
S9031: AshTag

AshTag is a modular .NET backdoor with multiple features that has been used by WIRTE since at least 2025. AshTag is designed for persistence and remote command execution and can masquerade as a legitimate VisualServer utility.[1]

Enterprise · S9031 · Malware · Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

AshTag matters because ATT&CK describes it as a Windows modular .NET backdoor built for persistence and remote command execution that can masquerade as a legitimate VisualServer utility. For leaders, the practical risk is not a single malware name; it is whether Windows endpoint, egress, scheduled task, WMI, and application-control coverage can expose a stealthy backdoor that blends into normal administration and web traffic.

Executive priority

Prioritize this as a validation case for Windows resilience against espionage-style backdoors: can the organization prove it would notice persistence, remote command execution, discovery, screen capture, tool transfer, and data movement over command-and-control channels? The relationship to WIRTE in ATT&CK adds threat-intelligence relevance for organizations tracking diplomatic, financial, military, legal, technology, Middle East, North Africa, or Europe exposure, but local prioritization should be based on actual business presence, telemetry, and risk appetite.

Technical view

SOC and IR teams should map AshTag coverage to the supplied Windows platform and related behaviors: masquerading or legitimate-name/location matching, encrypted or encoded files, deobfuscation, scheduled task persistence, WMI execution, JavaScript execution, process/system/file/local storage/location discovery, DLL abuse, delayed execution, web-protocol or web-service C2, ingress tool transfer, screen capture, and exfiltration over the C2 channel. Because ATT&CK provides no official detection text, validation should focus on whether existing endpoint, network, and identity/admin telemetry can correlate these behaviors rather than relying on a malware signature alone.

Likely telemetry

  • Windows endpoint process creation and parent-child process relationships, especially .NET, script, WMI, and administrative utilities
  • Scheduled task creation, modification, and execution events
  • WMI activity and remote/local management execution evidence
  • File creation, rename, path, hash, and metadata telemetry for masquerading, encoded files, DLLs, and VisualServer-like naming
  • DLL load telemetry where available

Detection direction

  • Validate correlation across persistence plus execution plus network egress; any single behavior may look administrative or benign.
  • Tune for masquerading by comparing file names, paths, signatures, expected publishers, and known legitimate VisualServer deployments in the local environment.
  • Review scheduled task and WMI detections for false positives from IT administration tools while preserving visibility into unusual users, hosts, timing, or command content.
  • Look for encoded or encrypted payload artifacts followed by deobfuscation or execution, especially when paired with delayed execution or DLL abuse.
  • Baseline web-service and web-protocol egress so unusual destinations, user agents, timing, volume, or host roles can be investigated without over-alerting on normal web traffic.
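As a worked illustration of the first two bullets (correlating persistence, execution and egress on one host, and checking an allowlisted binary name against its expected path and publisher), here is an added Python example. It is not Glexia's or MITRE's code and is not derived from the Unit 42 report. The event shapes, field names, the ten-minute window, the host names and the "Example Vendor Inc." allowlist are constructed assumptions; real telemetry (scheduled-task creation events, process-creation events, EDR network events) would need a mapping onto these fields.

```python
"""Correlate scheduled-task persistence, masqueraded execution and web egress
per host over constructed sample telemetry.

Added example, not Glexia's, MITRE's or Unit 42's code. Event shapes, field
names, hosts, the window and the allowlist are all assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Field names are assumed.
SAMPLE_EVENTS = [
    # Host WS01: task -> same binary runs from a user profile path -> HTTPS egress
    {"ts": "2026-01-10T09:00:05", "host": "WS01", "type": "task_created",
     "user": "CORP\\alice", "task": "\\VisualServerUpdate",
     "action": "C:\\Users\\alice\\AppData\\Roaming\\VisualServer\\VisualServer.exe"},
    {"ts": "2026-01-10T09:00:20", "host": "WS01", "type": "process_created",
     "user": "CORP\\alice",
     "image": "C:\\Users\\alice\\AppData\\Roaming\\VisualServer\\VisualServer.exe",
     "parent": "C:\\Windows\\System32\\svchost.exe", "publisher": None},
    {"ts": "2026-01-10T09:01:10", "host": "WS01", "type": "net_connect",
     "image": "C:\\Users\\alice\\AppData\\Roaming\\VisualServer\\VisualServer.exe",
     "dest": "files.example-share.test", "port": 443},
    # Host WS02: benign admin activity, signed binary in its expected path, no egress
    {"ts": "2026-01-10T10:00:00", "host": "WS02", "type": "task_created",
     "user": "CORP\\itadmin", "task": "\\Backup",
     "action": "C:\\Program Files\\VisualServer\\VisualServer.exe"},
    {"ts": "2026-01-10T10:00:30", "host": "WS02", "type": "process_created",
     "user": "CORP\\itadmin",
     "image": "C:\\Program Files\\VisualServer\\VisualServer.exe",
     "parent": "C:\\Windows\\System32\\svchost.exe", "publisher": "Example Vendor Inc."},
]

# Hypothetical local allowlist: where the legitimate utility is deployed and who signs it.
KNOWN_GOOD = {
    "visualserver.exe": {
        "paths": {"c:\\program files\\visualserver\\visualserver.exe"},
        "publishers": {"Example Vendor Inc."},
    }
}

WINDOW = timedelta(minutes=10)  # assumed correlation window


def is_masquerade(image, publisher):
    """True when a binary carries an allowlisted name but not the expected path or publisher."""
    name = image.rsplit("\\", 1)[-1].lower()
    known = KNOWN_GOOD.get(name)
    if not known:
        return False  # name is not one we track; nothing to compare against
    return image.lower() not in known["paths"] or publisher not in known["publishers"]


def correlate(events, window=WINDOW):
    """Return per-host findings where a task creation is followed, within the
    window, by execution of the task's binary and network egress by that binary."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)

    findings = []
    for host, evs in by_host.items():
        evs.sort(key=lambda ev: ev["ts"])
        for task in [ev for ev in evs if ev["type"] == "task_created"]:
            t0 = datetime.fromisoformat(task["ts"])
            target = task["action"].lower()
            chain = {"host": host, "task": task["task"], "user": task["user"],
                     "stages": ["persistence"]}
            for ev in evs:
                ts = datetime.fromisoformat(ev["ts"])
                if not (t0 <= ts <= t0 + window):
                    continue
                if ev["type"] == "process_created" and ev["image"].lower() == target:
                    chain["stages"].append("execution")
                    if is_masquerade(ev["image"], ev.get("publisher")):
                        chain["stages"].append("masquerade")
                elif ev["type"] == "net_connect" and ev["image"].lower() == target:
                    chain["stages"].append("egress")
                    chain["dest"] = ev["dest"]
            # Only persistence + execution + egress together is worth an analyst's time
            if {"execution", "egress"} <= set(chain["stages"]):
                findings.append(chain)
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

Run on the sample, only WS01 is reported: its task, execution and egress chain inside the window and the binary sits in a user profile path with no publisher, so the masquerade check fires as well. WS02 shows the same task-plus-execution pair but never leaves the host and matches the allowlist, which is exactly the administrative noise the bullets say a single-behavior rule would over-alert on.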

Mitigation priorities

  • Confirm endpoint logging and retention are sufficient for Windows process, file, scheduled task, WMI, script, DLL, and network investigations.
  • Apply least privilege and administrative access controls to reduce abuse of WMI, scheduled tasks, and remote command execution paths.
  • Use application control, script control, and allowlisting where practical to limit untrusted .NET, JavaScript/JScript, DLL, and masqueraded utility execution.
  • Harden egress controls and web-service governance so unmanaged systems cannot freely communicate with unapproved external services.
  • Strengthen email/file handling controls and user resilience for malicious-file execution paths referenced by the related techniques.

Analyst notes and limits

ATT&CK identifies AshTag as a modular .NET backdoor used by WIRTE since at least 2025 and cites Unit 42 reporting. The most useful defensive interpretation is behavior-based: persistence, remote command execution, masquerading, discovery, collection, C2, tool transfer, and potential exfiltration behaviors should be tested against the organization’s actual Windows monitoring stack.

The supplied ATT&CK object has no official detection guidance, no malware tactics listed directly, and no aliases or labels. Relationship techniques provide behavioral context, but some related technique platform lists are broader than this malware object; this take therefore treats Windows as the supported platform for AshTag. Local software inventory, legitimate VisualServer use, network baselines, and log availability are required to assess real coverage.

Official MITRE ATT&CK definition

AshTag

AshTag is a modular .NET backdoor with multiple features that has been used by WIRTE since at least 2025. AshTag is designed for persistence and remote command execution and can masquerade as a legitimate VisualServer utility.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

19 rows. Columns: Domain, ID, Name, Relationship / procedure.

Enterprise T1113 Screen Capture

The AshTag AshenOrchestrator component has the ability to take screenshots. (Citation: Palo Alto Ashen Lepus DEC 2025)

Enterprise T1083 File and Directory Discovery

The AshTag AshenOrchestrator component can enumerate files on victim hosts. (Citation: Palo Alto Ashen Lepus DEC 2025)

Enterprise T1047 Windows Management Instrumentation

AshTag can use a .NET program to execute WMI queries and send unique victim IDs to C2. (Citation: Palo Alto Ashen Lepus DEC 2025)

Enterprise T1204.002 Malicious File Sub-technique

AshTag has been executed through victims downloading and opening malicious RAR archive files. (Citation: Palo Alto Ashen Lepus DEC 2025)

Enterprise T1082 System Information Discovery

The AshTag loader and AshenOrchestrator components can collect reconnaissance data from victim machines. (Citation: Palo Alto Ashen Lepus DEC 2025)

Enterprise T1102 Web Service

AshTag can download malicious payloads from file sharing services. (Citation: Palo Alto Ashen Lepus DEC 2025)

Enterprise T1071.001 Web Protocols Sub-technique

AshTag can use HTTP to send and receive data from C2. (Citation: Palo Alto Ashen Lepus DEC 2025)

Enterprise T1041 Exfiltration Over C2 Channel

AshTag has exfiltrated reconnaissance data on targeted systems to C2 servers. (Citation: Palo Alto Ashen Lepus DEC 2025)

Enterprise T1574.001 DLL Sub-technique

AshTag has enabled execution via DLL sideloading using a legitimate executable paired with a malicious DLL named wtsapi32. (Citation: Palo Alto Ashen Lepus DEC 2025)

Enterprise T1027.013 Encrypted/Encoded File Sub-technique

The AshTag AshenOrchestrator component payload has been Base64 encoded and embedded with HTML content from the C2 server. (Citation: Palo Alto Ashen Lepus DEC 2025)

Enterprise T1053.005 Scheduled Task Sub-technique

AshTag can set persistence using scheduled tasks. (Citation: Palo Alto Ashen Lepus DEC 2025)

Enterprise T1140 Deobfuscate/Decode Files or Information

The AshTag stager component can decode and decrypt Base64 and XOR-encrypted payloads. (Citation: Palo Alto Ashen Lepus DEC 2025)

Enterprise T1059.007 JavaScript Sub-technique

AshTag can use JSON files to deliver payloads and configuration files. (Citation: Palo Alto Ashen Lepus DEC 2025)

Enterprise T1105 Ingress Tool Transfer

The AshTag stager component can retrieve and execute the main payload. (Citation: Palo Alto Ashen Lepus DEC 2025)

Enterprise T1614 System Location Discovery

AshTag can check geolocation on targeted systems. (Citation: Palo Alto Ashen Lepus DEC 2025)

Enterprise T1057 Process Discovery

The AshTag AshenOrchestrator component has process management functionality. (Citation: Palo Alto Ashen Lepus DEC 2025)

Enterprise T1036.005 Match Legitimate Resource Name or Location Sub-technique

AshTag has masqueraded as a legitimate VisualServer utility. (Citation: Palo Alto Ashen Lepus DEC 2025)

Enterprise T1680 Local Storage Discovery

AshTag can use `volumeserialnumber` to enumerate volumes. (Citation: Palo Alto Ashen Lepus DEC 2025)

Enterprise T1678 Delay Execution

AshTag can use a set sleep time to delay C2 beaconing. (Citation: Palo Alto Ashen Lepus DEC 2025)
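The T1027.013 and T1140 rows above describe a payload that arrives Base64-encoded inside HTML from the C2 server and a stager that decodes Base64 and XOR. A defender-side triage helper for that pattern, as an added Python example that is not Unit 42's, Glexia's or MITRE's code: it pulls long Base64 runs out of a captured HTML body (for example from a proxy or sandbox capture), decodes them, tries a single-byte XOR brute force, and flags anything that decodes to a PE image. The single-byte key scheme, the 64-character run threshold and the embedded sample blob are assumptions; the page does not state AshTag's actual key length or container format, so treat a miss from this helper as "not this simple scheme", not as "benign".

```python
"""Triage helper: find Base64 runs in an HTML body and flag any that decode,
directly or after single-byte XOR, to a PE image.

Added example, not Unit 42's, Glexia's or MITRE's code. The key scheme
(single-byte XOR), the run threshold and the sample blob are assumptions."""
import base64
import binascii
import re
import struct

# Runs of Base64 alphabet at least 64 chars long, with optional padding (assumed threshold).
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def looks_like_pe(data: bytes) -> bool:
    """MZ magic plus a PE signature at the offset stored in e_lfanew (0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (the only key scheme this helper tries)."""
    return bytes(b ^ key for b in data)


def triage_html(html: bytes):
    """Return (offset, xor_key_or_None, decoded_bytes) for each embedded PE candidate."""
    hits = []
    for m in B64_RUN.finditer(html):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except binascii.Error:
            continue  # a long alphanumeric run that is not valid Base64
        if looks_like_pe(raw):
            hits.append((m.start(), None, raw))
            continue
        for key in range(1, 256):  # key 0 is the identity, already tested above
            candidate = xor_bytes(raw, key)
            if looks_like_pe(candidate):
                hits.append((m.start(), key, candidate))
                break
    return hits


def _build_sample() -> bytes:
    """Constructed fixture: a minimal MZ/PE-shaped buffer, XORed with 0x5A,
    Base64-encoded and dropped into an HTML comment. Not a real payload."""
    img = bytearray(0x80)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)  # e_lfanew -> 0x40
    img[0x40:0x44] = b"PE\x00\x00"
    blob = base64.b64encode(xor_bytes(bytes(img), 0x5A))
    return b"<html><body><p>status: ok</p><!-- " + blob + b" --></body></html>"


SAMPLE_HTML = _build_sample()

if __name__ == "__main__":
    for offset, key, decoded in triage_html(SAMPLE_HTML):
        print(f"offset={offset} xor_key={key} size={len(decoded)} pe={looks_like_pe(decoded)}")
```

The PE check is deliberately structural (magic plus e_lfanew) rather than a string match, so a key guess that happens to produce "MZ" by chance is not reported unless the PE signature lines up too. For the direct-Base64 case the helper returns a `None` key so the caller can tell "encoded only" from "encoded and XORed".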

Associated objects

Groups, software, and campaigns

Group Enterprise

G0090: WIRTE

WIRTE is a cyberespionage actor, believed to be a subgroup of the Hamas-affiliated Gaza Cybergang, that has been active since at least August 2018. WIRTE has targeted diplomatic, financial, military, legal, and technology organizations across the Middle East, North Africa, and in Europe to gather intelligence. WIRTE has remained persistently active despite the ongoing Israel-Hamas conflict and has expanded their operations to include wiper malware attacks against Israeli targets.[1][2][3][4]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 1625cc9fcbc7055c...

Imported snapshots across ATT&CK releases (1)

Release: 19.1
Bundle imported:
Object version: 1.0
Modified:
Status: Current bundle
Raw hash: 1625cc9fcbc7…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Palo Alto Ashen Lepus DEC 2025: Unit 42. (2025, December 11). Hamas-Affiliated Ashen Lepus Targets Middle Eastern Diplomatic Entities With New AshTag Malware Suite. Retrieved April 20, 2026.
  2. [2] mitre-attack S9031.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.