WIRTE

Repository Navigation

  • Actor workbench: WIRTE
  • TTP-to-detection matrix: all mapped techniques
  • Surface and capability routes: Endpoint RMM, Scripting, and User-Path Execution
  • Detection status: dashboard
  • Hunt workflow: hunt workflow
  • ATT&CK mappings: T1566 Phishing (M2); T1574.001 DLL Search Order Hijacking (M3); T1485 Data Destruction (M2); T1105 Ingress Tool Transfer (M3); T1567.002 Exfiltration to Cloud Storage (M3)
  • Mapped detections: DET-001 Intune Bulk Device Wipe Anomaly (Hunt, DRL-5); DET-004 Mail Click To Execution Correlation (Hunt, DRL-4)
  • Mapped hunts: HUNT-001 If identity-plane destructive tradecraft is attempted then privileged role activation or bulk device actions will appear in audit logs; HUNT-004 If VIP phishing is active then mail click events will correlate to risky sign-in or execution
  • IOC reference sources: SRC-CP-WIRTE-2024 (wiper references; trusted sender abuse; fake update artifacts); SRC-UNIT42-ASHTAG-2025 (malware hashes; domains; C2 paths; tool behavior)
  • Tool detail pages: SameCoin; AshTag
  • Tool matrix: all actor-linked tools (2 mapped tool rows)
  • Evidence records: EVD-010 / CLM-WIRTE-001
  • Imported research intakes: None currently mapped.
  • Intel update candidates: 1 current candidate
  • Source IDs in structured data: SRC-CP-WIRTE-2024, SRC-UNIT42-ASHTAG-2025

Aliases: Ashen Lepus; Gaza Cybergang-linked reporting.

Assessed sponsor: Hamas-affiliated in Check Point public reporting.

Relevance

WIRTE is high priority for Israeli public-sector defenders because Check Point reported expansion from espionage into disruptive activity against Israeli entities, including SameCoin-linked wiper activity.

Defensive Focus

  • Trusted sender abuse.
  • Fake security or vendor update lures.
  • Archive-to-execution chains.
  • DLL sideloading.
  • Wiper-preparation behavior.

Detection Ideas

  • Signed installer execution from archive-extraction or user download paths, followed by DLL loads from the same directory as the installer.
  • Inbound mail from trusted regional senders that suddenly includes archives, XLL/PPAM files, or update-themed links.
  • Filenames imitating ESET, Kaspersky, or reseller update packages.
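The first detection idea above, worked through as an added example (not code from this repository or any of its cited sources): it correlates constructed process-creation and image-load events, flagging a signed binary launched from a download or archive-extraction path that then loads a DLL from its own directory. The path markers, the five-minute window, and the `Event` shape are assumptions to adapt to your telemetry.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Assumed markers of download/archive-extraction locations and correlation window (tune per estate).
USER_PATH_MARKERS = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\desktop\\")
WINDOW = timedelta(minutes=5)

@dataclass
class Event:
    ts: datetime
    kind: str          # "process" (creation) or "imageload" (DLL load)
    pid: int
    image: str         # executable path of the process
    signed: bool = False
    loaded: str = ""   # DLL path, set only on "imageload" events

def is_user_path(path: str) -> bool:
    p = path.lower()
    return any(m in p for m in USER_PATH_MARKERS)

def find_sideload_candidates(events):
    """(launch, dll_load) pairs: signed image from a user path that loads a DLL from its own
    directory within WINDOW; DLLs from other directories (e.g. System32) are ignored."""
    launches, hits = {}, []   # pid -> qualifying launch event
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "process":
            if ev.signed and is_user_path(ev.image):
                launches[ev.pid] = ev
            else:
                launches.pop(ev.pid, None)   # pid reused by a non-qualifying process
        elif ev.kind == "imageload" and ev.pid in launches:
            proc = launches[ev.pid]
            same_dir = PureWindowsPath(ev.loaded).parent == PureWindowsPath(proc.image).parent
            if same_dir and ev.ts - proc.ts <= WINDOW:
                hits.append((proc, ev))
    return hits

# Constructed sample telemetry: one sideload-shaped chain, one benign vendor application.
T0 = datetime(2025, 1, 1, 9, 0)
EXE = r"C:\Users\alice\Downloads\av_update\update_installer.exe"
APP = r"C:\Program Files\Vendor\app.exe"
SAMPLE_EVENTS = [
    Event(T0, "process", 4321, EXE, signed=True),
    Event(T0 + timedelta(seconds=1), "imageload", 4321, EXE, loaded=r"C:\Windows\System32\kernel32.dll"),
    Event(T0 + timedelta(seconds=2), "imageload", 4321, EXE, loaded=r"C:\Users\alice\Downloads\av_update\support.dll"),
    Event(T0 + timedelta(minutes=1), "process", 5555, APP, signed=True),
    Event(T0 + timedelta(minutes=1, seconds=1), "imageload", 5555, APP, loaded=r"C:\Program Files\Vendor\plugin.dll"),
]
```

Against the sample, only the Downloads-launched installer loading `support.dll` beside itself is returned; the vendor application loading its own plugin from Program Files is not, because its launch path never qualifies.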

Sources: SRC-CP-WIRTE-2024, SRC-PROOFPOINT-TA402-IRONWIND, SRC-UNIT42-ASHTAG-2025, SRC-S1-ISRAEL-HAMAS-CYBER-2023.