Moses Staff

Threat Actor Profile (updated 18 days ago)
Moses Staff is an Iranian Advanced Persistent Threat (APT) group that has emerged as a significant cybersecurity threat. The Cybereason Nocturnus Team has been monitoring the group's activities since 2021 and has linked it to several major ransomware-style attacks. Initially categorized as hacktivists, Moses Staff was found on closer analysis to run operations more sophisticated than typical hacktivist activity, making it a greater threat. Notably, the group has deployed a previously undocumented Remote Access Trojan (RAT) named StrifeWater in the initial stages of its attacks, demonstrating a high level of technical expertise.

The StrifeWater RAT was discovered through analysis of a new variant of the PyDCrypt malware used by Moses Staff. The RAT is used in targeted ransomware attacks, and its deployment indicates a shift towards more advanced and persistent intrusions. The group's tactics include phishing and remote exploitation, which map to the MITRE ATT&CK framework, a globally accessible knowledge base of adversary tactics and techniques. Moses Staff's activities also overlap with those of other known Iranian hacktivist groups, further complicating attribution.

Moses Staff has been implicated in several high-profile cyberattacks, including a claim to have hacked the Israeli Dorad power facility; these claims were found to be recycled from a previous breach announced in June 2022. The group has also been associated with other pro-Iranian government fronts such as N3tW0rm and Agrius, indicating a coordinated effort among these entities, and has been connected to the Karma operation, a pro-Hamas hacktivist campaign deploying the BiBi-Linux Wiper malware against Israeli targets. Overall, the group's sophisticated tactics and persistence have led to its elevation from hacktivist group to APT status.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you may also want to look at.
Cobalt Sapling (1 vote): Cobalt Sapling, an Iranian threat actor, has recently been identified as a significant cybersecurity risk. This entity was spotted targeting Saudi Arabia with a new persona called "Abraham's Ax," according to recent news reports. The threat actor is known for its malicious activities, which can rang
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Apt
Ransom
Malware
Encryption
Ransomware P...
Espionage
Encrypt
Source
State Sponso...
Wiper
Linux
Payload
Government
Phishing
Exploit
Trojan
Rat
Cybereason
Cybercrime
Windows
Reconnaissance
Associated Malware
StrifeWater (type unspecified, 2 votes): StrifeWater is a stealthy Remote Access Trojan (RAT) used in targeted ransomware attacks, primarily deployed by the Iranian APT group Moses Staff. This malware has been identified as a key tool for initial infiltration and reconnaissance on compromised targets, with various capabilities including l
PyDCrypt (type unspecified, 2 votes): PyDCrypt is a malicious software (malware) variant deployed by the Moses Staff group, primarily targeting Israeli companies. The malware is written in Python and built with PyInstaller, designed to infect other computers on a network and execute the main payload, DCSrv. It is typically used in the l
DCSrv (type unspecified, 2 votes): DCSrv is a variant of ransomware developed by the threat group known as Moses Staff. According to research conducted by the Cybereason Nocturnus team, DCSrv was discovered as part of the Moses Staff arsenal, alongside other tools such as PyDCrypt and StrifeWater. The malware disguises itself as the
BiBi (type unspecified, 1 vote): BiBi is a potent malware that has been deployed by a pro-Hamas hacktivist group against Israeli targets. It is particularly destructive as it is designed to wipe data from the systems it infiltrates, causing direct damage and disruption. The use of this custom BiBi wiper in their operations underscore
Associated Threat Actors
Molerats (type unspecified, 1 vote): Molerats, also known as Gaza Cybergang Group1, is a threat actor linked to Hamas that has been active for over a decade. This low-budget group has been tracked by researchers under various names including Molerats, Gaza Cybergang, Frankenstein, WIRTE, and Proofpoint's TA402 designation. Among 16 Adv
Associated Vulnerabilities
Abraham's Ax (type unspecified, 1 vote): no profile description available.
Source Document References
Information about the Moses Staff threat actor was read from the document corpus below. This display is limited to 20 results.
Source (created at): Title
Recorded Future (18 days ago): Leaks and Revelations: A Web of IRGC Networks and Cyber Companies
DARKReading (4 months ago): Saudi Arabia, UAE Top List of APT-Targeted Nations in the Middle East
InfoSecurity-magazine (6 months ago): New Leaks Expose Web of Iranian Intelligence and Cyber Companies
Recorded Future (6 months ago): Leaks and Revelations: A Web of IRGC Networks and Cyber Companies
CERT-EU (8 months ago): Pennsylvania water facility hit by Iran-linked hackers
CERT-EU (8 months ago): Windows systems targeted by new BiBi wiper malware version
CERT-EU (8 months ago): Israel warns of BiBi wiper attacks targeting Linux and Windows
CERT-EU (8 months ago): New BiBi-Windows Wiper Targets Windows Systems in Pro-Hamas Attacks
Flashpoint (9 months ago): Cyber Escalation in Modern Conflict: Exploring Four Possible Phases of the Digital Battlefield
Securelist (9 months ago): A hack in hand is worth two in the bush
CERT-EU (9 months ago): A hack in hand is worth two in the bush
BankInfoSecurity (10 months ago): Israel-Hamas War: Publicity-Seeking Hacktivists Take Sides
MITRE (a year ago): StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to Ransomware Operations
MITRE (a year ago): PowerLess Trojan: Iranian APT Phosphorus Adds New PowerShell Backdoor for Espionage
CERT-EU (a year ago): Israel Faces Fresh Wave of Cyberattacks Targeting Critical Infrastructure