S1032: PyDCrypt
PyDCrypt is malware written in Python designed to deliver DCSrv. It has been used by Moses Staff since at least September 2021, with each sample tailored for its intended victim organization.[1]
Analyst context for executives and security teams
PyDCrypt is a Windows malware entry in ATT&CK described as Python-based malware designed to deliver DCSrv, with samples reportedly tailored to intended victim organizations. Its business significance is less about a generic commodity tool and more about readiness for a targeted intrusion chain: script execution, discovery, obfuscation, firewall tampering, and cleanup behaviors can reduce visibility before responders understand scope.
Executive priority
Treat PyDCrypt as a validation point for Windows endpoint visibility and incident response readiness around targeted malware delivery. Leaders should ask whether security teams can reconstruct Python, PowerShell, cmd, and WMI activity; prove whether host firewall changes occurred; and retain enough endpoint evidence after file deletion or obfuscation. Because the related group context includes data leakage and network encryption without ransom demand, resilience planning should emphasize rapid containment, evidence preservation, and business continuity rather than assuming a financially motivated ransomware negotiation path.
Technical view
ATT&CK lists PyDCrypt as Windows malware written in Python to deliver DCSrv, and relationships map it to execution via Python, PowerShell, Windows Command Shell, and WMI; discovery of users and network connections; encrypted/encoded files; deobfuscation; file deletion; legitimate-looking resource naming/location; and firewall modification. SOC and IR teams should validate detection coverage across these behaviors as a chain, not as isolated alerts. There is no official ATT&CK detection text for this software, so local detection engineering should be based on the related techniques, Windows host telemetry, and the Check Point reference rather than assuming a known signature will be sufficient.
Likely telemetry
- Windows endpoint process creation telemetry for python.exe or Python-compiled executables, powershell.exe, cmd.exe, and WMI-related execution
- Command-line arguments and parent-child process relationships showing script execution, discovery commands, decoding/deobfuscation, or payload launch behavior
- WMI activity logs and Windows event data related to local or remote command execution
- File creation, rename, deletion, and unusual path/name activity, especially where files appear to mimic legitimate resources
- Host firewall configuration change logs, service state changes, and rule modifications
Detection direction
- Build detections around correlated behavior: Python or script execution followed by discovery, decoding, file cleanup, firewall modification, or delivery of another payload is more meaningful than any single command interpreter event.
- Tune PowerShell, cmd, WMI, and Python monitoring to reduce false positives from legitimate administration, software deployment, and developer activity by using asset role, user role, signed/known scripts, change windows, and command-line context.
- Validate that file deletion and obfuscation do not erase the only available evidence; ensure EDR, centralized logs, and forensic retention can preserve process and file metadata even when files are removed.
- Review host firewall change monitoring as a control point for defense impairment, especially changes made outside approved administration channels.
- Use the Moses Staff and DCSrv relationship context for threat hunting and prioritization, but do not treat it as proof of attribution in a local incident without supporting evidence.
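The correlated-behaviour idea in the bullets above, as an added example that is not part of this page, of ATT&CK, or of the Check Point research: it scores per-host chains of the PyDCrypt-related behaviours listed on this page (script interpreter execution, discovery, decoding, file cleanup, firewall modification) within a time window instead of alerting on any single interpreter event. The event fields, the sample events, the regular expressions, the `KNOWN_ADMIN_USERS` tuning set and the thresholds are all assumptions constructed for the example.

```python
"""Correlated behaviour detection over Windows process-creation events.

Added illustration (not ATT&CK, Check Point or vendor code). Events are
Sysmon-like dicts with host, user, time, image and cmdline; all sample
data below is constructed, not real telemetry.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # assumed correlation window per host
MIN_DISTINCT = 3                 # script exec plus at least two follow-on behaviours
# Hypothetical tuning context: accounts whose routine admin scripting is expected.
KNOWN_ADMIN_USERS = {"CORP\\deploy-svc"}

SCRIPT_HOSTS = {"python.exe", "powershell.exe", "cmd.exe", "wmic.exe"}

# Behaviour labels from the page, each with an assumed command-line pattern.
RULES = [
    ("discovery", re.compile(r"\b(whoami|query user|net user|netstat)\b", re.I)),
    ("decode", re.compile(r"-(enc|encodedcommand)\b", re.I)),
    ("cleanup", re.compile(r"\b(del|erase|remove-item)\b", re.I)),
    ("firewall_mod", re.compile(r"netsh\s+advfirewall\s+firewall\s+(add|set)\s+rule", re.I)),
]


def classify(event):
    """Map one process-creation event to the set of behaviour labels it shows."""
    labels = set()
    image = event["image"].rsplit("\\", 1)[-1].lower()
    if image in SCRIPT_HOSTS:
        labels.add("script_exec")
    for label, pattern in RULES:
        if pattern.search(event["cmdline"]):
            labels.add(label)
    return labels


def correlate(events):
    """Return one finding per host whose events, within WINDOW of the first
    script-interpreter launch, span at least MIN_DISTINCT behaviours."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_host[ev["host"]].append(ev)
    findings = []
    for host, evs in by_host.items():
        anchor = next((e for e in evs if "script_exec" in classify(e)), None)
        if anchor is None:
            continue
        chain = [e for e in evs if anchor["time"] <= e["time"] <= anchor["time"] + WINDOW]
        seen = set().union(*(classify(e) for e in chain))
        if len(seen) < MIN_DISTINCT:
            continue
        users = {e["user"] for e in chain}
        findings.append({
            "host": host,
            "behaviours": sorted(seen),
            # Flag rather than drop: the page recommends tuning on user role.
            "suppressed": users <= KNOWN_ADMIN_USERS,
            "evidence": [e["cmdline"] for e in chain],
        })
    return findings


def _t(clock):
    return datetime.fromisoformat("2021-11-15T" + clock)


# Constructed sample events: WS01 shows the full chain, WS02 shows routine admin use.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\jdoe", "time": _t("09:00:00"),
     "image": r"C:\Python39\python.exe", "cmdline": r"python.exe C:\Temp\update.py"},
    {"host": "WS01", "user": "CORP\\jdoe", "time": _t("09:00:05"),
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami & netstat -ano"},
    {"host": "WS01", "user": "CORP\\jdoe", "time": _t("09:00:20"),
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QQBCAEMA"},
    {"host": "WS01", "user": "CORP\\jdoe", "time": _t("09:01:00"),
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": 'netsh advfirewall firewall add rule name="fs" dir=in action=allow protocol=TCP localport=445'},
    {"host": "WS01", "user": "CORP\\jdoe", "time": _t("09:05:00"),
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd.exe /c del /f C:\Temp\update.py"},
    {"host": "WS02", "user": "CORP\\deploy-svc", "time": _t("10:00:00"),
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Deploy\install.ps1"},
    {"host": "WS02", "user": "CORP\\deploy-svc", "time": _t("10:00:30"),
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c net user"},
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding["host"], finding["behaviours"], "suppressed:", finding["suppressed"])
```

The per-host time window is a deliberate simplification; in production the chain should be walked along process lineage (parent and child process IDs) so that unrelated activity on a busy host does not inflate the score, and the `suppressed` flag should feed a lower-severity queue rather than discard the event, so that evidence survives if the account turns out to be misused.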
Mitigation priorities
- Prioritize centralized Windows endpoint logging for process, script, WMI, file, firewall, and network-connection activity before relying on point detections.
- Restrict and monitor script interpreter use, including Python, PowerShell, and cmd, according to business need and administrative role.
- Harden WMI and administrative execution paths with least privilege, auditing, and change-control expectations.
- Protect host firewall policy with administrative controls and alerting on unauthorized rule or service changes.
- Maintain incident response playbooks for targeted malware delivery that include rapid host isolation, evidence preservation, payload triage, and scoping for follow-on malware such as DCSrv.
Analyst notes and limits
The most useful defensive reading of this object is as a malware delivery and visibility challenge on Windows. PyDCrypt’s relationship set points to a practical hunt package: script execution, WMI, discovery, obfuscation/deobfuscation, cleanup, and firewall modification. The supplied relationship for masquerading by legitimate resource name/location has platform metadata that does not include Windows, while the malware platform is Windows; treat that as relationship context requiring local validation rather than a standalone Windows coverage claim.
The supplied ATT&CK object has no official detection text, no aliases, no tactics on the malware object itself, and only one external research citation. This take does not claim current activity, customer exposure, guaranteed detection, or attribution in any environment. Local telemetry, malware samples, and incident evidence are required to determine whether PyDCrypt or related behaviors are present.
PyDCrypt
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1059.006 | Python | PyDCrypt, along with its functions, is written in Python.[1] |
| Enterprise | T1059.003 | Windows Command Shell | PyDCrypt has used `cmd.exe` for execution.[1] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location | |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | |
| Enterprise | T1686 | Disable or Modify System Firewall | PyDCrypt has modified firewall rules to allow incoming SMB, NetBIOS, and RPC connections using `netsh.exe` on remote machines.[1] |
| Enterprise | T1049 | System Network Connections Discovery | |
| Enterprise | T1027.013 | Encrypted/Encoded File | PyDCrypt has been compiled and encrypted with PyInstaller, specifically using the `--key` flag during the build phase.[1] |
| Enterprise | T1059.001 | PowerShell | PyDCrypt has attempted to execute with PowerShell.[1] |
| Enterprise | T1047 | Windows Management Instrumentation | PyDCrypt has attempted to execute with WMIC.[1] |
| Enterprise | T1033 | System Owner/User Discovery | PyDCrypt has probed victim machines with |
| Enterprise | T1070.004 | File Deletion | PyDCrypt will remove all created artifacts such as dropped executables.[1] |
Groups, software, and campaigns
G1009: Moses Staff
Moses Staff is a suspected Iranian threat group that has primarily targeted Israeli companies since at least September 2021. Moses Staff openly stated their motivation in attacking Israeli companies is to cause damage by leaking stolen sensitive data and encrypting the victim's networks without a ransom demand.[1]
Security researchers assess Moses Staff is politically motivated, and has targeted government, finance, travel, energy, manufacturing, and utility companies outside of Israel as well, including those in Italy, India, Germany, Chile, Turkey, the UAE, and the US.[2]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | ad4dfe770c6d… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Checkpoint MosesStaff Nov 2021: Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022.
[2] mitre-attack S1032.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.