Introduction
WIRTE is a cyberespionage actor, believed to be a subgroup of the Hamas-affiliated Gaza Cybergang, that has been active since at least August 2018. WIRTE has targeted diplomatic, financial, military, legal, and technology organizations across the Middle East, North Africa, and Europe to gather intelligence. WIRTE has remained persistently active despite the ongoing Israel-Hamas conflict and has expanded its operations to include wiper malware attacks against Israeli targets. (Lab52 WIRTE Apr 2019; Kaspersky WIRTE November 2021; Check Point Wirte NOV 2024; Palo Alto Ashen Lepus DEC 2025)
Activities and Tactics
Information pending cataloguing.
Notable Campaigns
Information pending cataloguing.
Tactics, Techniques, and Procedures (TTPs)
- T1059.001 PowerShell
- T1571 Non-Standard Port
- T1059.005 Visual Basic
- T1114.001 Local Email Collection
- T1204.002 Malicious File
- T1608.001 Upload Malware
- T1140 Deobfuscate/Decode Files or Information
- T1566.001 Spearphishing Attachment
- T1059.003 Windows Command Shell
- T1204.001 Malicious Link
- T1036.005 Match Legitimate Resource Name or Location
- T1074.001 Local Data Staging
- T1588.002 Tool
- T1586.002 Email Accounts
- T1041 Exfiltration Over C2 Channel
- T1583.001 Domains
- T1071.001 Web Protocols
- T1574.001 DLL
- T1497.001 System Checks
- T1566.002 Spearphishing Link
- T1684.001 Impersonation
- T1106 Native API
- T1218.010 Regsvr32
- T1105 Ingress Tool Transfer
- T1027.015 Compression
- T1027.010 Command Obfuscation
Notable Indicators of Compromise (IOCs)
No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.
Malware and Tools
- CyberGate
- Arabian-Attacker RAT
- Cyber Eye RAT
MITRE ATT&CK Software
- LitePower (S0680) - malware
- SameCoin (S9030) - malware
- Ferocious (S0679) - malware
- Empire (S0363) - tool
- IronWind (S9029) - malware
- Rclone (S1040) - tool
- Havoc (S1229) - malware
- AshTag (S9031) - malware
Attribution and Evidence
Information pending cataloguing.
References
[1] mitre-attack
[4] Check Point Wirte NOV 2024: Check Point. (2024, November 12). Hamas-affiliated Threat Actor WIRTE Continues its Middle East Operations and Moves to Disruptive Activity. Retrieved April 20, 2026.
[5] Lab52 WIRTE Apr 2019: S2 Grupo. (2019, April 2). WIRTE Group attacking the Middle East. Retrieved May 24, 2019.
[6] Palo Alto Ashen Lepus DEC 2025: Unit 42. (2025, December 11). Hamas-Affiliated Ashen Lepus Targets Middle Eastern Diplomatic Entities With New AshTag Malware Suite. Retrieved April 20, 2026.
[7] Kaspersky WIRTE November 2021: Yamout, M. (2021, November 29). WIRTE's campaign in the Middle East "living off the land" since at least 2019. Retrieved February 1, 2022.