WIRTE Deploys AshTag Espionage Backdoor via AshenLoader Sideloading
Summary
The advanced persistent threat (APT) group WIRTE, also tracked as Ashen Lepus, has been targeting government and diplomatic entities in the Middle East since 2020 with a previously undocumented malware suite called AshTag. The group leverages AshenLoader for sideloading to deploy the AshTag backdoor, which facilitates espionage and data theft. Recent attacks have expanded to include Oman and Morocco, with a focus on geopolitical lures related to Turkey and Palestine. The campaign involves phishing emails, PDF decoys, and a multi-stage infection process to minimize forensic artifacts. The AshTag backdoor is modular and designed for persistence, remote command execution, and data exfiltration. The group's activities have remained persistent throughout regional conflicts, unlike other affiliated threat groups. The threat actors have been observed conducting hands-on data theft, staging documents of interest in the C:\Users\Public folder before exfiltrating them to an attacker-controlled server.
Timeline
- 11.12.2025 13:00 (1 article)
  WIRTE Expands Operations to Oman and Morocco with AshTag Backdoor
  The WIRTE group, also known as Ashen Lepus, has been targeting government and diplomatic entities in the Middle East since 2020 with the AshTag backdoor. The group's operations have expanded to include Oman and Morocco, with a focus on geopolitical lures related to Turkey and Palestine. The AshTag backdoor is a modular .NET backdoor designed for persistence, remote command execution, and data exfiltration. The group's activities have remained persistent throughout regional conflicts, unlike other affiliated threat groups. The threat actors have been observed conducting hands-on data theft, staging documents of interest in the C:\Users\Public folder before exfiltrating them to an attacker-controlled server.
  Source: WIRTE Leverages AshenLoader Sideloading to Install the AshTag Espionage Backdoor — thehackernews.com — 11.12.2025 13:00
Information Snippets
- WIRTE, also known as Ashen Lepus, has been active since at least 2018 and targets government entities in the Middle East.
  First reported: 11.12.2025 13:00 (1 source, 1 article)
  Source: WIRTE Leverages AshenLoader Sideloading to Install the AshTag Espionage Backdoor — thehackernews.com — 11.12.2025 13:00
- The group uses phishing emails with geopolitical lures to deliver a PDF decoy and a RAR archive containing the AshenLoader.
  First reported: 11.12.2025 13:00 (1 source, 1 article)
  Source: WIRTE Leverages AshenLoader Sideloading to Install the AshTag Espionage Backdoor — thehackernews.com — 11.12.2025 13:00
- AshenLoader sideloads a malicious DLL to deploy the AshTag backdoor, which is designed for persistence and remote command execution.
  First reported: 11.12.2025 13:00 (1 source, 1 article)
  Source: WIRTE Leverages AshenLoader Sideloading to Install the AshTag Espionage Backdoor — thehackernews.com — 11.12.2025 13:00
- AshTag is a modular .NET backdoor that masquerades as a legitimate VisualServer utility.
  First reported: 11.12.2025 13:00 (1 source, 1 article)
  Source: WIRTE Leverages AshenLoader Sideloading to Install the AshTag Espionage Backdoor — thehackernews.com — 11.12.2025 13:00
- The group has expanded its operations to include Oman and Morocco, with recent lures related to Turkey and Palestine.
  First reported: 11.12.2025 13:00 (1 source, 1 article)
  Source: WIRTE Leverages AshenLoader Sideloading to Install the AshTag Espionage Backdoor — thehackernews.com — 11.12.2025 13:00
- The threat actors have been observed conducting hands-on data theft, staging documents in the C:\Users\Public folder before exfiltrating them.
  First reported: 11.12.2025 13:00 (1 source, 1 article)
  Source: WIRTE Leverages AshenLoader Sideloading to Install the AshTag Espionage Backdoor — thehackernews.com — 11.12.2025 13:00
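
A hunt for the staging behaviour described above, added here as an example and not taken from the original report: it flags any process that writes a burst of document-type files under C:\Users\Public. The event records are constructed, the field names follow Sysmon FileCreate (Event ID 11), and the extension list, time window, threshold, host names and process paths are assumptions to tune or replace.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

STAGING_DIR = PureWindowsPath(r"C:\Users\Public")   # staging path named in the report
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".pptx", ".rar", ".zip"}  # assumed list
WINDOW, THRESHOLD = timedelta(minutes=10), 5        # assumed tuning values

def is_staged_document(target):
    """True for a document-type file anywhere under the Public profile (case-insensitive)."""
    p = PureWindowsPath(target)
    return p.suffix.lower() in DOC_EXTS and STAGING_DIR in p.parents

def find_staging_bursts(events, window=WINDOW, threshold=THRESHOLD):
    """Flag each (host, process) that writes >= threshold documents to the staging dir within window."""
    by_writer = defaultdict(list)
    for e in events:
        if is_staged_document(e["TargetFilename"]):
            ts = datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S")
            by_writer[(e["Computer"], e["Image"].lower())].append((ts, e["TargetFilename"]))
    alerts = []
    for (host, image), hits in sorted(by_writer.items()):
        hits.sort()
        start = 0
        for end in range(len(hits)):             # sliding window over sorted timestamps
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:     # first window that reaches the threshold
                alerts.append({"host": host, "image": image,
                               "files": [f for _, f in hits[start:end + 1]]})
                break                            # one alert per writer
    return alerts

def make_event(host, time, image, target):
    return {"Computer": host, "UtcTime": f"2025-01-01 {time}", "Image": image, "TargetFilename": target}

# Constructed sample events (not from the report): one burst, one single write,
# one slow hourly writer, and one burst outside the staging directory.
SAMPLE_EVENTS = (
    [make_event("HOST-A", f"10:0{i}:00", r"C:\Example\placeholder.exe", rf"c:\users\public\report_{i}.docx")
     for i in range(6)]
    + [make_event("HOST-A", "09:00:00", r"C:\Example\browser.exe", r"C:\Users\Public\Downloads\manual.pdf")]
    + [make_event("HOST-B", f"1{i}:00:00", r"C:\Example\sync.exe", rf"C:\Users\Public\Documents\q{i}.xlsx")
       for i in range(6)]
    + [make_event("HOST-B", f"10:0{i}:00", r"C:\Example\editor.exe", rf"C:\Users\alice\Documents\d{i}.docx")
       for i in range(6)]
)
if __name__ == "__main__":
    print(find_staging_bursts(SAMPLE_EVENTS))
```

Only the HOST-A burst is reported; the single download, the hourly writer and the writes under another user's profile stay below the threshold or outside the path.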