G0090: WIRTE
WIRTE is a cyberespionage actor, believed to be a subgroup of the Hamas-affiliated Gaza Cybergang, that has been active since at least August 2018. WIRTE has targeted diplomatic, financial, military, legal, and technology organizations across the Middle East, North Africa, and in Europe to gather intelligence. WIRTE has remained persistently active despite the ongoing Israel-Hamas conflict and has expanded their operations to include wiper malware attacks against Israeli targets.[1][2][3][4]
Analyst context for executives and security teams
WIRTE matters because ATT&CK describes it as a long-running cyberespionage group focused on intelligence collection against diplomatic, financial, military, legal, and technology organizations across the Middle East, North Africa, and Europe, with reporting that it has also expanded into wiper malware against Israeli targets. For leaders, this makes WIRTE less a single malware problem and more a test of whether the organization can detect social engineering, script-based execution, command-and-control, data staging, exfiltration, and potentially destructive activity before operations or sensitive information are affected.
Executive priority
Prioritize WIRTE as a regional and sector-relevant threat model where the organization has exposure to the named geographies or sectors, supports government/diplomatic/legal/technology missions, or has Israeli/Middle East operational dependencies. The decision value is in validating resilience: are email and endpoint controls reducing user-driven execution, are SOC teams seeing PowerShell/VB/cmd activity and web-based C2, are cloud-storage synchronization tools such as Rclone governed, and are IR plans prepared for both espionage and wiper-style disruption scenarios? This can also support audit and compliance evidence by showing coverage for collection, exfiltration, and destructive malware readiness.
Technical view
ATT&CK provides no official detection text for the group, so defenders should build coverage from the relationships. WIRTE is linked to Empire, Ferocious, LitePower, Rclone, Havoc, IronWind, SameCoin, and AshTag, plus techniques including malicious links/files, PowerShell, Windows Command Shell, Visual Basic, web protocols for C2, ingress tool transfer, local data staging, local email collection, exfiltration over C2, obfuscation/compression/deobfuscation, masquerading by legitimate resource name/location, and Native API use. SOC validation should therefore focus on Windows script execution, suspicious command-line patterns, unexpected downloader/backdoor behavior, cloud-sync/file-transfer activity, web egress anomalies, staged archives or local collection paths, and destructive/wiper indicators where SameCoin is in scope.
Likely telemetry
- Email security and user-click/open events for malicious links and files
- Endpoint process creation and command-line logging for PowerShell, cmd, VB/VBS, .NET, and script hosts
- PowerShell script block/module/transcription logs where available
- EDR telemetry for process ancestry, file writes, persistence-like behavior, and masqueraded names or locations
- Network proxy, DNS, firewall, and TLS metadata for web-protocol C2 and unusual outbound destinations
Detection direction
- Do not treat the group object as a signature source; ATT&CK supplies no official detection guidance for WIRTE, so detection must be relationship-driven and validated against local telemetry.
- Tune for suspicious combinations: user-opened content followed by PowerShell/VBS/cmd execution, downloader activity, web egress, tool transfer, local staging, and exfiltration-like traffic.
- Review allowlists for legitimate administration frameworks and open-source C2/post-exploitation tools; Empire and Havoc can create false positives in red-team or admin contexts but are material when seen on unmanaged endpoints or unusual hosts.
- Baseline Rclone and other cloud-sync usage; distinguish sanctioned backup/sync workflows from unusual command-line use, new destinations, abnormal transfer volume, or execution from temporary/user-writable paths.
- Hunt for masquerading and obfuscation rather than exact names only, since related techniques include command obfuscation, compression, deobfuscation, and matching legitimate resource names or locations.
Mitigation priorities
- Start with exposure scoping: determine whether the organization matches the sectors or regions described by ATT&CK and whether Windows, Android, cloud-storage, and cross-platform tooling are material in the environment.
- Harden user-execution paths with email/link/file controls, attachment detonation, user reporting workflows, and restrictions on risky script execution where operationally feasible.
- Improve endpoint visibility and control for PowerShell, cmd, VB/VBS, .NET execution, suspicious child processes, and execution from user-writable or temporary locations.
- Govern cloud-sync and file-transfer tools, including approved-use policies, logging, egress controls, and alerting for unsanctioned Rclone-like behavior.
- Prepare IR playbooks for both espionage and disruption: credential and mailbox investigation, data-staging/exfiltration review, malware containment, and wiper recovery decisions.
Analyst notes and limits
The strongest defensive value comes from mapping WIRTE’s related software and techniques into control validation rather than relying on the group name. ATT&CK’s description supports cyberespionage, regional/sector targeting, continued activity, and a move into wiper malware; relationships support script-based execution, C2, exfiltration, local collection, tool transfer, and destructive tooling context. Local threat intelligence and environment scope are required before making attribution or exposure claims.
The supplied ATT&CK group object lists no platforms, tactics, labels, or official detection text. Platform and behavior guidance here is inferred only from the supplied relationship context, not from a complete intrusion procedure list. Detection quality depends on local logging, endpoint coverage, network visibility, asset scope, and whether the organization overlaps the described sectors or regions.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1059.001 | PowerShell Sub-technique | WIRTE has used PowerShell for script execution. [1] |
| Enterprise | T1571 | Non-Standard Port | WIRTE has used HTTPS over ports 2083 and 2087 for C2. [2] |
| Enterprise | T1059.005 | Visual Basic Sub-technique | WIRTE has used VBScript in its operations. [1] |
| Enterprise | T1114.001 | Local Email Collection Sub-technique | WIRTE has collected documents from victims' email accounts. [4] |
| Enterprise | T1204.002 | Malicious File Sub-technique | WIRTE has attempted to lure users into opening malicious documents, including MS Word and Excel files, at times using a decoy document to encourage execution of malicious payloads. [2][3][4] |
| Enterprise | T1608.001 | Upload Malware Sub-technique | WIRTE has directed victims to malicious payloads staged on file sharing services. [4] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | WIRTE has used Base64 to decode a malicious VBS script. [1] |
| Enterprise | T1566.001 | Spearphishing Attachment Sub-technique | WIRTE has sent emails to intended victims with malicious MS Word and Excel attachments. [2] |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | WIRTE has used the Windows command line as part of infection chains to open documents. [3] |
| Enterprise | T1204.001 | Malicious Link Sub-technique | WIRTE has used links embedded in emails to lure users into downloading malicious files. [3] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | WIRTE has used security service provider naming conventions such as ESET and Kaspersky ("Kaspersky Update Agent") in order to appear legitimate. [2][3] |
| Enterprise | T1074.001 | Local Data Staging Sub-technique | WIRTE has staged collected documents of interest in the `C:\Users\Public` folder. [4] |
| Enterprise | T1588.002 | Tool Sub-technique | |
| Enterprise | T1586.002 | Email Accounts Sub-technique | WIRTE has used compromised emails, including one belonging to an Israel-based technology reseller, to deliver targeted spearphishing messages. [3] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | WIRTE has exfiltrated collected victim data to C2 infrastructure. [4] |
| Enterprise | T1583.001 | Domains Sub-technique | WIRTE has registered domains designed to mimic legitimate sites for use in phishing campaigns. [3][4] |
| Enterprise | T1071.001 | Web Protocols Sub-technique | WIRTE has used HTTP for network communication. [1] |
| Enterprise | T1574.001 | DLL Sub-technique | WIRTE has used RAR archives containing a legitimate executable and a lure document to execute malicious DLLs via sideloading. [3] |
| Enterprise | T1497.001 | System Checks Sub-technique | WIRTE has configured C2 servers to check location and user-agent strings for victim endpoints to prevent sending a payload to sandboxed environments. [4] |
| Enterprise | T1566.002 | Spearphishing Link Sub-technique | WIRTE has sent targeted spearphishing emails with malicious links directing victims to malware downloads. [3] |
| Enterprise | T1684.001 | Impersonation Sub-technique | WIRTE has utilized look-alike domains and graphics of trusted security solution providers to entice victims to click on phishing links. [3] |
| Enterprise | T1106 | Native API | WIRTE has used the `RtlIpv4StringToAddressA` API to convert an IP-formatted string to a byte array. [3] |
| Enterprise | T1218.010 | Regsvr32 Sub-technique | WIRTE has used `regsvr32.exe` to trigger the execution of a malicious script. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | WIRTE has downloaded PowerShell code from the C2 server to be executed. [1] |
| Enterprise | T1027.015 | Compression Sub-technique | WIRTE has compressed malicious files within RAR and ZIP archives for obfuscation. [3][4] |
| Enterprise | T1027.010 | Command Obfuscation Sub-technique | WIRTE has XOR-encrypted command line strings to conceal malware execution chains. [3] |
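The detection direction above and the procedure table's specifics (Office-spawned script hosts and `regsvr32.exe`, HTTPS C2 on ports 2083/2087, staging under `C:\Users\Public`, vendor-name masquerading, Rclone from user-writable paths) can be turned into a relationship-driven triage that escalates only when several behaviours coincide on one host. This is an added example, not Glexia's or MITRE's code; the event field names (`type`, `host`, `parent`, `image`, `path`, `dport`) and the sample events are this example's own assumptions and must be mapped onto the local Sysmon/EDR schema.

```python
from collections import defaultdict
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "regsvr32.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
C2_PORTS = {2083, 2087}                 # non-standard HTTPS ports reported for WIRTE C2 (T1571)
STAGING_DIR = "c:\\users\\public\\"     # local staging folder reported for WIRTE (T1074.001)
VENDOR_WORDS = ("kaspersky", "eset")    # vendor names borrowed for masquerading (T1036.005)
TRUSTED_ROOTS = ("c:\\program files", "c:\\windows\\")  # where such names legitimately live

def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]
def check_process(ev: dict) -> list[str]:  # labels for one process-creation event
    parent, image = _basename(ev.get("parent", "")), ev.get("image", "").lower()
    name, labels = _basename(image), []
    if parent in OFFICE_APPS and name in SCRIPT_HOSTS:
        labels.append("office-spawned-script-host")        # T1204.002 -> T1059.x / T1218.010
    if any(w in image for w in VENDOR_WORDS) and not image.startswith(TRUSTED_ROOTS):
        labels.append("vendor-name-outside-trusted-path")  # T1036.005
    if name == "rclone.exe" and not image.startswith(TRUSTED_ROOTS):
        labels.append("rclone-from-user-writable-path")    # S1040 baseline check
    return labels
def check_file(ev: dict) -> list[str]:  # documents or archives written into the Public folder
    path = ev.get("path", "").lower()
    staged = path.startswith(STAGING_DIR) and path.endswith((".rar", ".zip", ".docx", ".xlsx"))
    return ["public-folder-staging"] if staged else []
def check_network(ev: dict) -> list[str]:  # non-browser process using HTTPS on 2083/2087
    odd = ev.get("dport") in C2_PORTS and _basename(ev.get("image", "")) not in BROWSERS
    return ["https-on-nonstandard-port"] if odd else []

def triage(events: list[dict]) -> dict[str, list[str]]:
    """Distinct labels per host in first-seen order; hosts with no hits are omitted."""
    checks = {"process": check_process, "file": check_file, "network": check_network}
    hits = defaultdict(list)
    for ev in events:
        for label in checks.get(ev.get("type"), lambda e: [])(ev):
            if label not in hits[ev["host"]]:
                hits[ev["host"]].append(label)
    return dict(hits)
def escalate(hits: dict[str, list[str]], min_labels: int = 2) -> list[str]:
    """Hosts where several relationship-derived behaviours coincide, per the tuning advice."""
    return [h for h, labels in hits.items() if len(labels) >= min_labels]

# Constructed sample events (not real telemetry); the field names are this example's own schema.
SAMPLE = [
    {"type": "process", "host": "ws01", "parent": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE", "image": "C:\\Windows\\System32\\regsvr32.exe"},
    {"type": "network", "host": "ws01", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "dport": 2087},
    {"type": "file", "host": "ws01", "path": "C:\\Users\\Public\\reports.rar"},
    {"type": "process", "host": "ws02", "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Program Files\\Kaspersky Lab\\avp.exe"},
    {"type": "process", "host": "ws03", "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Users\\ana\\AppData\\Local\\Temp\\rclone.exe"},
]
```

Running `escalate(triage(SAMPLE))` flags only `ws01`, where the Office-to-regsvr32 chain, the 2087 egress and the Public-folder archive coincide; the vendor-named binary under Program Files on `ws02` and the lone Rclone on `ws03` stay at single-label noise for review rather than escalation.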
Groups, software, and campaigns
S0680: LitePower
S9030: SameCoin
S0679: Ferocious
S0363: Empire
Empire is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents are written in pure PowerShell for Windows and Python for Linux/macOS. Empire was one of five tools singled out by a joint report on public hacking tools being widely used by adversaries.[1][2][3]
S9029: IronWind
S1040: Rclone
S1229: Havoc
Havoc is an open-source post-exploitation command and control (C2) framework first released on GitHub in October 2022 by C5pider (Paul Ungur), who continues to maintain and develop it with community contributors. Havoc provides a wide range of offensive security capabilities and has been adopted by multiple threat actors to establish and maintain control over compromised systems.
S9031: AshTag
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 3.0 | | Current bundle | 9c8f97a703bc… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Lab52 WIRTE Apr 2019: S2 Grupo. (2019, April 2). WIRTE Group attacking the Middle East. Retrieved May 24, 2019.
- [2] Kaspersky WIRTE November 2021: Yamout, M. (2021, November 29). WIRTE’s campaign in the Middle East ‘living off the land’ since at least 2019. Retrieved February 1, 2022.
- [3] Check Point Wirte NOV 2024: Check Point. (2024, November 12). Hamas-affiliated Threat Actor WIRTE Continues its Middle East Operations and Moves to Disruptive Activity. Retrieved April 20, 2026.
- [4] Palo Alto Ashen Lepus DEC 2025: Unit 42. (2025, December 11). Hamas-Affiliated Ashen Lepus Targets Middle Eastern Diplomatic Entities With New AshTag Malware Suite. Retrieved April 20, 2026.
- [5] Ashen Lepus (Citation: Palo Alto Ashen Lepus DEC 2025)
- [6] WIRTE (Citation: Lab52 WIRTE Apr 2019)
- [7] mitre-attack G0090
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.