👤 AGONY
🗓️ 12 Dec 2025   🌍 Africa

Shadow Diplomacy: Hamas-Linked Hackers Escalate Cyber Espionage Across the Middle East

A persistent Palestinian APT ramps up malware attacks on government targets in Morocco, Oman, and beyond - even after the Gaza ceasefire.

It started with an innocuous-looking PDF - official, unremarkable, and precisely what a government official might expect in their inbox. But beneath the surface, a new breed of digital threat was lurking. In a region already fraught with political tensions, a Hamas-affiliated hacking group, tracked as "Ashen Lepus," has quietly intensified a multi-year cyber espionage campaign, defying ceasefires and adapting their tactics to stay one step ahead.

Inside the Campaign: Malware Masquerading as Diplomacy

According to a new report from Palo Alto Networks’ Unit 42, Ashen Lepus has demonstrated remarkable persistence and adaptability since at least 2020. Their primary weapon: AshTag, a custom malware strain embedded in seemingly legitimate diplomatic documents. These files, often themed around Turkey’s involvement with Palestinian and Moroccan affairs, act as lures - drawing in government employees who are then guided to download a malicious RAR archive.

Once inside, AshTag grants attackers sweeping access: stealing sensitive files, downloading additional malicious tools, and even allowing "hands-on-keyboard" operations - where hackers actively search, copy, and exfiltrate documents in real time. In one case, Unit 42 observed Ashen Lepus directly siphoning off files from a victim’s email account, seeking out documents tied to high-level diplomacy.

The group’s tactics have evolved. They now employ advanced obfuscation methods to mask their digital footprints, making detection harder for defenders. Their operational security has improved, blending their malicious network activity with normal traffic to avoid raising alarms.

While other Hamas-linked actors scaled back after the October 2025 ceasefire, Ashen Lepus pushed forward, highlighting a relentless commitment to intelligence gathering. Their activities suggest a change in focus, with Turkish entities potentially joining the list of targets as regional alliances and rivalries shift.

Who Are Ashen Lepus?

Ashen Lepus is also tracked as "WIRTE" by other cybersecurity firms and is believed to be part of the broader Gaza Cybergang threat landscape - a constellation of groups linked to Palestinian interests and, specifically, Hamas. Their track record includes previous attacks with other malware, such as SysJoker, which targeted Israeli educational networks.

Researchers say the group’s persistent activity “highlights their commitment to constant intelligence collection” - a sobering reminder that, even as cyber conflicts ebb and flow, some actors never truly stand down.
