Hamas-linked hackers escalate covert espionage campaign even after Gaza ceasefire.
Palo Alto Networks has published new evidence of a sustained espionage campaign by Ashen Lepus, a Hamas-linked threat group that has expanded its operations across the Middle East. Rather than winding down after the October 2025 Gaza ceasefire, the group accelerated: it deployed upgraded malware, pushed deeper into victim networks, and kept up hands-on-keyboard activity inside breached systems.
Active since 2018, Ashen Lepus historically targeted the Palestinian Authority, Egypt, and Jordan; it has now added victims in Oman, Morocco, and Turkey. Despite the wider geographic reach, the group still relies on geopolitical lures, especially narratives around Palestinian politics, to get targets to open its files. Recent phishing decoys referenced Turkish defense issues, alleged Hamas training sites in Syria, and shifting Palestinian political calculations.
The infection chain is still multi-stage, but several stages have been reworked to evade defenses. An attack begins with an innocuous PDF that directs the target to download a RAR archive. The archive holds an executable disguised as a document, the malicious loader DLL, and a decoy document. When the target runs the executable, it picks up the planted DLL through DLL side-loading and starts an upgraded AshenLoader, which opens the decoy in the foreground while the real payload runs in the background. For defenders, the side-loading step is the one worth hunting: the visible process is the program being side-loaded rather than anything obviously malicious, so look for executables loading DLLs from user-writable locations such as a freshly extracted archive folder.
A key change is in the command-and-control design. Rather than using infrastructure that looks attacker-owned, Ashen Lepus now registers API-styled and authentication-themed subdomains under benign-looking medical and technology domain names, so beacons blend into ordinary web traffic. Many servers are geofenced to block analysis systems, and second-stage payloads are embedded inside HTML tags in the returned pages rather than served as obvious binaries. The servers check the client's geolocation and a specific User-Agent string before serving anything malicious, so a sandbox or researcher fetching the URL from the wrong region or with a default User-Agent sees only a harmless page.
At the center of the campaign is AshTag, a new modular .NET backdoor that can exfiltrate files, load additional tooling, and run entirely in memory. The full chain runs AshenLoader, then a staging component called AshenStager, then AshenOrchestrator, which pulls hidden modules out of retrieved webpage content and finally executes AshTag. The modules supply capabilities such as screen capture, persistence, host fingerprinting, and covert file operations.
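The two points above, C2 responses that carry the next stage inside ordinary HTML tags and an orchestrator that pulls hidden modules out of fetched webpage content, suggest a simple defensive counterpart: take the page a suspected beacon retrieved, scan its attributes and comments for long base64 runs, decode them, and keep the ones whose byte entropy says they are encrypted or packed rather than text. The Python below is an added example written for this article, not Unit 42's code or an Ashen Lepus sample; the page markup, the attribute name `data-token`, the entropy threshold and the SHA-256-derived stand-in for an encrypted module are all constructed for the demo, and the real hiding scheme may use different tags or encodings.

```python
"""Triage HTML for payloads hidden in tags: added example, not Unit 42 tooling.

Constructed demo data throughout; nothing here is a real Ashen Lepus artifact.
"""
import base64
import hashlib
import math
import re
from collections import Counter

# HTML comments, attribute="value" pairs, and long base64 runs (64+ chars).
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
ATTR_RE = re.compile(r'([A-Za-z_:][-\w:.]*)\s*=\s*"([^"]*)"')
B64_RE = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted/compressed data, 4 to 5 for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def candidate_blobs(html: str):
    """Yield (location, blob) for every long base64 run in a comment or attribute."""
    for m in COMMENT_RE.finditer(html):
        for blob in B64_RE.findall(m.group(1)):
            yield "comment", blob
    for m in ATTR_RE.finditer(html):
        for blob in B64_RE.findall(m.group(2)):
            yield f"attr:{m.group(1)}", blob


def extract_hidden_payloads(html: str, entropy_threshold: float = 6.0):
    """Decode each candidate and keep those that look encrypted or packed.

    Returns dicts with the blob's location, decoded size, entropy and raw bytes,
    ready to try against a known key (e.g. the AES-CTR keys published as IOCs).
    The 6.0 threshold is an assumption chosen for the demo, not a vendor value.
    """
    findings = []
    for location, blob in candidate_blobs(html):
        padded = blob + "=" * (-len(blob) % 4)  # tolerate stripped padding
        try:
            raw = base64.b64decode(padded, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        ent = shannon_entropy(raw)
        if ent >= entropy_threshold:
            findings.append({"location": location, "size": len(raw),
                             "entropy": round(ent, 2), "data": raw})
    return findings


# Constructed sample: 512 pseudo-random bytes stand in for an encrypted module;
# the meta description carries ordinary base64 text that must NOT be flagged.
ENCRYPTED_MODULE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))
BENIGN_TEXT = (b"Plain marketing copy that a legitimate site might base64-encode "
               b"for a widget, nothing hidden here.")

SAMPLE_HTML = f"""<!doctype html>
<html><head><title>Patient Portal</title>
<!-- build: YWJjZGVm -->
<meta name="description" content="{base64.b64encode(BENIGN_TEXT).decode()}">
</head><body>
<div id="app" data-token="{base64.b64encode(ENCRYPTED_MODULE).decode()}">Loading...</div>
</body></html>"""


if __name__ == "__main__":
    for f in extract_hidden_payloads(SAMPLE_HTML):
        print(f"{f['location']}: {f['size']} bytes, entropy {f['entropy']}")
```

Run it against the HTML a proxy captured from a suspect API-styled subdomain; a hit gives you the raw bytes to try against the published keys. Legitimately embedded binaries (inline fonts, images) will also score high, so treat a hit as a triage signal rather than a verdict, and remember that the same server may have handed the capture box a clean page if it was fetched from the wrong region or with the wrong User-Agent.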
Investigators also found the operators working interactively inside compromised networks. Using Rclone, a legitimate command-line sync tool that is widely abused for exfiltration because its transfers look like ordinary cloud storage traffic, Ashen Lepus pulled diplomatic documents straight out of victims' mail systems, consistent with Hamas-aligned intelligence-collection priorities.
Over the course of 2025 the group reworked its malware extensively: adding AES-256 encryption in CTR mode, expanding host fingerprinting, rotating its C2 layout, and changing URL patterns to evade detection. Functionality is broadly unchanged; the refinements are about stealth.
Palo Alto Networks has published indicators of compromise, including the encryption keys, malware hashes, scheduled task names, and C2 domains. Because the C2 servers gate their responses on client geolocation and User-Agent, fetching a listed domain from an analysis system may return only benign content; the absence of a payload is not evidence that a domain is clean. The company warns that Ashen Lepus remains highly active and expects it to intensify its collection against regional political developments, particularly those affecting Israel and its allies.
The findings have been shared with the Cyber Threat Alliance, and security authorities across the Middle East, especially Israeli and diplomatic agencies, have been urged to step up monitoring and prepare for continued Hamas-linked cyber activity.
