Palo Alto Networks Unit 42 tracked an Ashen Lepus (aka WIRTE) espionage campaign that deployed a new malware suite dubbed “AshTag” against Arabic-speaking government entities, noting improved operational security such as custom payload encryption, infrastructure obfuscation using legitimate subdomains, and in-memory execution to reduce forensic artifacts. The researchers extracted 10 domains and 12 malicious subdomains as IoCs, observed 430 unique client IPs communicating with those domains, and identified historical WHOIS and DNS artifacts that expanded the set of related indicators. #AshTag #AshenLepus
Keypoints
- Unit 42 identified a new AshTag malware suite used by Ashen Lepus (WIRTE) in espionage targeting Arabic-speaking government entities.
- The actors improved OPSEC and TTPs: enhanced custom payload encryption, infrastructure obfuscation via legitimate subdomains, and in-memory malware execution to limit forensic traces.
- Researchers labeled 12 subdomains as malware distributors and extracted 10 related domains, bringing the analyzed IoCs to 22 items.
- Analysis uncovered 430 unique client IP addresses that communicated with an IoC (api[.]softmatictech[.]com) via 1,687 DNS queries across two ASNs between 19 Nov and 18 Dec 2025.
- Two domains were flagged by First Watch as likely to turn malicious 75–752 days before being officially identified on 11 Dec 2025 (healthylifefeed[.]com, systemsync[.]info).
- WHOIS and WHOIS history queries revealed 36 unique email addresses (nine public) and 29 email-connected domains; DNS Chronicle showed 1,425 domain-to-IP resolutions for the 10 domains.
MITRE Techniques
- [T1055] Process Injection – In-memory malware execution was used to minimize forensic artifacts (‘in-memory malware execution to minimize forensic artifacts.’)
- [T1027] Obfuscated Files or Information – The actors enhanced custom payload encryption to hide malicious content (‘enhanced their custom payload encryption’)
- [T1583.001] Acquire Infrastructure: Domain Registration – The campaign involved domains that were registered and some deemed likely to turn malicious well before being flagged (‘two domains identified as IoCs were deemed likely to turn malicious 75—752 days before being dubbed as such’)
- [T1071.004] Application Layer Protocol: DNS – Heavy DNS activity was observed, including 1,687 DNS queries to api[.]softmatictech[.]com between 19 November and 18 December 2025 (‘api[.]softmatictech[.]com via 1,687 DNS queries between 19 November and 18 December 2025.’)
- [T1591] Gather Victim Identity Information – WHOIS and WHOIS History were queried to recover email addresses and historical registrar data (‘we uncovered 36 unique email addresses in all. Upon further scrutiny, we determined that nine were public email addresses.’)
- [T1590] Gather Victim Network Information – DNS Chronicle and DNS Lookup queries were used to map domain-to-IP resolutions and historical DNS data (‘a DNS Chronicle API query for the 10 domains identified as IoCs … showed that they recorded 1,425 domain-to-IP resolutions over time.’)
Indicators of Compromise
- [Subdomains] malware distribution – auth[.]onlinefieldtech[.]com, api[.]softmatictech[.]com, and 10 other subdomains
- [Domains] identified as IoCs and analyzed for ownership/resolutions – healthylifefeed[.]com, systemsync[.]info, and 8 other domains
- [Client IP addresses] communication with IoCs – 430 unique client IPs contacted api[.]softmatictech[.]com via 1,687 DNS queries (no raw IPs disclosed in the article)
- [Malicious IP address] single malicious IP noted – one IP address flagged as malicious (specific IP not provided)
- [Email addresses / Email-connected domains] WHOIS-harvested identifiers – 36 unique email addresses (nine public) linked to 29 email-connected domains; example domain with historical WHOIS emails: techupinfo[.]com
- [Domain-to-IP resolutions] DNS history and resolution counts – technology-system[.]com (7,702 resolutions), techupinfo[.]com (95 resolutions), and other domain-to-IP mappings totaling 1,425 resolutions
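The client-IP and query-count analysis in the keypoints (430 unique clients, 1,687 queries to api[.]softmatictech[.]com over a date range) is the kind of triage a defender repeats against their own resolver logs once the defanged indicators above are published. The script below is an added example, not code from Unit 42 or CircleID: it refangs the `[.]` notation, then scans DNS query log lines and reports query count, unique clients and first/last-seen timestamps per indicator. The log line format (`<timestamp> client=<ip> qname=<name> qtype=<type>`) and the log lines themselves are constructed for the example; only the two named subdomains come from the summary. Matching is by exact name or by subdomain suffix, so `cdn.api.softmatictech.com` counts as a hit while the parent `softmatictech.com` does not, which mirrors how the article distinguishes the 12 malicious subdomains from their 10 parent domains.

```python
"""Match DNS query logs against a defanged IoC list.

Added example (not part of the Unit 42 / CircleID article). The log lines
are constructed; the two indicator values are the subdomains named in the
summary above.
"""
import re
from typing import Dict, List, Optional

# Defanged indicators exactly as they appear in the summary.
DEFANGED_IOCS = [
    "auth[.]onlinefieldtech[.]com",
    "api[.]softmatictech[.]com",
]

# Constructed sample resolver log (hypothetical format:
# "<timestamp> client=<ip> qname=<name> qtype=<type>").
SAMPLE_LOG = """\
2025-11-19T08:01:12Z client=10.0.0.5 qname=api.softmatictech.com. qtype=A
2025-11-19T08:01:13Z client=10.0.0.5 qname=API.softmatictech.com qtype=AAAA
2025-11-20T09:15:44Z client=10.0.0.9 qname=auth.onlinefieldtech.com qtype=A
2025-11-20T09:16:00Z client=10.0.0.9 qname=www.example.com qtype=A
2025-12-01T11:30:05Z client=10.0.1.7 qname=cdn.api.softmatictech.com qtype=A
2025-12-18T23:59:59Z client=10.0.1.7 qname=softmatictech.com qtype=A
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+qname=(?P<qname>\S+)")


def refang(indicator: str) -> str:
    """Turn a defanged name such as api[.]example[.]com into a plain hostname."""
    return indicator.strip().lower().replace("[.]", ".").replace("(.)", ".").rstrip(".")


def normalize_qname(qname: str) -> str:
    """Lower-case the queried name and drop a trailing root dot."""
    return qname.strip().lower().rstrip(".")


def ioc_for(qname: str, iocs: List[str]) -> Optional[str]:
    """Return the indicator a query name matches: exact name or a subdomain of it.

    The parent domain of an indicator is deliberately not a match, so that
    softmatictech.com does not count as traffic to api.softmatictech.com.
    """
    for ioc in iocs:
        if qname == ioc or qname.endswith("." + ioc):
            return ioc
    return None


def scan(log_text: str, defanged_iocs: List[str]) -> Dict[str, dict]:
    """Aggregate queries, unique clients and first/last-seen per indicator."""
    iocs = [refang(i) for i in defanged_iocs]
    hits: Dict[str, dict] = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        ioc = ioc_for(normalize_qname(m["qname"]), iocs)
        if ioc is None:
            continue
        entry = hits.setdefault(
            ioc, {"queries": 0, "clients": set(), "first_seen": m["ts"], "last_seen": m["ts"]}
        )
        entry["queries"] += 1
        entry["clients"].add(m["client"])
        # ISO-8601 timestamps in the same zone compare correctly as strings.
        entry["first_seen"] = min(entry["first_seen"], m["ts"])
        entry["last_seen"] = max(entry["last_seen"], m["ts"])
    # Sort client sets into lists so the output is deterministic.
    return {ioc: {**e, "clients": sorted(e["clients"])} for ioc, e in hits.items()}


if __name__ == "__main__":
    for ioc, e in scan(SAMPLE_LOG, DEFANGED_IOCS).items():
        print(f"{ioc}: {e['queries']} queries from {len(e['clients'])} clients "
              f"({e['first_seen']} .. {e['last_seen']})")
```

On real resolver logs the same `scan` function runs unchanged once `LOG_RE` is adapted to the local log format; the unique-client count per indicator is the figure to compare against the 430 clients the researchers saw, and first/last-seen bounds the window to look at in proxy or EDR telemetry.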
Read more: https://circleid.com/posts/an-in-depth-analysis-of-the-ashen-lepus-ashtag-enabled-attack