
Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://unit42.paloaltonetworks.com/hamas-affiliate-ashen-lepus-uses-new-malware-suite-ashtag/
  • Blog Title: Hamas-Affiliated Ashen Lepus Targets Middle Eastern Diplomatic Entities With New AshTag Malware Suite
  • Suggested Section: Windows Hardening -> Windows Local Privilege Escalation -> Process Abuse / DLL Hijacking (add subpage on advanced DLL side-loading & staged HTML-embedded C2 payloads), plus cross-link from 'Exfiltration' for the Rclone-based data theft technique and from 'Generic Methodologies & Resources -> Exfiltration' for using benign sync tools

🎯 Content Summary

This blog presents a detailed reverse engineering and campaign analysis of AshTag, a new modular .NET malware suite used by Hamas‑affiliated APT Ashen Lepus (aka WIRTE) for long‑running cyber‑espionage against Middle Eastern governmental and diplomatic entities. It explains how the full chain works end‑to‑end: social engineering, loader design, staged HTML‑embedded payloads, C2 crypto/protocol, modular backdoor internals, and hands‑on exfiltration.


Victimology, lures and initi...

🔧 Technical Details

DLL side-loading with decoy documents
The campaign abuses the Windows DLL search order: the attacker ships a legitimate‑looking EXE (named as a document) plus a malicious DLL named after a trusted system library (e.g., netutils.dll, srvcli.dll, dwampi.dll, wtsapi32.dll) in the same directory. When the user executes the EXE, Windows loads the local DLL instead of the real one. The DLL performs the malicious actions (e.g., loading subsequent stages) while the EXE opens a decoy PDF (Document.pdf) so the victim sees normal content. This general technique works for any signed or trusted executable that imports a DLL by name: place a fake DLL with that name in the EXE’s directory and ensure the code triggers during process initialization or on exported function calls.


Multi-stage HTML-embedded payload delivery
Payloads are hidden inside benign‑looking HTML responses from attacker C2. The first loader i...

🤖 Agent Actions

Summary:

  • Added a new case-study page under Windows LPE ➜ DLL Hijacking that documents Ashen Lepus’ multi-stage DLL sideloading chain, HTML-embedded payload extraction, AES-CTR protections, scheduled-task persistence, and the Rclone-based exfiltration workflow, including detection guidance and references.
  • Linked the main DLL Hijacking page to the new case study so readers can quickly find the advanced sideloading pattern.
  • Cross-referenced the new content from both the general Exfiltration cheatsheet and the Generic Methodologies ➜ Exfiltration section, highlighting the Rclone-based data theft technique.

No tests were run (not applicable).


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://unit42.paloaltonetworks.com/hamas-affiliate-ashen-lepus-uses-new-malware-suite-ashtag/

Content Categories: Based on the analysis, this content was categorized under "Windows Hardening -> Windows Local Privilege Escalation -> Process Abuse / DLL Hijacking (add subpage on advanced DLL side-loading & staged HTML-embedded C2 payloads), plus cross-link from 'Exfiltration' for the Rclone-based data theft technique and from 'Generic Methodologies & Resources -> Exfiltration' for using benign sync tools".

Repository Maintenance:

  • MD Files Formatting: 916 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
