Saved February 14, 2026
A cyber-espionage group linked to Hamas, known as Ashen Lepus, is using new malware called AshTag to target government and diplomatic offices in the Middle East. Their tactics involve disguising malicious files as benign documents related to geopolitical issues, allowing them to steal sensitive information undetected.
The cyber-espionage group Ashen Lepus, associated with Hamas and tracked as WIRTE, has ramped up its activities using a malware suite dubbed AshTag. According to Palo Alto Networks’ Unit 42, they have targeted government and diplomatic offices in the Middle East, continuing their operations even during the recent Gaza ceasefire. Initially focused on nearby countries like the Palestinian Authority, Egypt, and Jordan, their scope has expanded to include Oman and Morocco.
Ashen Lepus employs deceptive tactics to deliver malware. They disguise malicious files as benign documents related to Middle Eastern geopolitics, using file-sharing services to distribute them. The attack begins with a seemingly harmless PDF that leads the victim to download a compressed RAR file containing a fake document, a loader program, and a harmless PDF. When the fake document is opened, the loader activates quietly, allowing the real malware, referred to as AshenOrchestrator, to operate undetected.
The group has refined its methods to evade detection. They disguise malware communication as normal internet traffic, using innocuous-looking website names. They also execute their malicious software directly in memory, avoiding traces that would alert security systems. Once inside a target's system, the hackers focus on stealing sensitive diplomatic documents, often accessing victims' email accounts to obtain this data. This ongoing threat highlights the need for heightened security awareness among organizations in the region.