AshenLoader
AshenLoader is a malicious DLL loader used in the AshTag espionage malware chain operated by the Hamas-affiliated threat group Ashen Lepus, also tracked as WIRTE. It has been used in campaigns targeting governmental and diplomatic entities in the Middle East, including reported targeting of Palestine, Egypt, Jordan, Oman, and Morocco. The infection chain described in the source material is AshenLoader -> AshenStager -> AshenOrchestrator, culminating in deployment of the modular AshTag backdoor.
Delivery relies on diplomatic-themed lures and DLL sideloading. Victims are enticed with benign-looking PDF documents that lead to the download of RAR archives containing a fake document executable, a malicious DLL identified as AshenLoader, and a decoy PDF. A renamed benign executable is used to sideload the AshenLoader DLL. When executed, AshenLoader opens the harmless decoy PDF to reduce suspicion, collects basic host information, contacts an external server, and retrieves or drops additional components. Reported follow-on payloads include a legitimate executable and a DLL payload called AshenStager (also referred to as stagerx64), which is again sideloaded to continue execution.
The broader malware suite emphasizes stealth and in-memory execution to minimize forensic artifacts on disk. AshenLoader fetches content hidden in HTML, including data embedded between custom tags, which is then used to deliver later stages. Subsequent components extract Base64-encoded payloads and configuration data, including C2 domains, module URLs, encryption keys, and timing values. The final AshTag framework supports espionage functions including file exfiltration, command execution, persistence, process management, update and removal, screen capture, file management, and system fingerprinting via WMI. Observed infrastructure included API-style subdomains on legitimate-looking sites, with examples such as api.healthylifefeed[.]com and auth.onlinefieldtech[.]com. Reported post-compromise activity included staging stolen diplomatic documents in C:\Users\Public and exfiltrating them with Rclone.
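As an added, defender-side example (not code from the source reporting or from the malware itself), the following Python scans an HTML response for Base64 blobs enclosed in non-standard tags, the hiding pattern described above, and decodes whatever it finds for analyst review. The tag name xconfig, the JSON config and the list of standard HTML element names are constructed assumptions, not observed AshenLoader artifacts.

```python
import base64
import re
from html.parser import HTMLParser

# Common HTML element names (an assumed, non-exhaustive list); any other tag
# name is treated as "custom" and its enclosed text is inspected.
STANDARD_TAGS = {
    "html", "head", "body", "title", "meta", "link", "script", "style", "div",
    "span", "p", "a", "img", "ul", "ol", "li", "table", "tr", "td", "th", "br",
    "hr", "form", "input", "button", "section", "article", "header", "footer",
    "nav", "main", "pre", "code", "b", "i", "strong", "em", "h1", "h2", "h3",
}
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


class CustomTagCollector(HTMLParser):
    # Collects the text enclosed by tags that are not standard HTML elements.
    def __init__(self):
        super().__init__()
        self._stack = []   # currently open custom tags: [name, text parts]
        self.found = []    # (tag_name, enclosed_text) pairs

    def handle_starttag(self, tag, attrs):
        if tag not in STANDARD_TAGS:
            self._stack.append([tag, []])

    def handle_data(self, data):
        if self._stack:
            self._stack[-1][1].append(data)

    def handle_endtag(self, tag):
        if self._stack and self._stack[-1][0] == tag:
            name, parts = self._stack.pop()
            self.found.append((name, "".join(parts)))


def find_hidden_payloads(html, min_len=64):
    """Return (tag, decoded_bytes) for custom-tag bodies that are valid Base64."""
    parser = CustomTagCollector()
    parser.feed(html)
    hits = []
    for tag, text in parser.found:
        compact = re.sub(r"\s+", "", text)  # tolerate line-wrapped Base64
        if len(compact) >= min_len and len(compact) % 4 == 0 and B64_RE.match(compact):
            hits.append((tag, base64.b64decode(compact, validate=True)))
    return hits


# Constructed sample: a benign paragraph plus a made-up <xconfig> tag carrying
# a Base64-encoded fake config (not a real AshenLoader artifact).
SAMPLE_CONFIG = b'{"c2":"api.example.invalid","module_url":"/m","key":"0123456789abcdef","sleep":30}'
SAMPLE_HTML = ("<html><body><p>Welcome to our site.</p><xconfig>"
               + base64.b64encode(SAMPLE_CONFIG).decode() + "</xconfig></body></html>")
```

Run it over proxy-captured or sandbox-captured HTML from suspect hosts; standard tags are skipped, so ordinary Base64 inside a <script> or <p> does not raise a hit, which keeps the noise down.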
Groups observed using it
One distinct threat actor is attributed by public researchers.
Ashen Lepus deployed AshTag and AshenLoader targeting Palestine, Egypt, Jordan, Oman, and Morocco.
Recent activity
Four sources are tracked across advisories, community write-ups, and news.
A loader deployed by Ashen Lepus in regional targeting operations.
AshenLoader is a loader malware used to sideload and install the AshTag espionage backdoor as part of a multi-stage attack chain by the Ashen Lepus (WIRTE) group.
Initial-stage loader in the AshTag infection chain that collects basic host data, communicates with C2, and retrieves the next stage (AshenStager) from attacker-controlled content embedded in HTML.
AshenLoader is a malicious DLL used to sideload and deploy additional payloads, including AshenStager and the AshTag malware suite, while maintaining stealth by opening decoy documents and minimizing forensic artifacts.