Hamas-Linked Cyber Unit Escalates Espionage Across Middle East, Unleashes New Malware

A Hamas-aligned cyber-espionage group has dramatically expanded its intelligence-gathering campaign across the Middle East, deploying newly engineered malware and conducting hands-on intrusions inside government and diplomatic networks, according to new research from Palo Alto Networks.

The group, known as Ashen Lepus, has operated since 2018 but intensified its activity throughout the Israel-Hamas war and continued accelerating even after the October 2025 ceasefire. Investigators say the group’s campaigns now reach far beyond traditional targets in the Palestinian Authority, Egypt, and Jordan, with confirmed operations in Oman and Morocco and a growing focus on Turkey. Many of the phishing lures remain tied to regional geopolitical tensions, such as alleged Hamas training in Syria and Turkish defense documents.

Palo Alto reports that Ashen Lepus has rebuilt its infection chain with a multilayered architecture designed to evade detection. Victims are drawn in by benign-looking PDFs that redirect them to download archives containing disguised binaries and decoy documents. Once launched, these files trigger DLL side-loading, activating upgraded versions of AshenLoader, which secretly executes malicious processes while displaying harmless content.

The group has also shifted to more sophisticated command-and-control infrastructure, registering subdomains disguised as API or authentication endpoints to blend in with legitimate traffic. Many servers are geofenced to block automated analysis systems, and secondary payloads are embedded within HTML, with responses gated by geolocation and device fingerprinting.

At the center of the new toolkit is AshTag, a modular .NET-based backdoor capable of exfiltrating files, executing additional payloads entirely in memory, and enabling persistent surveillance. AshTag is delivered through an orchestrated sequence of components, including AshenStager and AshenOrchestrator, which decode and activate hidden modules capable of system profiling and screen capture.

Investigators say the group conducted hands-on activity inside compromised networks, staging documents in public folders and exfiltrating diplomatic materials using Rclone, a legitimate file-transfer tool whose ordinary use helps mask the intrusion.

Palo Alto warns that Ashen Lepus is rapidly refining its tools, adopting stronger encryption and frequently reworking its infrastructure to stay ahead of detection. The company has shared indicators of compromise with the Cyber Threat Alliance and urged regional governments to remain vigilant as the group continues expanding its operations and intelligence objectives.

(YWN World Headquarters – NYC)
