WIRTE APT (Ashen Lepus) Espionage
Targeted Sectors
· Government
· Diplomatic entities
· Military advisors
· NGOs
· Think tanks
Countries
· Oman
· Morocco
· Palestinian Authority
· Jordan
· Iraq
· Saudi Arabia
· Egypt
BLUF
WIRTE is conducting persistent, wide-reaching espionage campaigns in the Middle East using spear-phishing and DLL sideloading to install the AshTag backdoor for data exfiltration.
Date of First Reported Activity
· Campaign ongoing since at least 2020, with new tools reported on December 11, 2025.
Date of Last Reported Activity Update
· December 11, 2025.
APT Names
· WIRTE aka
o Ashen Lepus
o UNC4057
o Star Blizzard
o Callisto
Associated Criminal Organization Names
· None
IOCs
Malicious Files
· AshenLoader (DLLs used for sideloading)
· AshTag backdoor samples
Recent C2 Domains
· api.healthylifefeed[.]com
· api.softmatictech[.]com
· auth.onlinefieldtech[.]com
C2 Infrastructure Evolution
Key aspects of the group's C2 architecture and operational shift:
Subdomain Usage
Instead of standalone domains, they register subdomains on existing, seemingly legitimate domains to evade detection.
Theming
The domain names often have a technology or medical theme, which appears innocuous to an observer.
Geofencing and Obfuscation
The C2 servers are geofenced and perform initial checks on the victim's endpoint to avoid analysis in sandbox environments.
Payload Embedding
Secondary payloads are embedded within specific, custom HTML tags (e.g., <headerp>, <article>) of an otherwise benign-looking webpage hosted on the C2 server, requiring the malware to parse the HTML to extract the next stage.
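The payload-embedding habit described above gives a defender a concrete thing to hunt in captured web traffic: a page whose markup contains tag names that are not HTML at all, or a standard tag whose entire body is one opaque encoded blob. The following is an added example written for this profile, not code from the Unit 42 or Hacker News reports; the baseline tag set, the blob heuristic and the constructed SAMPLE_PAGE are assumptions for illustration.

```python
"""Flag HTML responses that stage data inside custom or otherwise unusual tags.

Added example, not code from the Unit 42 or Hacker News reports on AshTag.
The baseline tag set, the blob heuristic and SAMPLE_PAGE below are
assumptions constructed for illustration; feed it captured HTTP response
bodies (proxy captures, Zeek/Suricata file extraction) to find pages that
look like the benign-looking C2 pages described above.
"""
from html.parser import HTMLParser
import re

# Ordinary HTML tag names (a practical subset; extend as needed). A tag
# outside this set, such as <headerp>, is treated as custom.
STANDARD_TAGS = {
    "html", "head", "title", "meta", "link", "style", "script", "body",
    "header", "footer", "nav", "main", "section", "article", "aside",
    "div", "span", "p", "a", "img", "ul", "ol", "li", "h1", "h2", "h3",
    "h4", "h5", "h6", "table", "tr", "td", "th", "thead", "tbody", "form",
    "input", "button", "label", "br", "hr", "strong", "em", "b", "i",
    "small", "pre", "code", "blockquote", "iframe", "noscript", "svg",
}

# Tags that never carry inner text and must not stay on the open-tag stack.
VOID_TAGS = {"br", "hr", "img", "input", "meta", "link", "area", "base",
             "col", "embed", "source", "track", "wbr"}

# An embedded stage usually shows up as one long run of base64/hex-style text.
BLOB_RE = re.compile(r"^[A-Za-z0-9+/=_\-]+$")


class TagCollector(HTMLParser):
    """Collect every tag name seen and the text found directly inside each tag."""

    def __init__(self):
        super().__init__()
        self.stack = []         # currently open tags
        self.tags = set()       # every start tag seen
        self.text_by_tag = {}   # tag -> list of text chunks directly inside it

    def handle_starttag(self, tag, attrs):
        self.tags.add(tag)
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerate sloppy markup.
        while self.stack:
            if self.stack.pop() == tag:
                break

    def handle_data(self, data):
        if self.stack:
            self.text_by_tag.setdefault(self.stack[-1], []).append(data)


def find_staging_tags(html, min_blob_len=64):
    """Return sorted (tag, reason, text_length) findings for one page.

    'custom-tag'   : the tag name is not standard HTML (flagged regardless of content)
    'encoded-blob' : the tag's inner text is one long opaque blob, which also
                     catches payloads hidden in standard tags such as <article>
    """
    parser = TagCollector()
    parser.feed(html)
    findings = []
    for tag in sorted(parser.tags):
        inner = "".join(chunk.strip() for chunk in parser.text_by_tag.get(tag, []))
        if tag not in STANDARD_TAGS:
            findings.append((tag, "custom-tag", len(inner)))
        if len(inner) >= min_blob_len and BLOB_RE.match(inner):
            findings.append((tag, "encoded-blob", len(inner)))
    return findings


# Constructed sample: an innocuous "health feed" page with an opaque blob in <headerp>.
SAMPLE_PAGE = (
    "<html><head><title>Health tips</title></head><body>\n"
    "<header><h1>Daily health feed</h1></header>\n"
    "<article><p>Drink water and sleep well.</p></article>\n"
    "<headerp>" + "QUFB" * 40 + "</headerp>\n"
    "<footer>contact us</footer></body></html>\n"
)

if __name__ == "__main__":
    for tag, reason, length in find_staging_tags(SAMPLE_PAGE):
        print(f"{reason:13} <{tag}> inner text {length} chars")
```

Run over a corpus of response bodies, the "custom-tag" finding is the high-confidence signal (legitimate sites rarely invent tag names); the "encoded-blob" finding is noisier and should be reviewed alongside the requesting host and the domain theming noted above.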
Tools Used
· AshenLoader
· AshTag malware suite
TTPs
· (TA0001) Initial Access: Spear-phishing emails containing malicious attachments/lures.
· (TA0005) Defense Evasion: DLL search order hijacking/sideloading (AshenLoader).
· (TA0002) Execution: Execution of AshTag backdoor.
· (TA0011) Command and Control: Communication with C2 servers for data exfiltration.
Malware Names
· AshenLoader
· AshTag
Malware Samples
AshenLoader variant one
sha256
f554c43707f5d87625a3834116a2d22f551b1d9a5aff1e446d24893975c431bc
URL Link to sample
· hxxps://www.virustotal.com/gui/file/f554c43707f5d87625a3834116a2d22f551b1d9a5aff1e446d24893975c431bc/details
AshenLoader variant two
sha256
f9816bc81de2e8639482c877a8defcaed9b15ffdce12beaef1cff3fea95999d4
URL Link to sample
· hxxps://www.virustotal.com/gui/file/f9816bc81de2e8639482c877a8defcaed9b15ffdce12beaef1cff3fea95999d4
CVEs and CVSS Vectors
· Not applicable
o The activity relies on social engineering and DLL sideloading rather than exploitation of a vulnerability
Nessus ID
· Not applicable
Suggested rules / potential hunts
Suggested Suricata Rules
Rules detecting suspicious outbound C2 traffic patterns associated with known AshTag domains (check vendor reports for current C2s).
Suggested SentinelOne Rules
Behavioral rules detecting unusual DLL loading sequences or attempts to make outbound connections from standard diplomatic/government systems.
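What an "unusual DLL loading sequence" looks like in telemetry can be stated as a heuristic: a DLL loaded from the same directory as its host process, outside the Windows or Program Files trees, that is unsigned or carries the name of a Windows system DLL. The following is an added example written for this profile, not a SentinelOne rule and not from the WIRTE reports; the records are constructed to resemble Sysmon Event ID 7 fields, and the field names, paths and the list of commonly shadowed DLL names are assumptions.

```python
"""Heuristic for DLL search-order hijacking / sideloading in image-load telemetry.

Added example, not a SentinelOne rule and not from the WIRTE reports. The
records below are constructed to resemble Sysmon Event ID 7 (Image Load)
fields; the field names, paths and the list of commonly shadowed DLL names
are assumptions used for illustration.
"""
import ntpath

# Directories where a DLL sitting beside its host executable is expected.
TRUSTED_DIRS = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Windows DLL names that are frequently shadowed by a malicious copy placed
# next to a signed, legitimate executable (illustrative list, not exhaustive).
COMMONLY_SHADOWED = {
    "version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptbase.dll",
    "userenv.dll", "msimg32.dll", "dwmapi.dll", "iphlpapi.dll",
}


def assess(event):
    """Return a list of reasons the load looks like sideloading, or [] if benign.

    Base condition: the DLL lives in the same directory as the host process
    and that directory is outside the trusted install locations. On top of
    that at least one aggravating signal is required.
    """
    proc = event["Image"].lower()
    dll = event["ImageLoaded"].lower()
    same_dir = ntpath.dirname(proc) == ntpath.dirname(dll)
    untrusted = not dll.startswith(TRUSTED_DIRS)
    if not (same_dir and untrusted):
        return []
    reasons = []
    signed_ok = (event.get("Signed", "false").lower() == "true"
                 and event.get("SignatureStatus", "").lower() == "valid")
    if not signed_ok:
        reasons.append("dll-unsigned-or-invalid-signature")
    if ntpath.basename(dll) in COMMONLY_SHADOWED:
        reasons.append("dll-name-shadows-windows-dll")
    return ["same-dir-outside-trusted-path"] + reasons if reasons else []


def hunt(events):
    """Return [(Image, ImageLoaded, reasons)] for every flagged event."""
    out = []
    for ev in events:
        reasons = assess(ev)
        if reasons:
            out.append((ev["Image"], ev["ImageLoaded"], reasons))
    return out


# Constructed image-load records (Sysmon Event ID 7 style fields).
SAMPLE_EVENTS = [
    {   # legitimate: system DLL from System32, valid signature
        "Image": r"C:\Windows\System32\svchost.exe",
        "ImageLoaded": r"C:\Windows\System32\version.dll",
        "Signed": "true", "SignatureStatus": "Valid",
    },
    {   # classic sideload shape: unsigned version.dll dropped beside a helper exe in Temp
        "Image": r"C:\Users\alice\AppData\Local\Temp\update\helper.exe",
        "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\update\version.dll",
        "Signed": "false", "SignatureStatus": "Unavailable",
    },
    {   # same-dir load from a user path, but signed and not a shadowed name: not flagged
        "Image": r"C:\Users\bob\Downloads\viewer.exe",
        "ImageLoaded": r"C:\Users\bob\Downloads\render.dll",
        "Signed": "true", "SignatureStatus": "Valid",
    },
    {   # vendor plugin under Program Files: trusted location, not flagged
        "Image": r"C:\Program Files\Vendor\app.exe",
        "ImageLoaded": r"C:\Program Files\Vendor\plugin.dll",
        "Signed": "true", "SignatureStatus": "Valid",
    },
]

if __name__ == "__main__":
    for image, dll, reasons in hunt(SAMPLE_EVENTS):
        print(f"{image} loaded {dll}: {', '.join(reasons)}")
```

The base condition alone (same directory, user-writable path) fires on plenty of portable software, which is why the heuristic demands a second signal before reporting; in an EDR the same logic is usually paired with a check that the host executable is signed by a well-known vendor while the DLL is not.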
Suggested Splunk Hunts
index=* (source=*email* OR source=*proxy*) ("spear-phishing" OR "AshenLoader" OR "AshTag") | stats count by source_address, recipient
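Because the group places its C2 on subdomains of existing domains, a hunt should match on the registrable (apex) domain as well as the exact hostnames listed under IOCs, so that a newly registered subdomain on the same apex is still caught. The following is an added example for this profile, not from the reports or a product rule: the three hostnames are the ones listed above, while the proxy log format, the sample lines (including the constructed cdn. subdomain used to exercise the apex match) and the apex extraction (last two labels, no public-suffix list) are assumptions.

```python
"""Hunt proxy/DNS logs for the AshTag C2 hostnames and their apex domains.

Added example, not from the reports or a product rule. The IoC hostnames
are the ones listed in this profile; the log format, the sample lines and
the apex extraction (last two labels, no public-suffix list) are
assumptions constructed for illustration.
"""
import re

# Defanged exactly as they appear in the profile.
DEFANGED_IOCS = [
    "api.healthylifefeed[.]com",
    "api.softmatictech[.]com",
    "auth.onlinefieldtech[.]com",
]


def refang(host):
    """Turn a defanged hostname back into a matchable one."""
    return host.replace("[.]", ".").lower()


def defang(host):
    """Render a hostname in the profile's defanged style (last dot bracketed)."""
    head, _, tld = host.rpartition(".")
    return f"{head}[.]{tld}" if head else host


def apex(host):
    """Registrable domain approximated as the last two labels (assumption)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


IOC_HOSTS = {refang(h) for h in DEFANGED_IOCS}
IOC_APEX = {apex(h) for h in IOC_HOSTS}

# Constructed proxy log: "<ts> <client_ip> <dest_host> <method> <uri> <status>".
# cdn.softmatictech.com is a made-up subdomain used only to show the apex match.
SAMPLE_LOG = """\
2025-12-11T08:01:02Z 10.20.30.41 www.example.org GET /index.html 200
2025-12-11T08:02:10Z 10.20.30.41 api.healthylifefeed.com GET /news/latest.html 200
2025-12-11T08:03:15Z 10.20.30.57 cdn.softmatictech.com GET /static/app.js 200
2025-12-11T08:04:20Z 10.20.30.41 auth.onlinefieldtech.com POST /login 200
2025-12-11T08:05:30Z 10.20.30.99 updates.microsoft.com GET /ping 304
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")


def hunt(log_text):
    """Return [(ts, client_ip, defanged_host, match_kind)] for lines hitting an IoC.

    match_kind is 'exact' for a listed hostname and 'apex' for another
    subdomain of the same registrable domain (the group's subdomain habit).
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, client, host = m.group(1), m.group(2), m.group(3).lower()
        if host in IOC_HOSTS:
            kind = "exact"
        elif apex(host) in IOC_APEX:
            kind = "apex"
        else:
            continue
        hits.append((ts, client, defang(host), kind))
    return hits


if __name__ == "__main__":
    for ts, client, host, kind in hunt(SAMPLE_LOG):
        print(f"{ts} {client} -> {host} ({kind})")
```

The 'apex' hits are the ones the exact-match Splunk search above would miss; they warrant a look at the destination's registration history and whether the apex is an established site that the group has parked a subdomain on, as the C2 section describes.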
Delivery Method
Spear-phishing emails with malicious attachments leading to DLL sideloading.
Email Samples
· Lures often related to government/diplomatic themes
References
The Hacker News
· hxxps://thehackernews.com/2025/12/wirte-leverages-ashenloader-sideloading.html
Unit 42
· hxxps://unit42.paloaltonetworks.com/hamas-affiliate-ashen-lepus-uses-new-malware-suite-ashtag
VirusTotal
· hxxps://www.virustotal.com/gui/file/f554c43707f5d87625a3834116a2d22f551b1d9a5aff1e446d24893975c431bc/details
· hxxps://www.virustotal.com/gui/file/f9816bc81de2e8639482c877a8defcaed9b15ffdce12beaef1cff3fea95999d4