The threat actor known as WIRTE has been linked to a campaign utilizing a previously undocumented malware suite dubbed AshTag, focusing its attacks primarily on government and diplomatic entities throughout the Middle East since 2020. This activity cluster is being tracked by Palo Alto Networks Unit 42 under the name Ashen Lepus. Evidence uploaded to the VirusTotal platform indicates a geographical expansion of the operation, now including Oman and Morocco, moving beyond its previous targeting of the Palestinian Authority, Jordan, Iraq, Saudi Arabia, and Egypt. This suggests a persistent and wide-reaching campaign confined to these sensitive sectors within the region.
The cybersecurity firm told The Hacker News that it has identified “scores of unique lures” distributed across the Middle East, confirming the persistent and geographically extensive nature of the operation. Although more than a dozen entities are estimated to have been successfully targeted, the true number is suspected to be higher. Notably, Ashen Lepus maintained consistent activity throughout the recent Israel-Hamas conflict, which sets it apart from other associated groups whose operations diminished during the same period. This indicates a high level of operational commitment, with the group deploying newly developed malware and engaging in direct activity within victim environments even after the October 2025 Gaza ceasefire.
WIRTE overlaps with the Arabic-speaking, politically motivated cluster known as Gaza Cyber Gang, which also goes by the names Blackstem, Extreme Jackal, Molerats, and TA402. This overall threat actor is assessed to have been active since at least 2018. Reports suggest that both Molerats and APT-C-23, which is also called Arid Viper, Desert Varnish, or Renegade Jackal, are considered two main subgroups of the Hamas cyberwarfare division. The primary goal of WIRTE is espionage and the collection of intelligence, targeting government entities in the Middle East to achieve its strategic objectives, highlighting a clear state-aligned agenda.
According to Unit 42 researchers, the connection between WIRTE, or Ashen Lepus, and the broader Gaza Cyber Gang is mainly demonstrated through similarities and overlaps found in their codebases. This suggests that while these entities may operate separately, the tools they use were likely developed by closely linked groups, indicating a probable sharing of development resources. Further supporting this connection is the observed overlap in the victimology of these and other related groups. This long-running, elusive campaign tracked by Unit 42 has been found to heavily rely on phishing emails, with lures often centered on geopolitical affairs relevant to the region.
In a separate report published in November 2024, Check Point attributed to the same hacking group destructive attacks that were exclusively aimed at Israeli entities. These attacks sought to infect systems with a custom wiper malware known as SameCoin. This shows the group’s significant operational flexibility and its capability to adapt its actions to carry out both traditional espionage and more disruptive acts of sabotage. A recent increase in the use of geopolitical lures specific to Turkey (such as documents titled “Partnership agreement between Morocco and Turkey” or “Draft resolutions concerning the State of Palestine”) suggests that organizations within Turkey may be a newly developing area of focus for the threat actor.
Source: WIRTE Deploys Ashenloader Sideloading To Install The Ashtag Espionage Backdoor



