G1009: Moses Staff
Moses Staff is a suspected Iranian threat group that has primarily targeted Israeli companies since at least September 2021. Moses Staff openly stated their motivation in attacking Israeli companies is to cause damage by leaking stolen sensitive data and encrypting the victim's networks without a ransom demand.[1]
Security researchers assess Moses Staff is politically motivated, and has targeted government, finance, travel, energy, manufacturing, and utility companies outside of Israel as well, including those in Italy, India, Germany, Chile, Turkey, the UAE, and the US.[2]
Analyst context for executives and security teams
Moses Staff matters because ATT&CK describes the group as politically motivated and damage-oriented: stealing sensitive data and encrypting networks without a ransom demand. That changes the business decision from “can we pay or negotiate?” to “can we contain, restore, prove what was accessed, and continue operations?” The related ATT&CK relationships point to public-facing application exploitation, web shells, discovery, SMB/admin-share lateral movement, tool transfer, remote access tooling, and destructive malware, so resilience depends on exposure management, identity controls, Windows lateral-movement visibility, and tested recovery.
Executive priority
Treat this as a readiness scenario for destructive intrusion and data leakage, not just ransomware. Leaders should ask whether Internet-facing systems are prioritized for vulnerability and misconfiguration remediation, whether incident response can rapidly determine data exposure, whether backups and restoration are protected from domain-level compromise, and whether SOC telemetry can follow movement from an exposed server to Windows administrative shares and host firewall changes. The sectors and geographies in the ATT&CK description are broad enough that prioritization should be based on local exposure, business criticality, and geopolitical relevance rather than assuming ransom-driven behavior.
Technical view
ATT&CK provides no official detection text for the group, so defenders should validate coverage through the related behaviors and software. Focus on initial access via exploited public-facing applications and possible web shells; post-compromise discovery of system, network, and local account information; ingress tool transfer; use of PsExec or SMB/Windows Admin Shares for lateral movement; Windows host firewall modification; suspicious code signing trust; and malware families/tools associated in the relationships: PyDCrypt, DCSrv, and StrifeWater. Detection engineering should correlate web-server anomalies, endpoint process activity, administrative share access, remote service execution, and file encryption or destructive behavior rather than relying on a single signature or group name.
Likely telemetry
- Internet-facing application, web server, and reverse proxy logs
- Web shell indicators such as unusual script creation, command execution, or abnormal web process child processes
- Endpoint process creation and command-line telemetry on Windows systems
- SMB, admin share, remote service, and PsExec-related activity
- Authentication logs for local and administrative account use
Detection direction
- Build detections around behavior chains: public-facing application anomaly or web shell followed by discovery, tool transfer, SMB/admin-share use, and destructive or encryption-like file activity.
- Tune PsExec and SMB/admin-share monitoring carefully because these are legitimate administration mechanisms; prioritize unusual source hosts, new administrative paths, rare accounts, off-hours use, and activity originating from web servers or non-admin workstations.
- Validate visibility for Windows host firewall changes, because firewall modification can reduce network-control effectiveness and may be missed if only perimeter logs are reviewed.
- Hunt for discovery commands and local account enumeration in context, especially when they occur shortly after suspicious web-server activity or remote-access tooling.
- Because ATT&CK provides no official detection guidance for this group, use the related techniques and software as hypotheses and test them against local telemetry, baseline administration patterns, and incident response playbooks.
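One way to turn the behavior-chain idea above into detection logic, as an added example that is not part of the ATT&CK object or Glexia's tooling: it scores process-creation telemetry per host for the chain of web-server process spawning a shell, discovery, Windows host firewall change and admin-share use, and only alerts when several stages land on one host inside a time window. The record layout (`ts|host|parent|image|cmdline`), the `stage_of`/`correlate` names and the sample host and process names are constructed assumptions.

```python
"""Behavior-chain correlation for the chain described above: web-server process spawning a shell,
then discovery, host firewall change and admin-share use on one host within a short window.
Added example, not ATT&CK or Glexia code; record layout and host/process names are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

WEB_PROCS = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat.exe"}
def stage_of(e):
    """Map one process-creation event to a chain stage, or None."""
    img, par, cmd = e["image"].lower(), e["parent"].lower(), e["cmdline"].lower()
    if par in WEB_PROCS and img in {"cmd.exe", "powershell.exe"}:
        return "web_shell_exec"   # web process spawning a shell (T1505.003 follow-on)
    if img in {"whoami.exe", "systeminfo.exe", "hostname.exe"} or "net user" in cmd:
        return "discovery"        # T1082 / T1087.001 / T1016
    if img == "netsh.exe" and "advfirewall" in cmd and "state off" in cmd:
        return "firewall_modify"  # Windows host firewall disabled
    if "admin$" in cmd or img.startswith("psexe"):
        return "admin_share"      # T1021.002 / PsExec-style remote execution
    return None

def parse_event(line):
    ts, host, parent, image, cmdline = line.split("|", 4)   # constructed record layout
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "parent": parent, "image": image, "cmdline": cmdline}

def correlate(lines, window=timedelta(hours=2), min_stages=3):
    """Return {host: [stages in order]} for hosts with >= min_stages distinct stages
    inside `window` of that host's first matched stage; single stages are not alerted."""
    per_host = defaultdict(list)
    for e in sorted(map(parse_event, lines), key=lambda e: e["ts"]):
        stage = stage_of(e)
        if stage:
            per_host[e["host"]].append((e["ts"], stage))
    alerts = {}
    for host, hits in per_host.items():
        start, seen = hits[0][0], []
        for ts, stage in hits:
            if ts - start <= window and stage not in seen:
                seen.append(stage)
        if len(seen) >= min_stages:
            alerts[host] = seen
    return alerts

SAMPLE = [  # constructed sample telemetry: full chain on EXCH01, routine admin use on ADMIN01
    "2021-11-15T01:00:00|EXCH01|w3wp.exe|cmd.exe|cmd.exe /c whoami",
    "2021-11-15T01:00:05|EXCH01|cmd.exe|whoami.exe|whoami",
    "2021-11-15T01:02:10|EXCH01|cmd.exe|netsh.exe|netsh advfirewall set allprofiles state off",
    "2021-11-15T01:05:30|EXCH01|cmd.exe|net.exe|net use \\\\FS01\\ADMIN$ /user:corp\\svc",
    "2021-11-15T09:00:00|ADMIN01|explorer.exe|net.exe|net use \\\\FS01\\ADMIN$",
]
```

The lone admin-share event on ADMIN01 never alerts on its own, which is the tuning point made above: stage matchers stay broad, and the chain plus window supply the specificity.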
Mitigation priorities
- Prioritize vulnerability and configuration management for Internet-facing applications and services, especially assets that can bridge into internal networks.
- Restrict and monitor administrative shares, PsExec-like remote execution, and local administrator use; enforce least privilege and segment critical systems where feasible.
- Harden web servers against unauthorized script placement and monitor for web shell persistence.
- Ensure backups, recovery processes, and destructive-attack response procedures are tested and protected from compromise.
- Collect and retain endpoint, authentication, web, and network telemetry long enough to reconstruct lateral movement and data-access scope.
Analyst notes and limits
The ATT&CK object identifies Moses Staff aliases as DEV-0500 and Marigold Sandstorm and cites reporting from Check Point, Cybereason, and Microsoft naming references. The most decision-relevant relationship context is the combination of damage-oriented objectives, remote access tooling, destructive malware, public-facing application exploitation, web shells, Windows lateral movement mechanisms, and host firewall modification. For Glexia-style assessment, this maps to executive resilience, exposure management, SOC correlation depth, and IR scoping readiness.
The group object has no official ATT&CK detection text, no group-level platforms or tactics specified, and the relationship descriptions are technique/software context rather than proof of local exposure. This summary does not assert current activity, customer targeting, or detection coverage. Local asset inventory, sector/geography relevance, Internet exposure, identity architecture, and telemetry quality are required to determine actual risk and coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1021.002 | SMB/Windows Admin Shares Sub-technique | Moses Staff has used batch scripts that can enable SMB on a compromised host.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | Moses Staff has collected the domain name of a compromised network.[1] |
| Enterprise | T1087.001 | Local Account Sub-technique | Moses Staff has collected the administrator username from a compromised host.[1] |
| Enterprise | T1686.003 | Windows Host Firewall Sub-technique | Moses Staff has used batch scripts that can disable the Windows firewall on specific remote machines.[1] |
| Enterprise | T1082 | System Information Discovery | Moses Staff collected information about the infected host, including the machine names and OS architecture.[1] |
| Enterprise | T1588.002 | Tool Sub-technique | Moses Staff has used the commercial tool DiskCryptor.[1] |
| Enterprise | T1505.003 | Web Shell Sub-technique | Moses Staff has dropped a web shell onto a compromised system.[1] |
| Enterprise | T1587.001 | Malware Sub-technique | Moses Staff has built malware, such as DCSrv and PyDCrypt, for targeting victims' machines.[1] |
| Enterprise | T1553.002 | Code Signing Sub-technique | Moses Staff has used signed drivers from an open source tool called DiskCryptor to evade detection.[1] |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | Moses Staff has used obfuscated web shells in their operations.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | Moses Staff has downloaded and installed web shells to the following path |
| Enterprise | T1190 | Exploit Public-Facing Application | Moses Staff has exploited known vulnerabilities in public-facing infrastructure such as Microsoft Exchange Servers.[1] |
Groups, software, and campaigns
S1032: PyDCrypt
PyDCrypt is malware written in Python designed to deliver DCSrv. It has been used by Moses Staff since at least September 2021, with each sample tailored for its intended victim organization.[1]
S0029: PsExec
S1033: DCSrv
DCSrv is destructive malware that has been used by Moses Staff since at least September 2021. Though DCSrv has ransomware-like capabilities, Moses Staff does not demand ransom or offer a decryption key.[1]
S1034: StrifeWater
StrifeWater is a remote-access tool that has been used by Moses Staff in the initial stages of their attacks since at least November 2021.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.0 | | Current bundle | 6e50298fb1ca… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Checkpoint MosesStaff Nov 2021: Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022.
[2] Cybereason StrifeWater Feb 2022: Cybereason Nocturnus. (2022, February 1). StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to Ransomware Operations. Retrieved August 15, 2022.
[3] DEV-0500 (alias; see [5]).
[4] Marigold Sandstorm (alias; see [5]).
[5] Microsoft Threat Actor Naming July 2023: Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
[6] mitre-attack G1009 (MITRE ATT&CK source record).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.