Intel Name: Hamas-affiliated Ashen Lepus targets Middle Eastern diplomatic entities with new AshTag malware suite
Date of Scan: December 12, 2025
Impact: Medium
Summary: Ashen Lepus (aka WIRTE), an APT linked to Hamas-affiliated interests, has conducted a long-running espionage campaign against governmental and diplomatic organizations across the Middle East. The group has introduced updated versions of its custom loader to deliver a new malware family dubbed AshTag and revamped its C2 infrastructure to better evade detection by blending in with legitimate traffic. Unlike other regional groups that slowed activity during the Israel–Hamas conflict, Ashen Lepus remained active throughout and continued operations after the October 2025 ceasefire, deploying new malware variants and conducting hands-on intrusions. Recent activity reflects a notable evolution in the group’s TTPs, including stronger payload encryption, infrastructure obfuscation via legitimate subdomains, and increased use of in-memory execution to reduce forensic visibility.