Moses Staff

Threat Actor Profile (updated 13 days ago)
Moses Staff, an Iranian Advanced Persistent Threat (APT) group, has emerged as a significant cybersecurity concern. The group, initially categorized as hacktivists, has been elevated to APT status due to its sophisticated and persistent cyberattacks. The Cybereason Nocturnus Team has tracked Moses Staff since 2021, noting that its operations are more advanced than typical hacktivist activity. The threat actor primarily uses phishing and remote exploitation as initial access vectors, in line with the tactics the MITRE ATT&CK Framework records as common among APT groups in the Middle East. The group's use of the StrifeWater Remote Access Trojan (RAT) and the PyDCrypt malware has drawn particular attention. The StrifeWater RAT, discovered by Cybereason researchers while monitoring Moses Staff, is used in the initial stages of the group's targeted ransomware attacks. Further analysis also identified a new variant of the PyDCrypt malware linked to Moses Staff, providing key insight into the group's evolving tactics and tooling. Moses Staff has been associated with major ransomware-style attacks, often conducted through pro-Iranian government fronts such as N3tW0rm and Agrius. Notably, the group claimed responsibility for a breach at the Israeli Dorad power facility, which was later found to be a reiteration of a previous attack from June 2022. Overlaps have also been observed between Moses Staff and other hacktivist groups such as Karma, suggesting a broader network of malicious actors operating in concert. These findings underscore the escalating threat posed by Moses Staff and the need for robust defenses against its increasingly complex cyberattacks.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Apt
Ransom
Malware
Associated Malware
ID | Type | Votes | Profile Description
DCSrv | Unspecified | 2 | DCSrv is a variant of ransomware developed by the threat group known as Moses Staff. According to research conducted by the Cybereason Nocturnus team, DCSrv was discovered as part of the Moses Staff arsenal, alongside other tools such as PyDCrypt and StrifeWater. The malware disguises itself as the
PyDCrypt | Unspecified | 2 | PyDCrypt is a malicious software (malware) variant deployed by the Moses Staff group, primarily targeting Israeli companies. The malware is written in Python and built with PyInstaller, designed to infect other computers on a network and execute the main payload, DCSrv. It is typically used in the l
StrifeWater | Unspecified | 2 | StrifeWater is a stealthy Remote Access Trojan (RAT) used in targeted ransomware attacks, primarily deployed by the Iranian APT group, Moses Staff. This malware has been identified as a key tool for initial infiltration and reconnaissance on compromised targets, with various capabilities including l
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Moses Staff Threat Actor was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
Flashpoint | 6 months ago | Cyber Escalation in Modern Conflict: Exploring Four Possible Phases of the Digital Battlefield
BankInfoSecurity | 7 months ago | Israel-Hamas War: Publicity-Seeking Hacktivists Take Sides
Securelist | 7 months ago | A hack in hand is worth two in the bush
CERT-EU | 6 months ago | New BiBi-Windows Wiper Targets Windows Systems in Pro-Hamas Attacks
InfoSecurity-magazine | 4 months ago | New Leaks Expose Web of Iranian Intelligence and Cyber Companies
CERT-EU | a year ago | Israel Faces Fresh Wave of Cyberattacks Targeting Critical Infrastructure
CERT-EU | 6 months ago | Windows systems targeted by new BiBi wiper malware version
Recorded Future | 4 months ago | Leaks and Revelations: A Web of IRGC Networks and Cyber Companies
CERT-EU | 6 months ago | Israel warns of BiBi wiper attacks targeting Linux and Windows
CERT-EU | 6 months ago | Pennsylvania water facility hit by Iran-linked hackers
CERT-EU | 7 months ago | A hack in hand is worth two in the bush
MITRE | a year ago | PowerLess Trojan: Iranian APT Phosphorus Adds New PowerShell Backdoor for Espionage
MITRE | a year ago | StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to Ransomware Operations
DARKReading | 2 months ago | Saudi Arabia, UAE Top List of APT-Targeted Nations in the Middle East