AshTag

AshTag is a modular .NET backdoor with multiple features that has been used by WIRTE since at least 2025. AshTag is designed for persistence and remote command execution and can masquerade as a legitimate VisualServer utility.[1]

ID: S9031
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 20 April 2026
Last Modified: 20 April 2026

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

AshTag can use HTTP to send and receive data from C2.[1]

Enterprise T1059 .007 Command and Scripting Interpreter: JavaScript

AshTag can use JSON files to deliver payloads and configuration files.[1]

Enterprise T1678 Delay Execution

AshTag can use a set sleep time to delay C2 beaconing.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

The AshTag stager component can decode and decrypt Base64 and XOR-encrypted payloads.[1]

Enterprise T1041 Exfiltration Over C2 Channel

AshTag has exfiltrated reconnaissance data on targeted systems to C2 servers.[1]

Enterprise T1083 File and Directory Discovery

The AshTag AshenOrchestrator component can enumerate files on victim hosts.[1]

Enterprise T1574 .001 Hijack Execution Flow: DLL

AshTag has enabled execution via DLL sideloading using a legitimate executable paired with a malicious DLL named wtsapi32.[1]
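A hunt for the sideloading pattern described above, added here as an example and not taken from the ATT&CK page or from any vendor report. It flags copies of wtsapi32.dll that live outside the Windows system directories and lists any executable sitting beside them, which is where a sideloaded DLL's host binary would be. The directory list, the VisualServer-named sample paths and the WinSxS exclusion are assumptions; the page names only the DLL.

```python
"""Hunt for wtsapi32.dll copies that sit outside the Windows system directories.

Added example (not part of the ATT&CK page or any vendor tooling). AshTag is
reported to sideload a malicious DLL named wtsapi32 next to a legitimate
executable, so a copy of that DLL outside System32/SysWOW64 is worth a look.
The sample paths below are constructed; a live run walks a real file system.
"""
import os
import sys
from pathlib import PureWindowsPath

TARGET_DLL = "wtsapi32.dll"

# Directories where the genuine DLL is expected (lower-cased for comparison).
# WinSxS is an assumption: the servicing store keeps its own copies.
EXPECTED_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\winsxs",
}


def is_suspicious_wtsapi32(path: str) -> bool:
    """True if the path is a wtsapi32.dll outside every expected directory."""
    p = PureWindowsPath(path)
    if p.name.lower() != TARGET_DLL:
        return False
    parent = str(p.parent).lower()
    return not any(parent == d or parent.startswith(d + "\\") for d in EXPECTED_DIRS)


def sideload_candidates(paths):
    """Return (dll_path, [exe siblings]) for every suspicious copy of the DLL."""
    by_dir = {}
    for path in paths:
        p = PureWindowsPath(path)
        by_dir.setdefault(str(p.parent).lower(), []).append(p)
    hits = []
    for path in paths:
        if is_suspicious_wtsapi32(path):
            p = PureWindowsPath(path)
            siblings = by_dir[str(p.parent).lower()]
            exes = sorted(str(s) for s in siblings if s.suffix.lower() == ".exe")
            hits.append((str(p), exes))
    return hits


def walk_for_candidates(root: str):
    """Walk a directory tree on a live host and run the same check."""
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            found.append(os.path.join(dirpath, name))
    return sideload_candidates(found)


# Constructed sample: two legitimate copies plus one dropped beside an executable
# in a user-profile directory named after the VisualServer utility the page mentions.
SAMPLE_PATHS = [
    r"C:\Windows\System32\wtsapi32.dll",
    r"C:\Windows\SysWOW64\wtsapi32.dll",
    r"C:\Users\alice\AppData\Roaming\VisualServer\wtsapi32.dll",
    r"C:\Users\alice\AppData\Roaming\VisualServer\VisualServer.exe",
    r"C:\Users\alice\AppData\Roaming\VisualServer\config.json",
]

if __name__ == "__main__":
    results = walk_for_candidates(sys.argv[1]) if len(sys.argv) > 1 else sideload_candidates(SAMPLE_PATHS)
    for dll, exes in results:
        print(f"suspicious: {dll}")
        for exe in exes:
            print(f"  possible host executable: {exe}")
```

Run it with a root directory as the only argument to scan a host, or with no arguments to see the constructed sample produce a single hit.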

Enterprise T1105 Ingress Tool Transfer

The AshTag stager component can retrieve and execute the main payload.[1]

Enterprise T1680 Local Storage Discovery

AshTag can use volumeserialnumber to enumerate volumes.[1]

Enterprise T1036 .005 Masquerading: Match Legitimate Resource Name or Location

AshTag has masqueraded as a legitimate VisualServer utility.[1]

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

The AshTag AshenOrchestrator component payload has been Base64 encoded and embedded within HTML content from the C2 server.[1]
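An analyst-side recovery script covering both the stager's Base64/XOR decoding (T1140 above) and the Base64 payload embedded in C2 HTML (this entry). It is an added example, not code from the ATT&CK page or from any vendor report. The page does not say how the payload is delimited in the HTML or what XOR key is used, so the script assumes the payload is a long Base64 run in the document, assumes a repeating multi-byte key (ASSUMED_KEY is a placeholder), and keeps only candidates that decrypt to something starting with an MZ header. The sample HTML and payload are constructed.

```python
"""Recover an AshTag-style staged payload from a captured HTML response.

Added example, not from the ATT&CK page or any vendor report. Assumptions:
the payload is a long Base64 run somewhere in the HTML, it was XORed with a
repeating key (ASSUMED_KEY is a placeholder, the real key is not on the page),
and a successful decrypt starts with the 'MZ' signature of a PE/.NET image.
"""
import base64
import binascii
import re
import sys

ASSUMED_KEY = b"placeholder-xor-key"  # assumption: stand-in for the unknown key
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same operation encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def base64_runs(html: bytes):
    """Yield the decoded bytes of every long Base64 run in the document."""
    for m in B64_RUN.finditer(html):
        try:
            yield base64.b64decode(m.group(0), validate=True)
        except binascii.Error:
            continue


def looks_like_pe(blob: bytes) -> bool:
    return blob[:2] == b"MZ"


def recover_payloads(html: bytes, key: bytes):
    """Base64-decode and XOR every candidate; keep those that yield a PE image."""
    return [p for p in (xor_bytes(c, key) for c in base64_runs(html)) if looks_like_pe(p)]


def guess_single_byte_key(blob: bytes):
    """Analyst helper for the single-byte-key case: derive it from the MZ header."""
    for k in range(256):
        if looks_like_pe(xor_bytes(blob[:2], bytes([k]))):
            return k
    return None


# Constructed sample: a fake MZ-headed blob, XORed and Base64-encoded, dropped
# inside an HTML comment so it survives page rendering unnoticed.
SAMPLE_PAYLOAD = b"MZ\x90\x00" + b"constructed stand-in for a .NET module body " * 2
SAMPLE_HTML = (
    b"<html><body><h1>Welcome</h1><p>Nothing to see here.</p>\n<!-- "
    + base64.b64encode(xor_bytes(SAMPLE_PAYLOAD, ASSUMED_KEY))
    + b" --></body></html>"
)

if __name__ == "__main__":
    html = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_HTML
    for i, payload in enumerate(recover_payloads(html, ASSUMED_KEY)):
        print(f"payload {i}: {len(payload)} bytes, header {payload[:2]!r}")
```

Point it at a saved C2 response to try the assumed key; if nothing decrypts to an MZ header, `guess_single_byte_key` covers the simplest key shape, and a longer key has to come from the stager itself.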

Enterprise T1057 Process Discovery

The AshTag AshenOrchestrator component has process management functionality.[1]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

AshTag can set persistence using scheduled tasks.[1]

Enterprise T1113 Screen Capture

The AshTag AshenOrchestrator component has the ability to take screenshots.[1]

Enterprise T1082 System Information Discovery

The AshTag loader and AshenOrchestrator components can collect reconnaissance data from victim machines.[1]

Enterprise T1614 System Location Discovery

AshTag can check geolocation on targeted systems.[1]

Enterprise T1204 .002 User Execution: Malicious File

AshTag has been executed through victims downloading and opening malicious RAR archive files.[1]

Enterprise T1102 Web Service

AshTag can download malicious payloads from file sharing services.[1]

Enterprise T1047 Windows Management Instrumentation

AshTag can use a .NET program to execute WMI queries and send unique victim IDs to C2.[1]

Groups That Use This Software

ID Name References
G0090 WIRTE [1]

References