{ "name": "Hamas-Affiliated Ashen Lepus Targets Middle Eastern Diplomatic Entities With New AshTag Malware Suite", "slug": "hamas-affiliated-ashen-lepus-targets-middle-eastern-diplomatic-entities-with-new-ashtag-malware-suite", "description": "The report details a long-running espionage campaign by Ashen Lepus, a Hamas-affiliated threat group, targeting governmental and diplomatic entities in the Middle East. The group has developed a new malware suite called AshTag, which includes enhanced custom payload encryption, infrastructure obfuscation, and in-memory execution. Ashen Lepus has expanded its targeting beyond traditional geographic boundaries, now including entities in Oman and Morocco. The AshTag malware suite employs a multi-stage infection chain, utilizing decoy PDFs and RAR archives to deliver its payloads. The group has also updated its C2 architecture to evade detection and blend with legitimate traffic.", "published": "2025-12-11T11:06:23+00:00", "created_at": "2025-12-11T11:06:23+00:00", "modified_at": "2025-12-21T17:59:16+00:00", "created_at_opencti": "2025-12-11T11:06:23+00:00", "author": "", "confidence": null, "report_types": [], "labels": [], "tags": [ "2025-12-11", "ashenloader", "ashenorchestrator", "ashenstager", "ashtag", "diplomatic", "espionage", "governmental", "hamas" ], "related_entities": { "observables": [ { "id": "", "name": "8870bd358d605a5685a5f9f7785b5fee5aebdcb20e4e62153623f764d7366a3c" }, { "id": "", "name": "7e5769cd8128033fc933fbf3346fe2eb9c8e9fc6aa683546e9573e7aa01a8b6b" }, { "id": "", "name": "f554c43707f5d87625a3834116a2d22f551b1d9a5aff1e446d24893975c431bc" }, { "id": "", "name": "739a5199add1d970ba22d69cc10b4c3a13b72136be6d45212429e8f0969af3dc" }, { "id": "", "name": "4e1f7b48249dd5bf3a857d5d017f0b88c0372749fa156f5456056767c5548345" }, { "id": "", "name": "66ab29d2d62548faeaeadaad9dd62818163175872703fda328bb1b4894f5e69e" }, { "id": "", "name": "2d71d7e6ffecab8eefa2d6a885bcefe639fca988bdcac99e9b057e61698a1fd6" }, { "id": "", "name": "30490ba95c42cefcca1d0328ea740e61c26eaf606a98f68d26c4a519ce918c99" }, { "id": "", "name": "6bd3d05aef89cd03d6b49b20716775fe92f0cf8a3c2747094404ef98f96e9376" }, { "id": "", "name": "3502c9e4896802f069ef9dcdba2a7476e1208ece3cd5ced9f1c4fd32d4d0d768" }, { "id": "", "name": "e71a292eafe0ca202f646af7027c17faaa969177818caf08569bd77838e93064" }, { "id": "", "name": "f380bd95156fbfb93537f35941278778819df1629cb4c5a4e09fe17f6293b7b7" }, { "id": "", "name": "8c44fa9bf68341c61ccaca0a3723945543e2a04d9db712ae50861e3fa6d9cc98" }, { "id": "", "name": "1f3bd755de24e00af2dba61f938637d1cc0fbfd6166dba014e665033ad4445c0" }, { "id": "", "name": "f9816bc81de2e8639482c877a8defcaed9b15ffdce12beaef1cff3fea95999d4" }, { "id": "", "name": "ebe3b6977f66be30a22c2aff9b50fec8529dfa46415ea489bd7961552868f6b5" }, { "id": "", "name": "3d445c25752f86c65e03d4ebed6d563d48a22e424ba855001ad2db2290bf564c" }, { "id": "", "name": "b00491dc178a3d4f320951bccb17eb85bfef23e718b4b94eb597c90b5b6e0ba2" }, { "id": "", "name": "a17858f40ff506d59b5ee1ba2579da1685345206f2c7d78cb2c9c578a0c4402b" } ], "malware": [ { "id": "137d7013-95fa-4635-a7c7-e2c85a3f2798", "name": "AshenStager", "slug": "ashenstager" }, { "id": "legacy:malware:798f75146cda583f", "name": "AshenLoader", "slug": "ashenloader" }, { "id": "legacy:malware:304678b60cd68989", "name": "AshTag", "slug": "ashtag" }, { "id": "legacy:malware:556e631158e7dbc6", "name": "AshenOrchestrator", "slug": "ashenorchestrator" } ], "intrusion_sets": [ { "id": "7739d145-691e-42c8-abb8-c1352755ccf7", "name": "Ashen Lepus", "slug": "ashen-lepus" } ], "attack_patterns": [ { "id": "c473a756-355a-42ad-a0df-cd3a8fa006d1", "name": "T1057" }, { "id": "93b2c4dd-5523-4464-8976-78754ee372fd", "name": "T1012" }, { "id": "7d7ac733-6442-416f-8669-c302dd0843b9", "name": "T1036" }, { "id": "c3af9fd7-d307-4df4-9220-cc627938fb85", "name": "T1055" }, { "id": "0ca071fb-4f52-4672-b64a-75deff57d874", "name": "T1048" }, { "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f", "name": "T1071.001" }, { "id": "29398669-98ed-4766-9dac-f9632f7175ff", "name": "T1518" }, { "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6", "name": "T1204.002" }, { "id": "0c836307-129e-4ff7-a532-180c633cacba", "name": "T1027" }, { "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571", "name": "T1105" }, { "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221", "name": "T1059" }, { "id": "5999052b-e9ae-49e8-9235-d9bf975c22af", "name": "T1547.001" }, { "id": "0156fcda-e385-4662-b388-086c3e16feec", "name": "T1140" }, { "id": "45082a8e-9c79-470e-ad1b-decac7188e8f", "name": "T1083" }, { "id": "1e73eaa9-ea78-444b-b3a3-5842f5d35115", "name": "T1074" }, { "id": "70616b2f-4019-4963-b758-5d9f6f20e201", "name": "T1082" } ], "others": [ { "id": "", "name": "Egypt" }, { "id": "", "name": "Oman" }, { "id": "", "name": "Morocco" }, { "id": "", "name": "Jordan" }, { "id": "", "name": "Government and administrations" }, { "id": "", "name": "apiv2.onlinefieldtech.com" }, { "id": "", "name": "api.softmatictech.com" }, { "id": "", "name": "api.systemsync.info" }, { "id": "", "name": "api.widetechno.info" }, { "id": "", "name": "api.technology-system.com" }, { "id": "", "name": "forum.technoforts.com" }, { "id": "", "name": "api.healthylifefeed.com" }, { "id": "", "name": "account.techupinfo.com" }, { "id": "", "name": "api.medicinefinders.com" }, { "id": "", "name": "forum.techtg.com" }, { "id": "", "name": "auth.onlinefieldtech.com" }, { "id": "", "name": "status.techupinfo.com" } ] }, "external_refs": [ "https://otx.alienvault.com/pulse/693ab3bfc97a8cfb06853a5d", "https://unit42.paloaltonetworks.com/hamas-affiliate-ashen-lepus-uses-new-malware-suite-ashtag" ] }