001 - Acquire Infrastructure: Domains; T1071.001 - Application Layer Protocol: Web Protocols). This is not a domain generation algorithm (T1568.002): the hostnames are chosen to resemble ordinary service names so that C2 traffic blends in with normal network activity and slips past domain-based blocklists.
  • Hands-on Activity: The group engages in hands-on-keyboard activity within compromised environments, allowing them to adapt their tactics based on the specific network they have infiltrated.

Impact Assessment

The primary goal of the Ashen Lepus campaign is espionage. A successful intrusion into a governmental or diplomatic network could lead to the theft of highly sensitive information, including political strategies, negotiation positions, intelligence data, and personal information of government officials. This stolen data could provide a significant strategic advantage to Hamas and its sponsors. The group's improved TTPs increase the likelihood of a successful, long-term compromise, as they are better able to evade detection and maintain persistence.

IOCs

No specific IOCs were provided in the source reports.

Cyber Observables for Detection

  • .NET runtime loads: Monitor for the CLR (clr.dll, coreclr.dll, clrjit.dll) being loaded into processes that do not normally host .NET, especially Microsoft Office applications that have just opened a document, and for unsigned assemblies that are loaded from memory rather than from a path on disk. Sysmon Event ID 7 (image load) and the Microsoft-Windows-DotNETRuntime ETW provider both expose this.
  • Network Traffic: Look for DNS queries and connections to newly registered domains, or to previously unseen subdomains of otherwise ordinary-looking domains, particularly from sensitive government systems.
  • PowerShell Activity: APT groups frequently use PowerShell for in-memory execution and lateral movement. Monitor for suspicious PowerShell commands and scripts (T1059.001).

Detection & Response

Detecting an evolving threat like Ashen Lepus requires a defense-in-depth strategy.

  1. Endpoint Detection and Response (EDR): Deploy an EDR solution capable of detecting fileless malware techniques like in-memory execution and process injection. This aligns with D3FEND Process Analysis.
  2. Network Traffic Analysis: Use network security monitoring tools to analyze traffic for anomalies, and alert on connections to suspicious or newly created domains. D3FEND SSL/TLS Inspection helps expose malicious payloads inside encrypted sessions, but only where policy permits decryption; for traffic that cannot be inspected, fall back on destination reputation, domain age, and beaconing patterns (fixed intervals, consistent request sizes).
  3. Threat Hunting: Proactively hunt for signs of compromise based on the group's known TTPs. This could include searching for specific command-line patterns, suspicious scheduled tasks, or unusual .NET assembly loads.
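The Cyber Observables list above and the threat-hunting step in the Detection & Response list above both come down to a handful of rules over endpoint telemetry. The Python below is an added example written for this page; it is not Unit 42 code and not an Ashen Lepus or AshTag artifact. It assumes Sysmon-style events (ID 1 process creation, ID 7 image load, ID 22 DNS query), a hypothetical list of processes that should never host the .NET CLR, and a constructed domain-registration table standing in for a WHOIS or passive-DNS lookup. All sample events and domain names are constructed, not IOCs.

```python
"""Hunting rules for in-memory .NET loads, suspicious PowerShell and young domains.

Added example, not Unit 42 or Ashen Lepus tooling. Event shapes mimic Sysmon
(Event ID 1 process create, 7 image load, 22 DNS query). The domain-age table
is a constructed placeholder for a WHOIS / passive-DNS lookup.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date

# Processes that should not normally host the .NET runtime (assumption: tune
# to your environment). clr.dll loaded into one of these is a classic sign of
# an in-memory .NET payload launched from a document.
NON_DOTNET_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                    "mshta.exe", "wscript.exe"}
CLR_IMAGES = {"clr.dll", "coreclr.dll", "clrjit.dll", "mscoree.dll"}

# Command-line patterns associated with in-memory PowerShell execution (T1059.001).
PS_SUSPICIOUS = re.compile(
    r"(-enc(odedcommand)?\s|-nop\b|-w(indowstyle)?\s+hidden|invoke-expression|"
    r"\biex\b|downloadstring|reflection\.assembly|::load\()",
    re.IGNORECASE,
)

# Constructed registration dates standing in for a WHOIS / passive-DNS feed.
DOMAIN_REGISTERED = {
    "example.com": date(1995, 8, 14),
    "update-cdn-services.net": date(2025, 11, 20),  # constructed "newly registered" domain
}
NEW_DOMAIN_DAYS = 30
TODAY = date(2025, 12, 11)  # pinned so the example is deterministic


@dataclass
class Alert:
    rule: str
    host: str
    detail: str


def registrable_domain(fqdn: str) -> str:
    """Crude eTLD+1 (last two labels); use a public-suffix parser in production."""
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_image_load(ev: dict) -> Alert | None:
    """CLR loaded into a process that should never host .NET."""
    if basename(ev["Image"]) in NON_DOTNET_HOSTS and basename(ev["ImageLoaded"]) in CLR_IMAGES:
        return Alert("clr_in_office_process", ev["Computer"],
                     f'{basename(ev["Image"])} loaded {basename(ev["ImageLoaded"])}')
    return None


def check_process_create(ev: dict) -> Alert | None:
    """PowerShell launched with encoded / hidden / download-cradle arguments."""
    if basename(ev["Image"]) in {"powershell.exe", "pwsh.exe"} and PS_SUSPICIOUS.search(ev["CommandLine"]):
        return Alert("suspicious_powershell", ev["Computer"], ev["CommandLine"])
    return None


def check_dns_query(ev: dict, today: date = TODAY) -> Alert | None:
    """Query for a domain registered less than NEW_DOMAIN_DAYS ago."""
    reg = DOMAIN_REGISTERED.get(registrable_domain(ev["QueryName"]))
    if reg is not None and (today - reg).days < NEW_DOMAIN_DAYS:
        return Alert("newly_registered_domain", ev["Computer"],
                     f'{ev["QueryName"]} registered {reg.isoformat()}')
    return None


RULES = {1: check_process_create, 7: check_image_load, 22: check_dns_query}


def hunt(events: list[dict]) -> list[Alert]:
    """Run every event through the rule registered for its Sysmon Event ID."""
    alerts = []
    for ev in events:
        rule = RULES.get(ev["EventID"])
        if rule is not None:
            alert = rule(ev)
            if alert is not None:
                alerts.append(alert)
    return alerts


# Constructed sample telemetry (not real IOCs).
SAMPLE_EVENTS = [
    {"EventID": 7, "Computer": "WS01", "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"},
    {"EventID": 7, "Computer": "WS01", "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"},  # benign: svchost hosts .NET
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAA="},
    {"EventID": 1, "Computer": "WS02", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\scripts\\inventory.ps1"},  # benign admin script
    {"EventID": 22, "Computer": "WS01", "QueryName": "mail.update-cdn-services.net"},
    {"EventID": 22, "Computer": "WS02", "QueryName": "www.example.com"},
]

if __name__ == "__main__":
    for a in hunt(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.host}: {a.detail}")
```

Run against the constructed events, the rules fire three times (the Word process loading clr.dll, the encoded PowerShell command, and the query to the 21-day-old domain) and stay quiet on the benign svchost load, the plain script invocation and the long-established domain. The svchost exclusion is the important design point: the CLR load rule keys on which process hosts the runtime, not on the runtime itself, because many legitimate Windows services are .NET.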

Mitigation

  1. Email Security: As phishing is a common initial access vector for such groups, implement robust email security controls to block malicious attachments and links.
  2. Application Control: Use application control solutions such as Windows Defender Application Control or AppLocker, including DLL rules, to prevent the execution of unauthorized .NET assemblies and other payloads. Note that allowlisting stops the stages that touch disk (the initial loader or dropper); payloads reflectively loaded from memory must be caught by the EDR and behaviour layer.
  3. Network Segmentation: Segment networks to limit an attacker's ability to move laterally from a compromised workstation to a critical server. This is a key principle of D3FEND Network Isolation.
  4. Endpoint Hardening: Harden endpoints by restricting scripting languages like PowerShell where not explicitly needed (Constrained Language Mode, with Script Block Logging and Module Logging enabled so that what does run is recorded), and ensure systems are fully patched.

Timeline of Events

December 11, 2025: This article was published.

MITRE ATT&CK Mitigations

  1. Behavior Prevention on Endpoint (M1040): Utilize EDR solutions to detect and block malicious behaviors associated with fileless malware, such as process injection and in-memory execution. Mapped D3FEND technique: Process Analysis.
  2. Filter Network Traffic (M1037): Implement egress filtering and SSL/TLS inspection to identify and block C2 communications, even when they are encrypted or use legitimate-looking domains. Mapped D3FEND techniques: Network Traffic Analysis, Network Isolation.
  3. Execution Prevention (M1038): Use application control policies to restrict the execution of unauthorized scripts and .NET assemblies, preventing the initial payload from running. Mapped D3FEND technique: Executable Allowlisting.


Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Ashen Lepus, WIRTE, AshTag, APT, Cyber Espionage, Middle East, Malware
