Hamas-Linked Hackers Probe Middle Eastern Diplomats
A cyber threat group affiliated with Hamas has been conducting espionage across the Middle East.
"Wirte" — tracked by Palo Alto's Unit 42 as "Ashen Lepus" — has been spying on regional government bodies and diplomatic entities since 2018. Lately, it's been expanding its interests into countries less directly associated with the Israel-Palestine conflict, like Oman and Morocco. And to match its broadening scope, Wirte has invented a new malware suite with a variety of features useful for evading cybersecurity programs.
"When the group first started they used very simple tools — it didn't seem like the people behind the group had a lot of technical know-how," say Unit 42 researchers, who requested anonymity for this article. "However, over the years we've seen this group evolve their tools and techniques; we're now observing an evolution and enhancement in their capabilities."
Hamas's New Malware & TTPs
The Wirte playbook is in most ways textbook cyber espionage. Victims receive phishing emails with PDFs relating to the Israel-Palestine conflict. When they follow a link in the PDF, they reach a file-sharing service with a RAR archive waiting. Should they continue, they'll trigger a dynamic link library (DLL) sideloading attack in the background of their machine. They'll then see the document they were after, while Wirte's infection chain quietly commences. Eventually, the hackers will perform hands-on-keyboard activity to steal documents of diplomatic and political significance.
Oddly, Unit 42 found that early Wirte campaigns didn't actually deliver full and complete payloads. They concluded that "previous campaigns observed in the wild were a testing phase in the development of the attack chain," which has only now come into its own with the introduction of a fully formed malware suite called "AshTag."
AshTag consists of a loader, a stager, and a backdoor that can install a variety of add-on modules, in that order. Like any good espionage suite, these components were designed with stealth in mind.
For example, when it's time for the loader to pull the stager from Wirte's command-and-control (C2) infrastructure, it doesn't just find that payload sitting idly on a web page. Instead, it's embedded within the page, sandwiched between HTML header tags, and the loader parses the outwardly benign HTML to extract it.
The backdoor takes this trick one step further: the modules it downloads can only be found by reading commented-out tags within the malicious domain's HTML — spots where most detection programs don't look. Wirte also diligently encrypts its payloads, and when published research reveals its current methods, it switches them up.
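The two hiding spots the article describes (a stager between header tags, modules inside HTML comments) are both places a proxy or sandbox can inspect cheaply. The scanner below is an added example written for this article, not Unit 42's tooling and not an AshTag artefact: it walks fetched HTML with the standard-library parser and flags long base64-alphabet runs with high Shannon entropy that sit inside comments or inside head/header/h1-h6 elements. The 64-character minimum, the 4.5 bits-per-character cut-off, the reading of "header tags" as head/header/h1-h6, and both sample pages are constructed assumptions.

```python
"""Heuristic scanner for payload blobs hidden in HTML comments and header tags.

Added example for this article; not Unit 42's code. Thresholds and sample
pages are constructed assumptions, not Wirte/AshTag artefacts.
"""
import base64
import math
import random
import re
from dataclasses import dataclass
from html.parser import HTMLParser

# Candidate "blob": a run of 64+ base64-alphabet characters (assumed threshold).
BLOB_RE = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
# Base64 of encrypted data scores near 6 bits/char; prose scores around 4.
ENTROPY_THRESHOLD = 4.5  # assumed cut-off
# Comments are handled separately; "header tags" is taken to mean these elements.
WATCHED_TAGS = {"head", "header", "h1", "h2", "h3", "h4", "h5", "h6"}


@dataclass
class Finding:
    location: str   # "comment" or "tag:<name>"
    length: int
    entropy: float
    preview: str


def shannon_entropy(text: str) -> float:
    """Bits per character of the string (0.0 for empty input)."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


class HiddenPayloadScanner(HTMLParser):
    """Collects high-entropy blobs found in comments or inside watched tags."""

    def __init__(self):
        super().__init__()
        self._open = []        # stack of currently open tag names
        self.findings = []

    def handle_starttag(self, tag, attrs):
        self._open.append(tag)

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerate sloppy, unclosed markup.
        if tag in self._open:
            while self._open and self._open.pop() != tag:
                pass

    def handle_comment(self, data):
        self._check("comment", data)

    def handle_data(self, data):
        watched = [t for t in self._open if t in WATCHED_TAGS]
        if watched:
            self._check("tag:" + watched[-1], data)

    def _check(self, location, text):
        for blob in BLOB_RE.findall(text):
            ent = shannon_entropy(blob)
            if ent >= ENTROPY_THRESHOLD:
                self.findings.append(
                    Finding(location, len(blob), round(ent, 2), blob[:24] + "..."))


def scan_html(page: str) -> list:
    """Return Finding objects for suspicious blobs in a fetched page."""
    scanner = HiddenPayloadScanner()
    scanner.feed(page)
    scanner.close()
    return scanner.findings


def _fake_blob(seed: int, nbytes: int) -> str:
    """Deterministic stand-in for an encrypted payload (constructed sample data)."""
    rng = random.Random(seed)
    raw = bytes(rng.getrandbits(8) for _ in range(nbytes))
    return base64.b64encode(raw).decode()


# Constructed sample pages; these are not real infrastructure.
BENIGN_PAGE = """<html><head><title>Regional Affairs Bulletin</title>
<!-- generated by the site builder on 2024-01-01 -->
</head><body><h1>Weekly briefing</h1><p>Nothing to see here.</p></body></html>"""

STAGED_PAGE = """<html><head><title>Regional Affairs Bulletin</title></head>
<body><h1>%s</h1><p>Weekly briefing</p>
<!-- module: %s -->
</body></html>""" % (_fake_blob(1, 96), _fake_blob(2, 150))


if __name__ == "__main__":
    for name, page in (("benign", BENIGN_PAGE), ("staged", STAGED_PAGE)):
        for f in scan_html(page):
            print(name, f.location, f.length, f.entropy, f.preview)
```

Run against the staged page it reports one hit in the h1 element and one in the comment; the benign page produces none. The check is deliberately a heuristic: inline scripts or data URIs in a `<head>` can also contain long high-entropy runs, so in production the findings should be correlated with the requesting process and with the fact that the same host was contacted by a freshly sideloaded DLL, rather than blocked on their own.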
Wirte's Place in the Palestine Conflict
Wirte stands out from other Hamas-affiliated advanced persistent threats (APTs) for at least a couple of reasons.
Most notably, it has defied all Israeli war efforts in Gaza. Most Hamas-affiliated groups went silent during the war. But even as the Israel Defense Forces (IDF) took sledgehammers to the Gaza Strip, systematically throttled its electricity, and even bombed Hamas-affiliated hackers, Wirte appears to have continued unabated.
Though they aren't certain, Unit 42 researchers say "the group's continuous activity throughout the conflict indeed suggests that they may be operating from outside Gaza. It could be that they're operating from the West Bank or from other countries."
That Wirte appears a step removed from the thick of the Gaza conflict might also help explain why, compared to other Hamas affiliates, it freely targets more diverse Middle Eastern governments. More often than not, it's still focused on targets most closely associated with the Israel-Palestine conflict, like Egypt, Jordan, and the Palestinian Authority itself, which is based in the West Bank and stands in opposition to Hamas. But Wirte seems to be bucking that trend nowadays.
Wirte's latest activity is still intrinsically tied to Palestinian affairs. Its social engineering bait makes frequent references to Hamas itself, and the ways in which regional governments like Turkey are engaged in the conflict. But the researchers report that "we have observed scores of unique lures deployed across the Middle East, indicating a persistent and wide-reaching campaign."
Here, "wide-reaching" can be understood both in the literal and figurative sense. Oman and Turkey are about as geographically distant from Israel as one can get, in opposite directions, while still being considered Middle Eastern (and Morocco's capital, Rabat, is closer to Oslo than to Jerusalem). And while Turkey's president has involved himself in the Palestinian conflict in recent years, Oman and Morocco have kept some distance.
"The expansion of Ashen Lepus’s victimology beyond their traditional geographic targets, coupled with new lure themes, suggests a broadening of its operational scope," Unit 42 wrote in its report. "Organizations in the Middle East, particularly in the governmental and diplomatic sectors, should remain vigilant against this evolving threat."
Reference: https://www.darkreading.com/