Full Report
Ashen Lepus remained persistently active throughout the Israel-Hamas conflict, distinguishing it from other affiliated groups whose activities decreased over the same period. Ashen Lepus continued with its campaign even after the October 2025 Gaza ceasefire, deploying newly developed malware variants and engaging in hands-on activity within victim environments. This campaign highlights a tangible evolution in…
Analysis Summary
# Threat Actor: Ashen Lepus
## Attribution & Identity
Hamas-affiliated threat actor.
## Activity Summary
Ashen Lepus demonstrated persistent activity throughout the Israel-Hamas conflict, unlike other affiliated groups whose activity declined in the same period. The group maintained its campaign even after the October 2025 Gaza ceasefire. They were observed deploying newly developed malware variants and engaging in hands-on activity within victim environments, indicating an evolution in operational security and TTPs, with recent adoption of more advanced tactics compared to their historically moderate sophistication.
## Tactics, Techniques & Procedures
- Deploying newly developed malware variants.
- Engaging in hands-on activity within victim environments.
- Adoption of more advanced tactics (evolution in operational security and TTPs).
## Targeting
- Sectors: Diplomatic entities.
- Geography: Middle Eastern region (implied by targeting diplomatic entities).
- Victims: Middle Eastern diplomatic entities.
## Tools & Infrastructure
- Malware families used: AshTag malware suite (newly developed).
- Infrastructure (C2, domains, IPs): Not explicitly detailed in the provided context.
## Implications
Ashen Lepus represents a persistent and potentially evolving threat within the Hamas-affiliated ecosystem. Its continued operations and deployment of new malware post-ceasefire suggest high intent or dedicated resources, potentially moving beyond baseline affiliated group activity towards more sophisticated compromises.
## Mitigations
- Monitor for indicators related to the AshTag malware suite.
- Review environments for evidence of hands-on keyboard activity indicative of persistent adversary presence.
- Increase scrutiny of the operational security posture, assuming evolving adversary tactics.