AshTag modular .NET backdoor deployment via sideloading
Malware Activity
Summary
Hide ▲
Show ▼
The AshTag backdoor was deployed through DLL sideloading and in-memory execution, enabling persistence and remote command execution in targeted environments. It also disguised itself as a legitimate VisualServer utility and used loader/stager components to keep the intrusion covert. The malware’s capabilities included screen capture, file management, and system fingerprinting, increasing the operator’s ability to spy and move laterally inside victim systems.
Related Happenings
GigaWiper / BLUERABBIT destructive Windows backdoor activity
Malware Activity
H score31
First: 09.07.2026 21:08
Last: 09.07.2026 21:08
Sources 1
About this happening:
The **GigaWiper / BLUERABBIT** malware activity now combines **disk wiping**, **fake ransomware**, and **spyware backdoor** functions on **Windows**, increasing the chance that on...
GigaWiper / BLUERABBIT destructive Windows backdoor activity
Malware ActivityAbout this happening: The **GigaWiper / BLUERABBIT** malware activity now combines **disk wiping**, **fake ransomware**, and **spyware backdoor** functions on **Windows**, increasing the chance that on...
TinyRCT backdoor used in CL-STA-1062 Southeast Asia intrusions
Malware Activity
H score15
First: 26.06.2026 19:21
Last: 26.06.2026 19:21
Sources 1
About this happening:
The newly documented **TinyRCT** backdoor gives **CL-STA-1062** a custom remote-access payload for **government and critical-infrastructure targets in Southeast Asia**, expanding...
TinyRCT backdoor used in CL-STA-1062 Southeast Asia intrusions
Malware ActivityAbout this happening: The newly documented **TinyRCT** backdoor gives **CL-STA-1062** a custom remote-access payload for **government and critical-infrastructure targets in Southeast Asia**, expanding...
TinyRCT backdoor with persistence, exfiltration, and self-deletion
Malware Activity
H score22
First: 26.06.2026 13:30
Last: 26.06.2026 13:30
Sources 1
About this happening:
The **TinyRCT** backdoor appeared in a **2025** intrusion operation, adding stealthy **persistent access** and **control** to the attackers' toolkit. It also supports **command ex...
TinyRCT backdoor with persistence, exfiltration, and self-deletion
Malware ActivityAbout this happening: The **TinyRCT** backdoor appeared in a **2025** intrusion operation, adding stealthy **persistent access** and **control** to the attackers' toolkit. It also supports **command ex...
MacOS.Gaslight prompt-injection technique aimed at AI-assisted triage
Technical Analysis
H score23
First: 24.06.2026 17:00
Last: 24.06.2026 17:00
Sources 1
About this happening:
**macOS.Gaslight** is a **Rust-based macOS implant and information stealer** assessed with high confidence as the work of **North Korea-aligned threat actors**. The sample uses **...
MacOS.Gaslight prompt-injection technique aimed at AI-assisted triage
Technical AnalysisAbout this happening: **macOS.Gaslight** is a **Rust-based macOS implant and information stealer** assessed with high confidence as the work of **North Korea-aligned threat actors**. The sample uses **...
Gentlemen ransomware EDR-killer tooling
Malware Activity
H score35
First: 19.06.2026 01:31
Last: 19.06.2026 01:31
Sources 1
About this happening:
**Gentlemen ransomware-as-a-service (RaaS)** is actively maintaining a suite of **EDR killers** led by **GentleKiller** to disable endpoint defenses before encryption. ESET says t...
Gentlemen ransomware EDR-killer tooling
Malware ActivityAbout this happening: **Gentlemen ransomware-as-a-service (RaaS)** is actively maintaining a suite of **EDR killers** led by **GentleKiller** to disable endpoint defenses before encryption. ESET says t...
Timeline
-
11.12.2025 13:00 2 articles · 7mo ago
WIRTE Ashen Lepus AshTag espionage campaign update
Technical Analysis UpdatePalo Alto Networks tracks WIRTE as Ashen Lepus and describes an AshTag modular .NET backdoor campaign against government and diplomatic entities across the Middle East, using phishing-delivered PDF decoys, RAR archives, AshenLoader and AshenStager sideloading, in-memory payload execution, and Rclone-based document exfiltration, with expanded focus on Oman and Morocco and continued activity after the October 2025 Gaza ceasefire.
Show sources
- WIRTE Leverages AshenLoader Sideloading to Install the AshTag Espionage Backdoor — thehackernews.com — 11.12.2025 13:00
- WIRTE Leverages AshenLoader Sideloading to Install the AshTag Espionage Backdoor — thehackernews.com — 11.12.2025 13:00