
Hamas-affiliated APT targeting government agencies in the Middle East, Morocco

A hacking group allegedly affiliated with Palestinian armed group Hamas is accused of using malware-laden documents to breach government and diplomatic entities tied to Oman, Morocco and the Palestinian Authority. 

Palo Alto Networks’ Unit 42 issued a report on Thursday about a group it refers to as Ashen Lepus. A spokesperson for the company told Recorded Future News that it attributed the group to Hamas based on years of profiling their activity, which they said “shows a consistent alignment with Hamas's strategic interests.”

Unit 42 said the recent activity involved a new strain of malware it calls AshTag, which has allowed the group to steal information from key entities across the Middle East. The report said Ashen Lepus has demonstrated increasing sophistication since 2020, developing more advanced hacking tactics that include infrastructure obfuscation and other new tools.

The malware is typically tied to legitimate documents about Turkey’s involvement with Palestinian entities. While other Hamas-affiliated threat activity has decreased throughout the Israel-Hamas conflict, Ashen Lepus remains persistently active, even following the October 2025 ceasefire. 

The AshTag malware has been used for several years and was still being used in attacks after the Gaza ceasefire announced in October. Unit 42 saw hands-on activity within certain victim environments after the ceasefire. The malware allows the hackers to extract files, download content onto victim devices and take further actions. 

The most recent campaign has used documents focused on Turkey’s relationship with Palestinian political entities, which the researchers said is a shift that suggests Turkish entities may be a new area of operational interest.

The lures included documents with titles related to partnerships between Morocco and Turkey, Turkish defense initiatives, Hamas activities in Syria and Palestinian government efforts.

The attacks begin with an infected PDF decoy file that guides targets to download a RAR archive containing a malicious payload.

The group has made several changes to improve its operational security, using different tactics to blend its activity in with benign network activity.

In multiple cases, the group conducted hands-on-keyboard data theft after using the malware to gain access to victim systems. Unit 42 found the threat actors downloading documents directly from a victim’s email account in one instance — with a focus on obtaining specific, diplomacy-related documents.

“Ashen Lepus remains a persistent espionage actor, demonstrating a clear intent to continue its operations throughout the recent regional conflict — unlike other affiliated threat groups, whose activity significantly decreased,” the researchers said. 

“The threat actors’ activities throughout the last two years in particular highlight their commitment to constant intelligence collection.”

Other cybersecurity firms have tracked the group’s activity under the name “WIRTE” and have linked it to larger groups like Gaza Cybergang and Molerats. Researchers previously tied Hamas-affiliated hackers to a strain of malware called SysJoker that targeted Israeli educational institutions.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.