
WIRTE / Ashen Lepus Middle East espionage campaign

Campaign
Happening score: 34
1 unique source, 1 article

Summary


WIRTE (also tracked as Ashen Lepus) has continued a persistent espionage campaign against government and diplomatic entities across the Middle East, expanding into Oman and Morocco. The activity is notable because it continued through the Israel-Hamas conflict and after the October 2025 Gaza ceasefire with no operational slowdown. The operation combined phishing emails and malware deployment to support intelligence collection and hands-on access in victim environments.

Related Happenings

MuddyWater U.S. network intrusion campaign targeting banks, airports, and a software company arm

Campaign
First: 06.03.2026 12:23 Last: 06.03.2026 12:23 Sources 1

About this happening: **MuddyWater (Seedworm)** is running a **state-linked intrusion campaign** that has embedded itself in **U.S. banks, airports, a non-profit, and an Israeli software company arm**,...

Middle East retaliatory hacktivist DDoS campaign

Campaign
First: 04.03.2026 19:21 Last: 04.03.2026 19:21 Sources 1

About this happening: A **retaliatory hacktivist DDoS campaign** has surged across the **Middle East**, creating broad disruption risk for **government** and **public-infrastructure** targets. Research...

TGR-STA-1030/UNC6619 Shadow Campaigns espionage operation

Campaign
First: 07.02.2026 17:09 Last: 07.02.2026 17:09 Sources 1

About this happening: The **TGR-STA-1030/UNC6619** operation **Shadow Campaigns** expanded a state-sponsored espionage effort that compromised **at least 70 organizations** across **37 countries**, inc...

Amaranth-Dragon Southeast Asia espionage campaign

Campaign
First: 04.02.2026 16:09 Last: 04.02.2026 16:09 Sources 1

About this happening: The **Amaranth-Dragon** espionage campaign targeted **government and law enforcement agencies** across **Southeast Asia** throughout **2025**, indicating a sustained effort to est...

Mustang Panda PlugX DOPLUGS deployment chain for persistent access

Malware Activity
First: 04.02.2026 16:09 Last: 04.02.2026 16:09 Sources 1

About this happening: **Mustang Panda (TA416)** used **malicious ZIP/LNK chains** to deliver its custom **PlugX/DOPLUGS** payload and maintain **persistent access** on compromised hosts. The activity t...

Timeline

  1. 11.12.2025 13:00 2 articles · 5mo ago

    WIRTE/Ashen Lepus campaign expands across the Middle East

    Campaign Scope Update

    WIRTE, also tracked as Ashen Lepus and overlapping with Gaza Cyber Gang aliases including Blackstem, Extreme Jackal, Molerats, and TA402, is described as a persistent espionage actor targeting government and diplomatic entities across the Middle East since at least 2018/2020, with scope now extending to Oman and Morocco. The campaign uses phishing emails with geopolitical lures, a harmless PDF decoy, RAR archive delivery, AshenLoader and AshenStager DLL sideloading, and in-memory deployment of the AshTag .NET backdoor that masquerades as a legitimate VisualServer utility; one observed intrusion involved staging diplomacy-related documents from a victim email inbox in C:\Users\Public and exfiltrating them with Rclone.
