Overview
- Palo Alto Networks reports the actor remained unusually active through the Israel–Hamas war and continued operations after the October 2025 ceasefire.
- The infection flow uses a PDF decoy and RAR archive to trigger DLL sideloading that launches AshenLoader, fetches AshenStager, and runs the modular .NET backdoor AshTag entirely in memory.
- AshTag’s modules enable persistence, file management, system profiling, updates or removal, and screen capture while masquerading as a legitimate utility.
- Command-and-control has shifted to API and auth-themed subdomains on legitimate-looking hostnames with geofencing, User-Agent checks, and HTML-embedded payloads to thwart automated analysis.
- Targeting now includes Oman and Morocco with increased Turkey-themed lures, and investigators observed hands-on theft of diplomacy-related documents exfiltrated with Rclone from victim email accounts.