Hamas-Affiliated Ashen Lepus Targets Middle Eastern Diplomatic Entities With New AshTag Malware Suite

    Date: 12/12/2025

    Severity: Medium

    Summary

    Ashen Lepus (aka WIRTE), an APT linked to Hamas-affiliated interests, has conducted a long-running espionage campaign against governmental and diplomatic organizations across the Middle East. The group has introduced updated versions of its custom loader to deliver a new malware family dubbed AshTag and revamped its C2 infrastructure to better evade detection by blending in with legitimate traffic. Unlike other regional groups that slowed activity during the Israel–Hamas conflict, Ashen Lepus remained active throughout and continued operations after the October 2025 ceasefire, deploying new malware variants and conducting hands-on intrusions. Recent activity reflects a notable evolution in the group’s TTPs, including stronger payload encryption, infrastructure obfuscation via legitimate subdomains, and increased use of in-memory execution to reduce forensic visibility.

    Indicators of Compromise (IOC) List


    Task Names

    C:\Windows\System32\Tasks\Windows\WindowsDefenderUpdate\Windows Defender Updater

    C:\Windows\System32\Tasks\Windows\WindowsServicesUpdate\Windows Services Updater

    C:\Windows\System32\Tasks\Automatic Windows Update

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "api.systemsync.info" or siteurl like "api.systemsync.info" or url like "api.systemsync.info" or domainname like "apiv2.onlinefieldtech.com" or siteurl like "apiv2.onlinefieldtech.com" or url like "apiv2.onlinefieldtech.com" or domainname like "account.techupinfo.com" or siteurl like "account.techupinfo.com" or url like "account.techupinfo.com" or domainname like "api.medicinefinders.com" or siteurl like "api.medicinefinders.com" or url like "api.medicinefinders.com" or domainname like "api.softmatictech.com" or siteurl like "api.softmatictech.com" or url like "api.softmatictech.com" or domainname like "api.healthylifefeed.com" or siteurl like "api.healthylifefeed.com" or url like "api.healthylifefeed.com" or domainname like "status.techupinfo.com" or siteurl like "status.techupinfo.com" or url like "status.techupinfo.com" or domainname like "forum.techtg.com" or siteurl like "forum.techtg.com" or url like "forum.techtg.com" or domainname like "forum.technoforts.com" or siteurl like "forum.technoforts.com" or url like "forum.technoforts.com" or domainname like "api.technology-system.com" or siteurl like "api.technology-system.com" or url like "api.technology-system.com" or domainname like "auth.onlinefieldtech.com" or siteurl like "auth.onlinefieldtech.com" or url like "auth.onlinefieldtech.com" or domainname like "api.widetechno.info" or siteurl like "api.widetechno.info" or url like "api.widetechno.info"

    Detection Query 2:

    sha256hash IN ("2d71d7e6ffecab8eefa2d6a885bcefe639fca988bdcac99e9b057e61698a1fd6","f9816bc81de2e8639482c877a8defcaed9b15ffdce12beaef1cff3fea95999d4","3502c9e4896802f069ef9dcdba2a7476e1208ece3cd5ced9f1c4fd32d4d0d768","f380bd95156fbfb93537f35941278778819df1629cb4c5a4e09fe17f6293b7b7","4e1f7b48249dd5bf3a857d5d017f0b88c0372749fa156f5456056767c5548345","b00491dc178a3d4f320951bccb17eb85bfef23e718b4b94eb597c90b5b6e0ba2","7e5769cd8128033fc933fbf3346fe2eb9c8e9fc6aa683546e9573e7aa01a8b6b","f554c43707f5d87625a3834116a2d22f551b1d9a5aff1e446d24893975c431bc","a17858f40ff506d59b5ee1ba2579da1685345206f2c7d78cb2c9c578a0c4402b","1f3bd755de24e00af2dba61f938637d1cc0fbfd6166dba014e665033ad4445c0","8c44fa9bf68341c61ccaca0a3723945543e2a04d9db712ae50861e3fa6d9cc98","ebe3b6977f66be30a22c2aff9b50fec8529dfa46415ea489bd7961552868f6b5","6bd3d05aef89cd03d6b49b20716775fe92f0cf8a3c2747094404ef98f96e9376","3d445c25752f86c65e03d4ebed6d563d48a22e424ba855001ad2db2290bf564c","8870bd358d605a5685a5f9f7785b5fee5aebdcb20e4e62153623f764d7366a3c","e71a292eafe0ca202f646af7027c17faaa969177818caf08569bd77838e93064","739a5199add1d970ba22d69cc10b4c3a13b72136be6d45212429e8f0969af3dc","30490ba95c42cefcca1d0328ea740e61c26eaf606a98f68d26c4a519ce918c99","66ab29d2d62548faeaeadaad9dd62818163175872703fda328bb1b4894f5e69e")

    Detection Query 3:

    resourcename = "Windows Security" and eventtype = "4698" and filename IN ("C:\Windows\System32\Tasks\Windows\WindowsDefenderUpdate\Windows Defender Updater","C:\Windows\System32\Tasks\Windows\WindowsServicesUpdate\Windows Services Updater","C:\Windows\System32\Tasks\Automatic Windows Update")

    Detection Query 4:

    technologygroup = "EDR" and filename IN ("C:\Windows\System32\Tasks\Windows\WindowsDefenderUpdate\Windows Defender Updater","C:\Windows\System32\Tasks\Windows\WindowsServicesUpdate\Windows Services Updater","C:\Windows\System32\Tasks\Automatic Windows Update")
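    As an added example that is not part of the advisory or of Gurucul's or Unit 42's tooling, the following Python applies the logic of Queries 1, 3 and 4 to constructed sample events whose field names follow the queries above. It goes beyond the literal exact-match clauses by also flagging subdomains of the listed C2 domains; the hash check of Query 2 is the same set-membership test on a sha256hash field and is omitted for brevity.

```python
from urllib.parse import urlsplit
# IOC values copied from the advisory above (C2 domains and scheduled-task paths).
C2_DOMAINS = {
    "forum.techtg.com", "forum.technoforts.com", "api.technology-system.com",
    "api.healthylifefeed.com", "api.softmatictech.com", "apiv2.onlinefieldtech.com",
    "auth.onlinefieldtech.com", "status.techupinfo.com", "api.medicinefinders.com",
    "account.techupinfo.com", "api.systemsync.info", "api.widetechno.info",
}
TASK_PATHS = {  # stored lower-case; inputs are normalized before comparison
    r"c:\windows\system32\tasks\windows\windowsdefenderupdate\windows defender updater",
    r"c:\windows\system32\tasks\windows\windowsservicesupdate\windows services updater",
    r"c:\windows\system32\tasks\automatic windows update",
}

def host_of(value):
    """Hostname of a bare domain or a full URL (urlsplit lower-cases it)."""
    if "://" not in value:
        value = "//" + value  # lets urlsplit treat a bare domain as the netloc
    return (urlsplit(value).hostname or "").rstrip(".")

def domain_matches(host):
    """True for an IOC domain or any subdomain of one (wider than an exact match)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)

def task_matches(path):
    """Case-insensitive, slash-normalized comparison against the IOC task paths."""
    return path.lower().replace("/", "\\") in TASK_PATHS
def evaluate(event):
    """Names of the advisory's queries that one normalized event dict triggers."""
    hits = []
    hosts = [host_of(event[f]) for f in ("domainname", "siteurl", "url") if event.get(f)]
    if any(domain_matches(h) for h in hosts):
        hits.append("Query1_C2Domain")
    fname = event.get("filename", "")
    if (event.get("resourcename") == "Windows Security"
            and event.get("eventtype") == "4698" and task_matches(fname)):
        hits.append("Query3_TaskCreated")
    if event.get("technologygroup") == "EDR" and task_matches(fname):
        hits.append("Query4_EDRTask")
    return hits

SAMPLE_EVENTS = [  # constructed sample records, not real telemetry
    {"url": "https://api.systemsync.info/v2/sync?id=7", "technologygroup": "Proxy"},
    {"resourcename": "Windows Security", "eventtype": "4698",
     "filename": r"C:\Windows\System32\Tasks\Automatic Windows Update"},
    {"technologygroup": "EDR", "filename": r"C:\Windows\System32\Tasks\Windows\WindowsServicesUpdate\Windows Services Updater"},
    {"url": "https://api.github.com/repos", "technologygroup": "Proxy"},
]
```

    Running `evaluate` over each entry of `SAMPLE_EVENTS` yields one hit per constructed IOC record and none for the benign URL.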

    Reference:

    https://unit42.paloaltonetworks.com/hamas-affiliate-ashen-lepus-uses-new-malware-suite-ashtag/


    Tags

    Malware, Threat Actor, AshTag, Ashen Lepus, APT, The Middle East, Government Services and Facilities, Cyber Espionage, Israel
