AshTag
AshTag is a modular, multi-stage .NET malware suite/backdoor used for cyber-espionage and attributed by Palo Alto Networks Unit 42 to the Hamas-affiliated threat group Ashen Lepus, also tracked as WIRTE. It has been used in campaigns targeting government and diplomatic entities across the Middle East, including the Palestinian Authority, Egypt, Jordan, Oman, and Morocco, with the stated objective of stealing sensitive diplomatic documents and maintaining long-term access to compromised systems.
The infection chain described in the source material uses spear-phishing and diplomatic-themed Arabic-language lures. Victims are led to download a RAR archive containing a fake document executable, a malicious loader, and a decoy PDF. Execution relies on DLL sideloading: the fake document launches a hidden malicious DLL while opening a harmless PDF to reduce suspicion. The malware suite is composed of AshenLoader, AshenStager, and AshenOrchestrator. AshenLoader sends host data to C2 and retrieves the next stage from HTML content; AshenStager extracts a Base64-encoded payload embedded in HTML tags; and AshenOrchestrator manages communications, decrypts configuration and payload data, and loads additional modules. The framework emphasizes stealth through in-memory execution, encrypted and Base64-encoded payloads hidden in web pages, and C2 infrastructure that blends with legitimate-looking traffic, including API-style subdomains such as api.healthylifefeed[.]com and auth.onlinefieldtech[.]com.
Reported capabilities include persistence, remote command execution, file theft/exfiltration, downloading additional content, loading .NET assemblies in memory, and installing add-on modules. AshTag masquerades as a legitimate VisualServer utility. Documented modules include system fingerprinting via WMI and screen capture; one recovered module collects a victim UUID from Win32_ComputerSystemProduct and sends a unique victim ID to the operators. The malware’s configuration reportedly contains C2 domains, module URLs, encryption keys, and jitter values. Unit 42 also observed hands-on-keyboard collection activity associated with this intrusion set, including theft of diplomacy-related documents and staging/exfiltration activity. Overall, the content describes AshTag as an evolved espionage platform reflecting improved operational security and modular tradecraft by Ashen Lepus/WIRTE.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Ashen Lepus deployed AshTag and AshenLoader targeting Palestine, Egypt, Jordan, Oman, and Morocco.
Techniques & procedures
4 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution
1 techniquePersistence
1 techniquePrivilege Escalation
1 techniqueStealth
1 techniqueThe content repeatedly describes adversaries using Base64, XOR, RC4, AES, hexadecimal encoding, string encryption, code flattening, custom crypters, and other obfuscation methods to hide payloads, strings, configuration data, URLs, and scripts.
Command and Control
1 techniqueThe content repeatedly describes threat actors, malware, and campaigns using HTTP, HTTPS, HTTP GET/POST, cookies in headers, WebSockets/WSS, and web APIs for command and control or related communications.
Exfiltration
1 techniqueADVSTORESHELL exfiltrates data over the same channel used for C2. Agrius exfiltrated staged data using tools such as Putty and WinSCP, communicating with command and control servers. AppleSeed can exfiltrate files via the C2 channel.
Recent activity
14 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Malware deployed by Ashen Lepus in regional targeting operations.
Espionage backdoor used by WIRTE (Ashen Lepus) since 2020; delivered via AshenLoader sideloading per referenced title.
A modular, multi-stage malware suite designed for persistence, adaptability, and operational longevity, used by the Ashen Lepus threat group. It demonstrates professional-grade malware development and operational security.
AshTag is a modular backdoor used for espionage, delivered via DLL-sideloading chains, and is part of a toolkit used by the Hamas-affiliated Ashen Lepus (WIRTE) group for targeting Middle Eastern diplomatic entities.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.