In recent months, we have been analyzing the activity of an advanced persistent threat (APT) known for espionage against Arabic-speaking government entities. We track this Middle Eastern threat actor as Ashen Lepus (aka WIRTE). In this article we share details of a long-running, elusive espionage campaign targeting governmental and diplomatic entities throughout the Middle East. We discovered that the group has created new versions of its previously documented custom loader, which now delivers a new malware suite that we have named AshTag. The group has also updated its command and control (C2) architecture to evade analysis and blend in with legitimate internet traffic.
Ashen Lepus remained active throughout the Israel-Hamas conflict, distinguishing it from other affiliated groups whose activity decreased over the same period. The group continued its campaign even after the October 2025 Gaza ceasefire, deploying newly developed malware variants and engaging in hands-on activity within victim environments.
This campaign highlights a tangible evolution in Ashen Lepus's operational security and its tactics, techniques and procedures (TTPs). While the group's operations over the years have shown only moderate sophistication, it has recently adopted more advanced tactics, including:
- Enhanced custom payload encryption
- Infrastructure obfuscation using legitimate subdomains
- In-memory execution to minimize forensic artifacts