Researchers allege that a hacking group with ties to the Palestinian armed group Hamas used malware-laced documents to compromise government and diplomatic entities associated with Oman, Morocco, and the Palestinian Authority.

Palo Alto Networks’ Unit 42 published a report Thursday detailing a group identified as Ashen Lepus. According to a spokesperson speaking to Recorded Future News, the firm attributes the group to Hamas following years of monitoring the group’s activities, which the spokesperson said consistently align with Hamas’s strategic objectives.

According to Unit 42, the latest activity featured a new malware variant known as AshTag that was used to exfiltrate information from critical targets throughout the Middle East. The report noted that since 2020, Ashen Lepus has steadily increased its level of sophistication, adopting more advanced tactics such as infrastructure obfuscation along with other newly developed tools.

Typically, the malware is delivered through authentic documents referencing Turkey’s role in matters involving Palestinian entities. Even as other Hamas-linked threat operations have tapered off amid the Israel–Hamas conflict, Ashen Lepus has continued its activity without interruption, persisting beyond the October 2025 ceasefire.

AshTag is a long-running malware strain that remained active in attacks after the Gaza ceasefire was announced in October. According to Unit 42, investigators detected direct, hands-on activity in some victim environments after the ceasefire. The malware gives hackers the ability to steal files, download material to victim systems, and perform further malicious actions.

In the most recent campaign, attackers used documents highlighting Turkey’s ties to Palestinian political entities. Researchers noted that this shift suggests Turkish entities could now be a new focus of operational activity.

Attackers used lure documents titled around Morocco–Turkey partnerships, Turkish defense programs, Hamas operations in Syria, and Palestinian government initiatives. The campaign begins with an infected PDF decoy file that prompts victims to download a RAR archive housing the malicious payload.

To strengthen operational security, the group has made several adjustments, employing different tactics that allow its activity to more closely resemble normal, benign network behavior.

After gaining initial access through malware, the group performed hands-on-keyboard data theft in multiple cases. Unit 42 reported one instance in which the attackers downloaded documents straight from a victim’s email account, focusing on acquiring specific documents tied to diplomatic matters.

“Ashen Lepus remains a persistent espionage actor, demonstrating a clear intent to continue its operations throughout the recent regional conflict — unlike other affiliated threat groups, whose activity significantly decreased,” the researchers said.

“The threat actors’ activities throughout the last two years in particular highlight their commitment to constant intelligence collection.”