threat profile: active
type: Nation-State
threat level: High
status: Active
origin: Iran — IRGC-linked
mitre: G1009
last updated: 2026-03-27

Moses Staff

also tracked as: Cobalt Sapling, Marigold Sandstorm, DEV-0500. Linked persona: Abraham's Ax. MITRE: G1009.

An Iranian state-linked group operating under a pro-Palestinian hacktivist persona — but assessed by SecureWorks and others as an inauthentic front for IRGC cyber operations. Moses Staff conducts multi-stage attacks: espionage with the StrifeWater RAT (which removes itself before the final stage), followed by data exfiltration, then deployment of the DCSrv cryptographic wiper disguised as ransomware — but with no ransom demand and no decryption key offered. The encryption is sabotage, not extortion. Damage is the objective. First observed targeting Israeli organizations in September 2021, the group has since expanded targeting to Italy, India, Germany, Chile, Turkey, the UAE, and the United States, consistent with IRGC intelligence and disruption priorities.

attributed origin: Iran — IRGC (assessed, SecureWorks/Mandiant)
mitre group id: G1009 (Moses Staff)
first observed: September 2021 (public October 2021)
primary motivation: Political sabotage + espionage — no financial motive
defining characteristic: No ransom demand — DCSrv wiper deployed to destroy, not extort
attack chain: StrifeWater RAT → exfil → DCSrv wiper
primary targets: Israel — government, finance, energy, manufacturing, travel
initial access: ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207)
current status: ACTIVE — continued operations post-October 2023

Overview

Moses Staff emerged publicly in October 2021 when Check Point Research published the first detailed technical analysis of the group's operations against Israeli organizations. The group had been active since at least September 2021 and had already compromised a number of Israeli targets before the public disclosure. Its stated mission — published on its own website and Telegram channels — was to damage Israeli companies, expose sensitive data, and advance pro-Palestinian political goals. The framing as a hacktivist collective is deliberate and serves the Iranian state's consistent pattern of using front groups and manufactured personas to conduct offensive cyber operations while maintaining plausible deniability.

SecureWorks, which tracks Moses Staff as Cobalt Sapling, assessed the group as an inauthentic IRGC front — a conclusion supported by the technical sophistication of its tooling (which exceeds what independent hacktivist collectives typically develop), the strategic alignment of its targeting with Iranian geopolitical interests, and Iran's well-documented history of using proxy and front-group personas for offensive cyber operations. Microsoft tracks the group as DEV-0500 and later Marigold Sandstorm.

The group's attack model is its most analytically significant feature. Moses Staff conducts genuine multi-stage intrusions with a clear separation between phases: initial access and reconnaissance, intelligence collection, and then a destructive final stage that is designed to look like ransomware but functions as a wiper. The StrifeWater RAT handles the espionage phase — collecting files, executing commands, taking screenshots, and mapping the victim environment. Critically, StrifeWater removes itself from the compromised system before the final destructive phase begins, eliminating forensic evidence of the reconnaissance period and making it appear as if the attack was purely destructive rather than a combined espionage-sabotage operation.

The final stage deploys DCSrv — a weaponized version of the open-source DiskCryptor tool — to encrypt the victim's disk at the sector level. Unlike ransomware, no ransom demand accompanies the encryption, no decryption key is provided or offered, and no payment channel is established. The encryption is the endpoint. Recovery requires restoring from backup. The data exfiltrated during the espionage phase is then published publicly via the group's Telegram channels and leak site, adding reputational damage to operational disruption.

In November 2022, SecureWorks linked Moses Staff to a then-new persona called Abraham's Ax, which had appeared claiming to have hacked Saudi Arabia's Ministry of Interior. The linkage was based on strong similarities in iconography, videography, and leak site design between the two personas. This connection extended Moses Staff's operational reach to Saudi targets while the original persona continued operating — a model consistent with Iran's documented use of multiple simultaneous front groups against different adversaries.

Target Profile

Israel is the primary and explicit target of Moses Staff's stated mission. The group's expansion to other countries reflects broader IRGC intelligence requirements and geopolitical relationships.

  • Israel — All Sectors (primary): Government agencies, finance organizations, travel companies, energy sector, manufacturing firms, and utilities infrastructure have all been targeted in documented Moses Staff campaigns. The group's stated goal — to harm Israeli companies and expose sensitive data — drives indiscriminate sector coverage within Israel. Documented Israeli victims include organizations in defense-adjacent sectors, with reports of claimed access to Rafael defense firm data (though the sensitivity of what was actually accessed remains disputed).
  • Regional and Global Secondary Targets: MITRE ATT&CK documents confirmed Moses Staff victims in Italy, India, Germany, Chile, Turkey, the UAE, and the United States — countries with connections to Israeli interests or positioned as secondary IRGC intelligence collection targets. The UAE appears to reflect post-Abraham Accords normalization interest. The US targeting aligns with IRGC's standing intelligence requirements against American organizations.
  • Saudi Arabia (via Abraham's Ax persona): The November 2022 Abraham's Ax claims against Saudi Arabia's Ministry of Interior — linked by SecureWorks to Moses Staff — reflected Iranian intelligence interest in the Saudi government and security apparatus. The use of a separate persona for Saudi targeting while the Moses Staff persona focused on Israel illustrates the deliberate geographic persona management practiced by IRGC front operations.
  • CCTV and Physical Surveillance Infrastructure: In late November 2022, Moses Staff claimed compromise of a CCTV system monitoring the site of a terrorist attack in Israel — a targeting category that reflects information collection about specific physical security infrastructure rather than conventional IT targets, consistent with intelligence service priorities.

Tactics, Techniques & Procedures

Moses Staff's attack chain is methodically structured into distinct phases that serve different operational objectives. The phases are deliberately separated to protect the espionage phase from forensic discovery when the destructive phase is executed.

  • T1190 — Exploit Public-Facing Application (ProxyShell): The documented initial access vector for Moses Staff campaigns is the ProxyShell vulnerability chain in on-premises Microsoft Exchange Server — specifically CVE-2021-34473 (pre-auth path confusion leading to ACL bypass), CVE-2021-34523 (elevation of privileges on the Exchange PowerShell backend), and CVE-2021-31207 (post-auth arbitrary file write leading to RCE). This three-CVE chain allows unauthenticated remote code execution against unpatched Exchange installations. The group also uses Vatet Loader, Metasploit, and Cobalt Strike for post-exploitation access and lateral movement.
  • T1505.003 — Web Shell Deployment: After ProxyShell exploitation, Moses Staff deploys two web shells on the compromised Exchange server, providing persistent command execution capability. Web shells are placed in accessible Exchange web directories for ongoing access. The initial attack path documented by The Hacker News showed web shell deployment immediately following ProxyShell exploitation, followed by exfiltration of Outlook Data Files (.PST) from the Exchange server.
  • T1003.001 — OS Credential Dumping (LSASS Memory): Following initial access and web shell deployment, Moses Staff dumps the memory contents of LSASS (Local Security Authority Subsystem Service) to harvest credentials. The dumped credentials enable lateral movement using valid accounts across the target environment without triggering pass-the-hash detection. This credential collection is the prerequisite for the PyDCrypt payload, which requires hardcoded admin credentials and a machine list — information gathered during this credential and network reconnaissance phase.
  • T1105 / T1059 — StrifeWater RAT (Covert Reconnaissance Phase): StrifeWater is deployed as the first-stage implant under the filename calc.exe — masquerading as the Windows Calculator executable. Capabilities include listing system files and directories, executing system commands, taking screen captures, creating persistence, and downloading additional modules. The original Windows Calculator binary is copied to the deployment folder, and StrifeWater is installed in its place. When StrifeWater is no longer needed, it deletes itself and restores the original calc.exe — covering evidence of the reconnaissance phase before the destructive stage begins. The StrifeWater implant is installed via a loader called DriveGuard (drvguard.exe), which masquerades as a "Hard Disk Drives Fast Stop Service." A watchdog component (lic.dll) ensures DriveGuard's service is never interrupted, restarting it if terminated.
  • T1567 — Exfiltration (Public Data Leak): Sensitive data collected during the reconnaissance and espionage phase is exfiltrated to attacker-controlled infrastructure and subsequently published on Moses Staff's Telegram channel and dedicated leak website. Exfiltrated data includes internal documents, employee information, and material presented as evidence of organizational hypocrisy or security negligence. The public data leak serves as the second pressure mechanism alongside the disk encryption — organizations face both operational disruption and reputational exposure simultaneously.
  • T1485 — Data Destruction (DCSrv Disk Wiper): DCSrv is a weaponized version of DiskCryptor — a legitimate, open-source full-disk encryption tool. Moses Staff adapted DiskCryptor to encrypt victim systems at the sector level without providing decryption capability to victims. Full disk encryption via DCSrv makes even system recovery complicated — rebooting an encrypted machine results in an unresponsive system that cannot boot the operating system. No ransom demand, no payment channel, and no decryption key are provided. This definitively distinguishes DCSrv from financially motivated ransomware and confirms its function as a destructive wiper with encryption as its mechanism rather than its leverage.
  • T1486 — PyDCrypt (Custom Lateral Spread Payload): PyDCrypt is a Python-based malware loader that spreads the DCSrv payload to other machines on the target network. Critically, each victim receives a custom-built PyDCrypt sample with hardcoded parameters: admin username and password, a domain name, and a machine list. These hardcoded parameters can only be known after sufficient network reconnaissance has been completed — meaning PyDCrypt is only ever deployed as a late-stage payload after the environment has been thoroughly mapped. The presence of PyDCrypt on a system is therefore an indicator that significant prior access and reconnaissance has already occurred.

no ransom — ransomware playbooks do not apply

Moses Staff's use of DCSrv looks like ransomware in every technical respect — disk encryption, encrypted system, inaccessible data. But there is no ransom demand, no payment channel, and no decryption key. This means standard ransomware incident response playbooks — negotiate, assess payment, acquire decryptor — are entirely inapplicable. The only path to recovery is restoration from clean, offline backup. Organizations in Moses Staff's target geography that apply ransomware response procedures when they encounter DCSrv will waste critical recovery time that does not exist. The encryption is the damage. Planning must account for wiper scenarios as distinct from extortion scenarios.

Known Campaigns

Moses Staff's documented public campaign history spans from September 2021 through at least late 2022, with confirmed continued activity following the October 2023 Israel-Hamas conflict escalation.

Initial Israeli Targeting — Public Launch (September–October 2021)

Moses Staff first compromised Israeli organizations in September 2021 and went public in October 2021 when Check Point Research published the first detailed analysis of its TTPs. The initial disclosure covered the group's use of ProxyShell for initial access, web shell deployment, DCSrv disk encryption, and PyDCrypt lateral spread payload — but did not yet identify StrifeWater as the reconnaissance stage RAT. The group actively claimed attacks on its website and Telegram channel, framing the operations as pro-Palestinian resistance and publishing stolen data alongside encrypted victim notifications.

StrifeWater RAT Discovery — Missing Espionage Link Identified (February 2022)

Cybereason published research identifying StrifeWater — a previously unknown RAT that had been present in Moses Staff attacks for months without detection. The discovery explained the "missing link" between initial access and PyDCrypt deployment: StrifeWater was conducting the reconnaissance phase, mapping the network, harvesting credentials, and collecting sensitive files, then removing itself before the destructive stage. This self-removal behavior was identified as deliberate anti-forensics — by the time incident responders began examining a DCSrv-encrypted system, StrifeWater was gone, making the attack appear to have begun directly with destructive encryption rather than a prior espionage phase. Cybereason's analysis also documented StrifeWater's deployment as calc.exe, the DriveGuard loader, and the lic.dll watchdog component.

Rafael Defense Firm — Claimed Access (Early 2022)

Moses Staff claimed to have accessed data from Rafael Advanced Defense Systems — an Israeli defense firm involved in the production of the Iron Dome missile defense system among other weapons systems. Israeli media reported the claim, with analysis suggesting the accessed material may have been non-classified administrative data that the group attempted to present as more sensitive than it actually was. Whether genuinely sensitive defense materials were accessed was disputed, but the claim was consistent with Moses Staff's strategy of maximizing psychological impact through public claims of high-profile access regardless of the actual sensitivity of exfiltrated data.

Abraham's Ax — Saudi Ministry of Interior Claim (November 2022)

A new persona called Abraham's Ax appeared in November 2022, claiming to have hacked Saudi Arabia's Ministry of Interior and publishing sample files. SecureWorks' Counter Threat Unit published research identifying several commonalities across the iconography, videography, and leak site design between Moses Staff and Abraham's Ax, assessing that the two personas were likely operated by the same entity — consistent with Iran's documented practice of using multiple simultaneously operating front groups against different adversaries. Moses Staff continued its own operations in parallel, claiming CCTV compromise at an Israeli attack site in the same period.

Post-October 2023 Escalation (October 2023 onward)

Following the Hamas attack on Israel on October 7, 2023, and the subsequent Israeli military response in Gaza, Iranian-linked threat actors — including Moses Staff — significantly increased their operational tempo against Israeli and US targets. Trellix documented notable surges in Iranian APT activity against Israeli entities beginning October 2023, with a temporary reduction during ceasefire discussions in late November and December 2023 and a resurgence in January 2024. Moses Staff's continued active status within the broader IRGC cyber operational ecosystem through this period is consistent with its role as a persistent disruption capability against Israeli organizations.

Tools & Malware

Moses Staff's toolchain is structured to serve the two distinct objectives of its attack model: covert intelligence collection and overt destructive disruption.

  • StrifeWater RAT (broker.exe / calc.exe): The covert reconnaissance and foothold tool. Deployed as calc.exe — masquerading as the Windows Calculator executable — to avoid casual detection. Installed via the DriveGuard loader (drvguard.exe), which presents itself as a "Hard Disk Drives Fast Stop Service." A watchdog component (lic.dll) monitors DriveGuard's service and restarts it if terminated, ensuring persistence even if an administrator notices and stops the process. Capabilities include file listing, command execution, screen capture, persistence management, and module downloading. Designed to self-delete before the destructive phase begins, eliminating forensic evidence of the reconnaissance period and covering the group's tracks.
  • PyDCrypt: A Python-based malware loader compiled with PyInstaller. Its sole function is to propagate the DCSrv wiper payload to additional machines on the target network using hardcoded administrative credentials, a hardcoded domain name, and a hardcoded machine list — parameters that can only be known after thorough network reconnaissance has already occurred. A new PyDCrypt binary is custom-built for each targeted organization, incorporating that organization's specific credentials and network topology. The presence of PyDCrypt indicates a late-stage, post-reconnaissance attack — the compromise has been established for some time before PyDCrypt is deployed.
  • DCSrv — Cryptographic Disk Wiper: A weaponized version of DiskCryptor, the open-source full-disk encryption tool. DCSrv encrypts the victim's disk at the sector level — below the operating system, rendering the entire disk unreadable. Rebooting a DCSrv-encrypted machine produces an unresponsive system that cannot load the operating system. No ransom demand, decryption key, or payment channel is associated with DCSrv deployment. It is a pure wiper — recovery requires restoring from clean offline backup.
  • Vatet Loader / Metasploit / Cobalt Strike: Third-party offensive frameworks used by Moses Staff for post-exploitation access and lateral movement following initial ProxyShell exploitation. Their use alongside Moses Staff's custom tooling reflects a pragmatic combination of available commodity offensive tooling with purpose-built destructive capability.
  • Custom Backdoors and Web Shells: Following ProxyShell initial access, Moses Staff deploys web shells and custom backdoor tools that provide RAT-like functionality for lateral discovery, payload delivery, and subsequent execution within the target environment. These web shells provide redundant access channels that survive even if the StrifeWater RAT is detected and removed.

Indicators of Compromise

Moses Staff's IOCs are most useful for identifying the reconnaissance and delivery phases before the destructive DCSrv stage begins — once DCSrv has encrypted a system, detection serves forensic rather than preventive purposes.

strifewater rat — process and file indicators

  • filename: calc.exe running from a non-System32 path (e.g., C:\Users\Public\) — StrifeWater masquerade
  • loader: drvguard.exe — DriveGuard loader presenting as "Hard Disk Drives Fast Stop Service"
  • watchdog: lic.dll — service watchdog that restarts drvguard.exe if terminated
  • deploy path: C:\Users\Public — the group's preferred directory for tool deployment
  • behavior: calc.exe missing from C:\Windows\System32 — original overwritten or removed during cleanup

pydcrypt and dcsrv indicators

  • behavior: PyInstaller-compiled Python executable with hardcoded admin credentials, domain, and machine list
  • behavior: DiskCryptor driver installation preceding sector-level disk encryption
  • behavior: System reboots to an unresponsive/locked state — no OS loaded post-encryption
  • indicator: No ransom note, no payment address, no decryption offer — wiper, not ransomware
  • exploit: CVE-2021-34473, CVE-2021-34523, CVE-2021-31207 — ProxyShell Exchange RCE chain (initial access)
  • pst theft: Outlook Data Files (.PST) exfiltrated from the Exchange server immediately following web shell deployment

Mitigation & Defense

Moses Staff's entry point is documented and patchable. Its destructive phase is survivable only with appropriate backup architecture. The gap between the two — the StrifeWater reconnaissance period — is where detection is possible but challenging given StrifeWater's self-removal behavior.

  • Patch ProxyShell immediately on all on-premises Exchange servers: The ProxyShell CVE chain (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) has been patched since 2021, yet Moses Staff was using it as its primary initial access vector through at least the 2022 campaigns. Any on-premises Exchange 2013, 2016, or 2019 server without these patches applied is directly exposed. Microsoft also offers migration to Exchange Online — organizations that cannot maintain an aggressive patching cadence for on-premises Exchange should consider this migration as a risk-reduction measure.
  • Maintain offline, immutable backups tested for full system recovery: DCSrv provides no recovery path except backup restoration. Backups must be: offline (not reachable from the compromised network at time of attack), immutable (cannot be modified or deleted by the compromised environment), tested regularly for successful full system restoration, and retained for a period long enough that the backup predates the initial StrifeWater compromise — which may have occurred weeks or months before DCSrv deployment.
  • Alert on calc.exe executing from non-system directories: StrifeWater is deployed as calc.exe in C:\Users\Public and other non-system directories. EDR rules alerting on calc.exe execution from any path other than C:\Windows\System32 provide early detection of StrifeWater before it completes its reconnaissance and self-removes. This is a high-fidelity indicator — legitimate use of Windows Calculator always runs from System32.
  • Monitor for drvguard.exe and lic.dll creation: The DriveGuard loader and watchdog are characteristic Moses Staff artifacts. File integrity monitoring and EDR solutions should alert on creation of drvguard.exe and lic.dll, particularly in public user directories.
  • Monitor Exchange IIS logs for ProxyShell exploitation patterns: ProxyShell exploitation produces characteristic IIS log entries. SIEM detection rules for the specific URL patterns and user-agent strings associated with ProxyShell exploitation — available from multiple vendors — provide detection of the initial access event before any post-exploitation tooling is deployed.
  • Treat disk encryption without ransom note as a wiper incident from the outset: Incident response teams encountering disk encryption with no accompanying ransom demand, no payment channel, and no decryption offer should immediately classify the incident as a wiper attack and activate full system recovery procedures rather than initiating ransomware negotiation playbooks. Time spent pursuing non-existent negotiation channels delays backup restoration and extends the outage.
  • Monitor for PST file access and exfiltration from Exchange servers: The documented Moses Staff attack chain includes immediate exfiltration of Outlook Data Files (.PST) following web shell deployment on Exchange. DLP and network monitoring rules alerting on large PST file transfers — particularly from Exchange servers — provide detection of the data exfiltration phase before the destructive wiper stage begins.
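
The host-level indicators and detection guidance above (calc.exe outside System32, drvguard.exe and lic.dll creation, the DriveGuard cover service name, calc.exe vanishing from System32) can be expressed as a small rule set. The following is an added example written for this profile, not code from the profile's sources or any vendor; it runs over constructed EDR-style events whose field names (host, type, image, target, display_name) are assumptions, and it extends the page's System32 allowlist with SysWOW64 for 64-bit hosts.

```python
"""Added example (not the profile's own code or any vendor's): host-indicator
rules for the StrifeWater / DriveGuard artifacts described above, applied to
constructed EDR-style events. Event field names (host, type, image, target,
display_name) are assumptions of this example."""
from __future__ import annotations

from pathlib import PureWindowsPath

# Directories where the genuine calc.exe lives. SysWOW64 is added for 64-bit
# hosts as an allowlist extension (an assumption beyond the profile's System32).
LEGIT_CALC_DIRS = {PureWindowsPath(r"C:\Windows\System32"),
                   PureWindowsPath(r"C:\Windows\SysWOW64")}
SYSTEM32_CALC = PureWindowsPath(r"C:\Windows\System32\calc.exe")
PUBLIC_DIR = PureWindowsPath(r"C:\Users\Public")         # documented deploy path
ARTIFACT_FILES = {"drvguard.exe", "lic.dll"}              # loader + watchdog
FAKE_SERVICE_NAME = "hard disk drives fast stop service"  # DriveGuard cover name


def _under(path, directory):
    """True if path sits inside directory (PureWindowsPath compares case-insensitively)."""
    return directory in path.parents


def evaluate(event: dict) -> list[str]:
    """Return the rule names that fire for one event (empty list if none)."""
    hits: list[str] = []
    kind = event["type"]
    if kind == "process":
        image = PureWindowsPath(event["image"])
        # Rule 1: calc.exe launched from anywhere but the system directories.
        if image.name.lower() == "calc.exe" and image.parent not in LEGIT_CALC_DIRS:
            hits.append("strifewater_calc_masquerade")
    elif kind == "file_create":
        target = PureWindowsPath(event["target"])
        # Rule 2: loader or watchdog dropped; under C:\Users\Public raises severity.
        if target.name.lower() in ARTIFACT_FILES:
            sev = "high" if _under(target, PUBLIC_DIR) else "medium"
            hits.append(f"driveguard_artifact_{sev}")
    elif kind == "file_delete":
        # Rule 3: the genuine calc.exe removed from System32 (cleanup stage).
        if PureWindowsPath(event["target"]) == SYSTEM32_CALC:
            hits.append("system32_calc_removed")
    elif kind == "service_install":
        # Rule 4: a service registered under DriveGuard's cover display name.
        if event.get("display_name", "").strip().lower() == FAKE_SERVICE_NAME:
            hits.append("driveguard_service_name")
    return hits


def scan(events: list[dict]) -> list[tuple[str, str]]:
    """Apply evaluate() to every event and return (host, rule) pairs in order."""
    return [(e["host"], rule) for e in events for rule in evaluate(e)]


# Constructed sample telemetry: a benign Calculator launch on WS-02, then the
# StrifeWater deployment sequence on WS-17 as the profile describes it.
SAMPLE_EVENTS = [
    {"host": "WS-02", "type": "process", "image": r"C:\Windows\System32\calc.exe"},
    {"host": "WS-17", "type": "file_create", "target": r"C:\Users\Public\drvguard.exe"},
    {"host": "WS-17", "type": "file_create", "target": r"C:\Users\Public\lic.dll"},
    {"host": "WS-17", "type": "service_install",
     "display_name": "Hard Disk Drives Fast Stop Service"},
    {"host": "WS-17", "type": "process", "image": r"C:\Users\Public\calc.exe"},
    {"host": "WS-17", "type": "file_delete", "target": r"C:\Windows\System32\calc.exe"},
    {"host": "WS-17", "type": "file_create", "target": r"C:\Temp\lic.dll"},
]

if __name__ == "__main__":
    for host, rule in scan(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

Because StrifeWater self-deletes before the wiper stage, these rules are only useful if the events are shipped off-host and retained; the sequence on WS-17 is what a responder would otherwise find missing after DCSrv runs.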

analyst note — hacktivist persona as plausible deniability

Moses Staff's pro-Palestinian hacktivist framing is a deliberate Iranian state strategy. Iran has maintained a consistent model of creating hacktivist-presenting front personas to conduct offensive cyber operations against adversaries while preserving plausible deniability at the state level. SecureWorks' Rafe Pilling assessed this trend explicitly: "Iran has a history of using proxy groups and manufactured personas to target regional and international adversaries. Over the last couple of years an increasing number of criminal and hacktivist group personas have emerged to target perceived enemies of Iran while providing plausible deniability to the Government of Iran." The technical sophistication of Moses Staff's custom toolchain — StrifeWater's self-removal mechanism, the per-victim custom PyDCrypt build, the DCSrv wiper — significantly exceeds what independent hacktivist collectives produce, and aligns with the resources and tasking structure of a state intelligence service. The hacktivist persona should be treated as a cover story, not an accurate description of the operator.

Sources & Further Reading

Attribution and references used to build this profile.
