WIRTE’s AshenLoader Sideloading Tactics Unveiled in Middle East Cyber Espionage
The cyber espionage group known as WIRTE has been actively targeting government and diplomatic entities across the Middle East with a sophisticated malware suite named AshTag. This campaign, ongoing since 2020, has recently expanded its reach to include countries such as Oman and Morocco, indicating a broadening of its operational scope beyond its initial focus on the Palestinian Authority, Jordan, Iraq, Saudi Arabia, and Egypt.
Palo Alto Networks’ Unit 42, tracking this activity under the moniker Ashen Lepus, has identified numerous unique lures disseminated throughout the Middle East. These findings suggest a persistent and extensive campaign aimed exclusively at government and diplomatic entities in the region. While over a dozen entities are confirmed targets, the actual number is likely higher.
Notably, Ashen Lepus maintained its operations throughout the Israel-Hamas conflict, distinguishing itself from other affiliated groups whose activities diminished during the same period. Even after the October 2025 Gaza ceasefire, the group continued its campaign, deploying newly developed malware variants and engaging in direct activities within victim environments.
WIRTE, overlapping with the Arabic-speaking, politically motivated cluster known as Gaza Cyber Gang (also referred to as Blackstem, Extreme Jackal, Molerats, or TA402), has been active since at least 2018. According to Cybereason, both Molerats and APT-C-23 (also known as Arid Viper, Desert Varnish, or Renegade Jackal) are primary sub-groups of Hamas’s cyberwarfare division. WIRTE’s primary objective is espionage and intelligence collection, targeting government entities in the Middle East to fulfill its strategic goals.
The connection between WIRTE (Ashen Lepus) and the broader Gaza Cyber Gang is primarily evidenced by code overlaps and similarities. This suggests that while they operate independently, the tools were developed by closely related entities, likely sharing development resources. There is also observed overlap in other groups’ victimology.
In November 2024, Check Point attributed the hacking group to destructive attacks exclusively aimed at Israeli entities, infecting them with a custom wiper malware referred to as SameCoin. This highlights WIRTE’s ability to adapt and execute both espionage and sabotage operations.
The long-running, elusive campaign detailed by Unit 42, dating back to 2018, has been found to leverage phishing emails with lures related to geopolitical affairs in the region. A recent increase in lures related to Turkey—such as Partnership agreement between Morocco and Turkey or Draft resolutions concerning the State of Palestine—suggests that entities in Turkey may be a new area of focus.
The attack chains commence with a harmless PDF decoy that tricks recipients into downloading a RAR archive from a file-sharing service. Opening the archive triggers a sequence of events leading to the deployment of AshTag. This involves using a renamed benign binary to sideload a malicious DLL dubbed AshenLoader. In addition to opening a decoy PDF file to maintain the ruse, AshenLoader contacts an external server to drop two more components: a legitimate executable and a DLL payload called AshenStager (also known as stagerx64). This payload is sideloaded to launch the malware suite in memory, minimizing forensic artifacts.
AshTag is a modular .NET backdoor designed to facilitate various espionage activities, including data exfiltration and system manipulation. Its modular nature allows for the addition of new capabilities, making it a versatile tool in WIRTE’s arsenal.
The use of DLL sideloading techniques, as seen with AshenLoader, is a common strategy among advanced persistent threats (APTs) to evade detection. By leveraging legitimate executables to load malicious DLLs, attackers can bypass security measures that rely on identifying known malicious files. This method has been employed by various threat actors to maintain persistence and execute malicious code stealthily.
The persistence and adaptability of WIRTE underscore the evolving nature of cyber threats in the Middle East. Their ability to develop and deploy new malware variants, coupled with sophisticated delivery mechanisms, highlights the need for robust cybersecurity measures and continuous vigilance among targeted entities.
As the geopolitical landscape continues to shift, it is imperative for organizations, especially those in government and diplomatic sectors, to stay informed about emerging threats and implement comprehensive security strategies to mitigate potential risks.
