S9031: AshTag
Analyst context for executives and security teams
AshTag matters because ATT&CK describes it as a Windows modular .NET backdoor built for persistence and remote command execution, with masquerading as a legitimate VisualServer utility. For leaders, the practical risk is not a single malware name; it is whether Windows endpoint, egress, scheduled task, WMI, and application-control coverage can expose a stealthy backdoor that blends into normal administration and web traffic.
Executive priority
Prioritize this as a validation case for Windows resilience against espionage-style backdoors: can the organization prove it would notice persistence, remote command execution, discovery, screen capture, tool transfer, and data movement over command-and-control channels? The relationship to WIRTE in ATT&CK adds threat-intelligence relevance for organizations tracking diplomatic, financial, military, legal, technology, Middle East, North Africa, or Europe exposure, but local prioritization should be based on actual business presence, telemetry, and risk appetite.
Technical view
SOC and IR teams should map AshTag coverage to the supplied Windows platform and related behaviors: masquerading or legitimate-name/location matching, encrypted or encoded files, deobfuscation, scheduled task persistence, WMI execution, JavaScript execution, process/system/file/local storage/location discovery, DLL abuse, delayed execution, web-protocol or web-service C2, ingress tool transfer, screen capture, and exfiltration over the C2 channel. Because ATT&CK provides no official detection text, validation should focus on whether existing endpoint, network, and identity/admin telemetry can correlate these behaviors rather than relying on a malware signature alone.
Likely telemetry
- Windows endpoint process creation and parent-child process relationships, especially .NET, script, WMI, and administrative utilities
- Scheduled task creation, modification, and execution events
- WMI activity and remote/local management execution evidence
- File creation, rename, path, hash, and metadata telemetry for masquerading, encoded files, DLLs, and VisualServer-like naming
- DLL load telemetry where available
Detection direction
- Validate correlation across persistence plus execution plus network egress; any single behavior may look administrative or benign.
- Tune for masquerading by comparing file names, paths, signatures, expected publishers, and known legitimate VisualServer deployments in the local environment.
- Review scheduled task and WMI detections for false positives from IT administration tools while preserving visibility into unusual users, hosts, timing, or command content.
- Look for encoded or encrypted payload artifacts followed by deobfuscation or execution, especially when paired with delayed execution or DLL abuse.
- Baseline web-service and web-protocol egress so unusual destinations, user agents, timing, volume, or host roles can be investigated without over-alerting on normal web traffic.
Mitigation priorities
- Confirm endpoint logging and retention are sufficient for Windows process, file, scheduled task, WMI, script, DLL, and network investigations.
- Apply least privilege and administrative access controls to reduce abuse of WMI, scheduled tasks, and remote command execution paths.
- Use application control, script control, and allowlisting where practical to limit untrusted .NET, JavaScript/JScript, DLL, and masqueraded utility execution.
- Harden egress controls and web-service governance so unmanaged systems cannot freely communicate with unapproved external services.
- Strengthen email/file handling controls and user resilience for malicious-file execution paths referenced by the related techniques.
Analyst notes and limits
ATT&CK identifies AshTag as a modular .NET backdoor used by WIRTE since at least 2025 and cites Unit 42 reporting. The most useful defensive interpretation is behavior-based: persistence, remote command execution, masquerading, discovery, collection, C2, tool transfer, and potential exfiltration behaviors should be tested against the organization’s actual Windows monitoring stack.
The supplied ATT&CK object has no official detection guidance, no malware tactics listed directly, and no aliases or labels. Relationship techniques provide behavioral context, but some related technique platform lists are broader than this malware object; this take therefore treats Windows as the supported platform for AshTag. Local software inventory, legitimate VisualServer use, network baselines, and log availability are required to assess real coverage.
AshTag
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1113 | Screen Capture | |
| Enterprise | T1083 | File and Directory Discovery | |
| Enterprise | T1047 | Windows Management Instrumentation | |
| Enterprise | T1204.002 | Malicious File Sub-technique | |
| Enterprise | T1082 | System Information Discovery | |
| Enterprise | T1102 | Web Service | |
| Enterprise | T1071.001 | Web Protocols Sub-technique | |
| Enterprise | T1041 | Exfiltration Over C2 Channel | |
| Enterprise | T1574.001 | DLL Sub-technique | |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | |
| Enterprise | T1059.007 | JavaScript Sub-technique | |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1614 | System Location Discovery | |
| Enterprise | T1057 | Process Discovery | |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | |
| Enterprise | T1680 | Local Storage Discovery | |
| Enterprise | T1678 | Delay Execution |
Groups, software, and campaigns
G0090: WIRTE
WIRTE is a cyberespionage actor, believed to be a subgroup of the Hamas-affiliated Gaza Cybergang, that has been active since at least August 2018. WIRTE has targeted diplomatic, financial, military, legal, and technology organizations across the Middle East, North Africa, and in Europe to gather intelligence. WIRTE has remained persistently active despite the ongoing Israel-Hamas conflict and has expanded their operations to include wiper malware attacks against Israeli targets.[1][2][3][4]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 1625cc9fcbc7… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
Palo Alto Ashen Lepus DEC 2025
Unit 42. (2025, December 11). Hamas-Affiliated Ashen Lepus Targets Middle Eastern Diplomatic Entities With New AshTag Malware Suite. Retrieved April 20, 2026.
Open source URL -
[2]
mitre-attack S9031Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.