Hamas-affiliated APT targeting government agencies in the Middle East, Morocco
Summary
Palo Alto Networks Unit 42 has attributed persistent espionage activity to a group it calls “Ashen Lepus,” which it links to Hamas based on long-term profiling. The group has been using a malware suite named AshTag to compromise government and diplomatic targets in Oman, Morocco and the Palestinian Authority.
The campaign uses malicious decoy documents — often legitimate-looking PDFs tied to Turkey’s interactions with Palestinian entities — to trick victims into downloading a RAR archive that contains the payload. Once deployed, AshTag enables data exfiltration, file download and further hands-on-keyboard activity. Unit 42 observed the group remaining active and conducting targeted theft even after the October 2025 ceasefire.
Key Points
- Unit 42 has tracked an actor named Ashen Lepus and attributes its activity to Hamas based on profiling and the alignment of its objectives with Hamas's strategic interests.
- New and evolving AshTag malware was used to infiltrate government and diplomatic networks in Oman, Morocco and the Palestinian Authority.
- Attack lures are legitimate-looking documents focusing on Turkey’s relations with Palestinian organisations, suggesting a possible shift toward Turkish-related targets.
- Infection chain: infected PDF decoy -> link to RAR archive -> malicious payload deployment.
- The actors have improved their operational security and use tactics that blend malicious actions with normal network behaviour.
- Post-compromise activity often included manual data theft; researchers observed direct downloads from victims’ email accounts targeting diplomacy-related documents.
- Other vendors have tracked the group under names like WIRTE and linked it to larger clusters such as Gaza Cybergang and Molerats.
Content summary
Ashen Lepus has been active and increasingly sophisticated since 2020, using AshTag to conduct espionage against Middle Eastern government and diplomatic targets. The recent campaign emphasises Turkish-Palestinian topics as decoys, pointing to evolving operational interest.
Unit 42 found evidence of ongoing hands-on-keyboard operations after the Gaza ceasefire, with targeted exfiltration of diplomacy-related documents. The group’s tactics include document lures, archive-delivered payloads and improved blending techniques to evade detection.
Context and relevance
This report matters because it highlights a persistent, state-aligned espionage actor operating during and after regional hostilities. The focus on diplomatic materials and Turkey-related lures signals a shift in intelligence priorities and possible new targets.
For security teams, the findings reinforce the need for robust email and document inspection, archive-handling policies, and monitoring for manual post-compromise activity. For policymakers and diplomats, it underscores that sensitive communications remain high-value targets even during ceasefires.
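The document inspection mentioned above can start with the one step of the chain this summary describes: a PDF whose link points at a RAR archive. The following Python is an added example, not code from Unit 42 or the source article; it assumes link targets are stored as literal-string /URI entries, and the extension list beyond .rar and the sample URLs are constructed.

```python
import re
import zlib
from urllib.parse import urlsplit

# .rar is the archive type named in the report; the other extensions are an assumption.
ARCHIVE_EXTS = (".rar", ".zip", ".7z", ".iso")
URI_RE = re.compile(rb"/URI\s*\((.*?)(?<!\\)\)", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def inflated_streams(pdf: bytes):
    """Yield the inflated body of each stream that decodes as Flate."""
    for m in STREAM_RE.finditer(pdf):
        try:
            # decompressobj tolerates a clipped trailer; other filters raise and are skipped
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue


def archive_links(pdf: bytes) -> list[str]:
    """Return link targets whose URL path ends in an archive extension."""
    hits = []
    # Links may sit in plain objects or inside compressed object streams, so scan both.
    for blob in (pdf, *inflated_streams(pdf)):
        for m in URI_RE.finditer(blob):
            raw = m.group(1).replace(b"\\(", b"(").replace(b"\\)", b")")
            url = raw.decode("latin-1")
            # Compare the path only, so a query string cannot hide the extension.
            if urlsplit(url).path.lower().endswith(ARCHIVE_EXTS) and url not in hits:
                hits.append(url)
    return hits


def sample_pdf() -> bytes:
    """Constructed input: one plain link annotation and two links in a Flate stream."""
    plain = (b"1 0 obj\n<< /Type /Annot /Subtype /Link "
             b"/A << /S /URI /URI (https://files.example/briefing.rar?id=7) >> >>\nendobj\n")
    packed = zlib.compress(b"<< /S /URI /URI (https://news.example/article.html) >> "
                           b"<< /S /URI /URI (https://cdn.example/docs/report.RAR) >>")
    stream = (b"2 0 obj\n<< /Type /ObjStm /Filter /FlateDecode >>\nstream\n"
              + packed + b"\nendstream\nendobj\n")
    return b"%PDF-1.7\n" + plain + stream + b"%%EOF\n"


if __name__ == "__main__":
    for link in archive_links(sample_pdf()):
        print("archive link in PDF:", link)
```

A hit is a triage signal for mail or proxy review rather than a verdict, since legitimate documents also link to archives.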
Author style
Punchy: this is a concise, high-stakes briefing. Read the details if you manage security for government or diplomatic networks; the operational changes Ashen Lepus has adopted raise the bar for detection and response.
Why should I read this
It’s short and sharp: a skilled espionage group tied to Hamas is still actively stealing diplomatic material across the region and has shifted its lures toward Turkish-related subjects. If you look after security, comms or diplomacy, this has direct implications for how you handle incoming documents and archives. We’ve done the skim so you don’t have to.
Source
Source: https://therecord.media/hamas-apt-targeting-government-agencies
