WIRTE

WIRTE is a cyberespionage actor, believed to be a subgroup of the Hamas-affiliated Gaza Cybergang, that has been active since at least August 2018. WIRTE has targeted diplomatic, financial, military, legal, and technology organizations across the Middle East, North Africa, and Europe to gather intelligence. WIRTE has remained persistently active despite the ongoing Israel-Hamas conflict and has expanded its operations to include wiper malware attacks against Israeli targets.[1][2][3][4]

ID: G0090
Associated Groups: Ashen Lepus
Contributors: Lab52 by S2 Grupo
Version: 3.0
Created: 24 May 2019
Last Modified: 23 April 2026

Associated Group Descriptions

Name Description
Ashen Lepus [4]

Techniques Used

Domain ID Name Use
Enterprise T1583 .001 Acquire Infrastructure: Domains

WIRTE has registered domains designed to mimic legitimate sites for use in phishing campaigns.[3][4]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

WIRTE has used HTTP for network communication.[1]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

WIRTE has used PowerShell for script execution.[1]

.003 Command and Scripting Interpreter: Windows Command Shell

WIRTE has used the Windows command line as part of infection chains to open documents.[3]

.005 Command and Scripting Interpreter: Visual Basic

WIRTE has used VBScript in its operations.[1]

Enterprise T1586 .002 Compromise Accounts: Email Accounts

WIRTE has used compromised emails, including one belonging to an Israel-based technology reseller, to deliver targeted spearphishing messages.[3]

Enterprise T1074 .001 Data Staged: Local Data Staging

WIRTE has staged collected documents of interest in the C:\Users\Public folder.[4]

Enterprise T1140 Deobfuscate/Decode Files or Information

WIRTE has used Base64 to decode a malicious VBS script.[1]

Enterprise T1114 .001 Email Collection: Local Email Collection

WIRTE has collected documents from victims' email accounts.[4]

Enterprise T1041 Exfiltration Over C2 Channel

WIRTE has exfiltrated collected victim data to C2 infrastructure.[4]

Enterprise T1574 .001 Hijack Execution Flow: DLL

WIRTE has used RAR archives containing a legitimate executable and a lure document to execute malicious DLLs via sideloading.[3]

Enterprise T1105 Ingress Tool Transfer

WIRTE has downloaded PowerShell code from the C2 server to be executed.[1]

Enterprise T1036 .005 Masquerading: Match Legitimate Resource Name or Location

WIRTE has used security service provider naming conventions such as ESET and Kaspersky ("Kaspersky Update Agent") in order to appear legitimate.[2][3]

Enterprise T1106 Native API

WIRTE has used the RtlIpv4StringToAddressA API to convert an IP-formatted string to a byte array.[3]

Enterprise T1571 Non-Standard Port

WIRTE has used HTTPS over ports 2083 and 2087 for C2.[2]

Enterprise T1027 .010 Obfuscated Files or Information: Command Obfuscation

WIRTE has XOR encrypted command line strings to conceal malware execution chains.[3]

.015 Obfuscated Files or Information: Compression

WIRTE has compressed malicious files within RAR and ZIP archives for obfuscation.[3][4]

Enterprise T1588 .002 Obtain Capabilities: Tool

WIRTE has obtained and used Empire and Rclone for post-exploitation activities.[1][4]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

WIRTE has sent emails to intended victims with malicious MS Word and Excel attachments.[2]

.002 Phishing: Spearphishing Link

WIRTE has sent targeted spearphishing emails with malicious links directing victims to malware downloads.[3]

Enterprise T1684 .001 Social Engineering: Impersonation

WIRTE has used look-alike domains and graphics of trusted security solution providers to entice victims to click on phishing links.[3]

Enterprise T1608 .001 Stage Capabilities: Upload Malware

WIRTE has directed victims to malicious payloads staged on file sharing services.[4]

Enterprise T1218 .010 System Binary Proxy Execution: Regsvr32

WIRTE has used regsvr32.exe to trigger the execution of a malicious script.[1]

Enterprise T1204 .001 User Execution: Malicious Link

WIRTE has used links embedded in emails to lure users into downloading malicious files.[3]

.002 User Execution: Malicious File

WIRTE has attempted to lure users into opening malicious documents including MS Word and Excel files, at times using a decoy document to encourage execution of malicious payloads.[2][3][4]

Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

WIRTE has configured C2 servers to check the location and user-agent strings of victim endpoints to avoid sending a payload to sandboxed environments.[4]

Software

ID Name References Techniques
S9031 AshTag [4] Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: JavaScript, Delay Execution, Deobfuscate/Decode Files or Information, Exfiltration Over C2 Channel, File and Directory Discovery, Hijack Execution Flow: DLL, Ingress Tool Transfer, Local Storage Discovery, Masquerading: Match Legitimate Resource Name or Location, Obfuscated Files or Information: Encrypted/Encoded File, Process Discovery, Scheduled Task/Job: Scheduled Task, Screen Capture, System Information Discovery, System Location Discovery, User Execution: Malicious File, Web Service, Windows Management Instrumentation
S0363 Empire [1] Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: SID-History Injection, Access Token Manipulation, Access Token Manipulation: Create Process with Token, Account Discovery: Domain Account, Account Discovery: Local Account, Adversary-in-the-Middle: Name Resolution Poisoning and SMB Relay, Application Layer Protocol: Web Protocols, Archive Collected Data, Automated Collection, Automated Exfiltration, Boot or Logon Autostart Execution: Security Support Provider, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Shortcut Modification, Browser Information Discovery, Clipboard Data, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter, Create Account: Local Account, Create Account: Domain Account, Create or Modify System Process: Windows Service, Credentials from Password Stores: Keychain, Credentials from Password Stores: Credentials from Web Browsers, Domain or Tenant Policy Modification: Group Policy Modification, Domain Trust Discovery, Email Collection: Local Email Collection, Encrypted Channel: Asymmetric Cryptography, Event Triggered Execution: Accessibility Features, Exfiltration Over C2 Channel, Exfiltration Over Web Service: Exfiltration to Code Repository, Exfiltration Over Web Service: Exfiltration to Cloud Storage, Exploitation for Privilege Escalation, Exploitation of Remote Services, File and Directory Discovery, Group Policy Discovery, Hijack Execution Flow: Path Interception by Unquoted Path, Hijack Execution Flow: Path Interception by Search Order Hijacking, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Dylib Hijacking, Hijack Execution Flow: DLL, Indicator Removal: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Input Capture: Credential API Hooking, Native API, Network Service Discovery, Network Share Discovery, Network Sniffing, Obfuscated Files or Information: Command Obfuscation, OS Credential Dumping: LSASS Memory, Process Discovery, Process Injection, Remote Services: Distributed Component Object Model, Remote Services: SSH, Scheduled Task/Job: Scheduled Task, Screen Capture, Software Discovery: Security Software Discovery, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, System Services: Service Execution, Trusted Developer Utilities Proxy Execution: MSBuild, Unsecured Credentials: Credentials In Files, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Video Capture, Web Service: Bidirectional Communication, Windows Management Instrumentation
S0679 Ferocious [2] Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Event Triggered Execution: Component Object Model Hijacking, Indicator Removal: File Deletion, Modify Registry, Peripheral Device Discovery, Software Discovery: Security Software Discovery, System Information Discovery, Virtualization/Sandbox Evasion: System Checks
S1229 Havoc WIRTE has used Havoc to maintain access and to facilitate C2.[3] Access Token Manipulation: Token Impersonation/Theft, Account Discovery, Application Layer Protocol: Web Protocols, Application Layer Protocol: File Transfer Protocols, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Data from Local System, Encrypted Channel: Symmetric Cryptography, File and Directory Discovery, Hijack Execution Flow: DLL, Ingress Tool Transfer, Inter-Process Communication, Lateral Tool Transfer, Native API, Obfuscated Files or Information: Command Obfuscation, Phishing: Spearphishing Link, Process Discovery, Process Injection: Portable Executable Injection, Process Injection: Dynamic-link Library Injection, Proxy, Remote System Discovery, Screen Capture, System Information Discovery, System Network Configuration Discovery: Internet Connection Discovery, System Network Configuration Discovery, System Owner/User Discovery, User Execution: Malicious Copy and Paste, User Execution: Malicious File, Virtualization/Sandbox Evasion: Time Based Checks
S9029 IronWind [3] Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Windows Command Shell, Deobfuscate/Decode Files or Information, Hijack Execution Flow: DLL, Indicator Removal, Obfuscated Files or Information: Command Obfuscation, Software Discovery, System Information Discovery, System Owner/User Discovery
S0680 LitePower [2] Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: PowerShell, Exfiltration Over C2 Channel, Ingress Tool Transfer, Local Storage Discovery, Native API, Query Registry, Scheduled Task/Job: Scheduled Task, Screen Capture, Software Discovery: Security Software Discovery, System Information Discovery, System Owner/User Discovery
S1040 Rclone WIRTE has used Rclone for document exfiltration.[4] Archive Collected Data: Archive via Utility, Data Transfer Size Limits, Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Web Service: Exfiltration to Cloud Storage, File and Directory Discovery
S9030 SameCoin [3] Data Destruction, Defacement: Internal Defacement, File and Directory Discovery, Internal Spearphishing, Lateral Tool Transfer, Masquerading: Match Legitimate Resource Name or Location, Scheduled Task/Job: Scheduled Task, Selective Exclusion, System Location Discovery

References