WIRTE
Also known as: Ashen Lepus
Overview
WIRTE is a cyberespionage actor, believed to be a subgroup of the Hamas-affiliated Gaza Cybergang, that has been active since at least August 2018. WIRTE has targeted diplomatic, financial, military, legal, and technology organizations across the Middle East, North Africa, and Europe to gather intelligence. WIRTE has remained persistently active despite the ongoing Israel-Hamas conflict and has expanded its operations to include wiper malware attacks against Israeli targets.
Capabilities
- Custom malware/implant development — ATT&CK: 6 attributed custom malware families
TTPs — 26 techniques across 7 tactics
Resource Development
- T1583.001 Domains
- T1586.002 Email Accounts
- T1588.002 Tool
- T1608.001 Upload Malware
Initial Access
- T1566.001 Spearphishing Attachment
- T1566.002 Spearphishing Link
Execution
- T1059.001 PowerShell
- T1059.003 Windows Command Shell
- T1059.005 Visual Basic
- T1106 Native API
- T1204.001 Malicious Link
- T1204.002 Malicious File
Stealth
- T1027.010 Command Obfuscation
- T1027.015 Compression
- T1036.005 Match Legitimate Resource Name or Location
- T1140 Deobfuscate/Decode Files or Information
- T1218.010 Regsvr32
- T1497.001 System Checks
- T1574.001 DLL
- T1684.001 Impersonation
Collection
- T1074.001 Local Data Staging
- T1114.001 Local Email Collection
Command and Control
- T1071.001 Web Protocols
- T1105 Ingress Tool Transfer
- T1571 Non-Standard Port
Exfiltration
Tools & malware (8)
LitePower · SameCoin · Ferocious · Empire · IronWind · Rclone · Havoc · AshTag
Reporting (3)
- Hamas-Affiliated Ashen Lepus Targets Middle Eastern Diplomatic Entities With New AshTag Malware Suite — Unit 42
- Hamas-affiliated Threat Actor WIRTE Continues its Middle East Operations and Moves to Disruptive Activity — Check Point
- WIRTE’s campaign in the Middle East ‘living off the land’ since at least 2019 — Yamout, M.