Palo Alto Networks.

Palo Alto Networks: Hamas-linked hackers launch stealth espionage push across Arab governments

The cybersecurity giant finds Ashen Lepus deploying new AshTag malware and upgraded stealth infrastructure, targeting government ministries and diplomatic missions in Oman, Morocco, Egypt, Jordan and the Palestinian Authority.

Palo Alto Networks Unit 42 has uncovered a long-running espionage campaign by Ashen Lepus, an advanced persistent threat (APT) group linked to Hamas, that has been targeting Arabic-speaking government and diplomatic entities across the Middle East. The group has significantly upgraded its capabilities in recent months, marking one of the most substantial evolutions in Hamas-aligned cyber activity to date.
According to the new report, Ashen Lepus has developed updated versions of its custom loader and deployed a new malware suite dubbed AshTag, while also overhauling its command-and-control (C2) infrastructure to evade detection and blend seamlessly into legitimate internet traffic. The attackers targeted government ministries and diplomatic missions in Oman, Morocco, Egypt, Jordan and the Palestinian Authority, seeking sensitive intelligence.
Palo Alto Networks.
(Photo: David Paul Morris/Bloomberg)
Researchers noted that the group remained persistently active throughout the Israel-Hamas conflict, unlike other affiliated threat actors that slowed their operations. Even after the October 2025 Gaza ceasefire, Ashen Lepus continued to deploy new malware variants and carried out hands-on activity inside victim environments, reflecting both determination and rapid technical advancement.
The investigation highlights a clear shift in the group’s operational maturity. Historically regarded as moderately sophisticated, Ashen Lepus has recently adopted more advanced tactics, including enhanced custom payload encryption, infrastructure obfuscation using legitimate subdomains, in-memory execution to reduce forensic traces, and a more resilient and evasive C2 architecture.
“The expansion of Ashen Lepus’s victimology beyond their traditional geographic targets, coupled with new lure themes, suggests a broadening of its operational scope,” wrote Unit 42 researchers. “We assess that Ashen Lepus will continue to adapt its toolset and targeting to pursue its geopolitical intelligence objectives. Organizations in the Middle East, particularly in the governmental and diplomatic sectors, should remain vigilant against this evolving threat.”