S1033: DCSrv
DCSrv is destructive malware that has been used by Moses Staff since at least September 2021. Though DCSrv has ransomware-like capabilities, Moses Staff does not demand ransom or offer a decryption key.[1]
Analyst context for executives and security teams
DCSrv matters because it is described as destructive Windows malware with ransomware-like encryption behavior but no ransom or decryption path. For leaders, the key risk is not payment negotiation; it is operational disruption and potential permanent loss of availability if recovery, containment, and service restoration are not ready.
Executive priority
Prioritize DCSrv as an operational resilience and incident-response readiness scenario. The supplied ATT&CK relationships connect it to data encryption for impact, shutdown/reboot activity, Windows service persistence, registry modification, masqueraded tasks or services, native API use, and file encoding/obfuscation. Executives should ask whether critical Windows systems have recoverable backups, whether SOC teams can quickly identify suspicious service and registry changes, and whether IR plans assume destructive encryption where a decryption key may not be offered.
Technical view
DCSrv is a Windows malware object associated by ATT&CK with Moses Staff and with techniques including Encrypted/Encoded File, Masquerade Task or Service, Native API, Modify Registry, System Time Discovery, Data Encrypted for Impact, System Shutdown/Reboot, and Windows Service. Because MITRE provides no dedicated detection text for this object, defenders should validate coverage through the related behaviors: unexpected Windows service creation or modification, service names or task names that imitate legitimate entries, suspicious registry changes supporting execution or persistence, file encryption activity at scale, abnormal shutdown or reboot commands, and obfuscated or encoded malware artifacts. Detection should be tested against local administrative baselines to avoid confusing legitimate software deployment, service management, or maintenance activity with malicious behavior.
Likely telemetry
- Windows service creation, modification, and configuration change logs
- Windows Registry modification telemetry, especially keys related to services, persistence, and execution
- Endpoint process execution and parent-child process telemetry
- File creation, rename, write, and encryption-pattern telemetry on local and shared storage
- Shutdown and reboot event logs or command execution records
Detection direction
- Build detections around behavior chains rather than the malware name alone, since no official ATT&CK detection guidance is provided for DCSrv.
- Tune for suspicious Windows service creation or modification, especially when service names, display names, or descriptions resemble legitimate services but execute unusual binaries or paths.
- Correlate registry modifications with new services, process execution, and subsequent file encryption or reboot activity.
- Watch for rapid file modification or encryption-like behavior across many files or systems, particularly when followed by shutdown or reboot events.
- Account for false positives from patching tools, endpoint management platforms, backup agents, and legitimate service installers.
Mitigation priorities
- Confirm offline, immutable, or otherwise resilient backups for critical Windows systems and test restore procedures.
- Harden and monitor permissions that allow service creation, service modification, and sensitive registry changes.
- Limit administrative privileges and review accounts capable of managing Windows services across the environment.
- Ensure incident response playbooks cover destructive malware where ransom negotiation or decryption is not a viable recovery assumption.
- Segment critical systems and shared storage to reduce the blast radius of encryption activity.
Analyst notes and limits
The business relevance comes from the destructive profile and the ATT&CK relationships to impact, persistence, defense evasion, discovery, and execution behaviors. The relationship context identifies Moses Staff as using DCSrv and describes the group as causing damage by leaking data and encrypting victim networks without a ransom demand; this assessment does not imply current activity or exposure for any particular organization.
MITRE provides no official detection text, no aliases, and no malware-specific tactics for DCSrv in the supplied object. Technical guidance is therefore derived from the official description, Windows platform field, external reference, and listed ATT&CK relationships. Local environment baselines, logs, and recovery architecture are required to determine actual risk and detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1036.004 | Masquerade Task or Service (sub-technique) | DCSrv has masqueraded its service as a legitimate svchost.exe process.[1] |
| Enterprise | T1543.003 | Windows Service (sub-technique) | DCSrv has created new services for persistence by modifying the Registry.[1] |
| Enterprise | T1529 | System Shutdown/Reboot | DCSrv has a function to sleep for two hours before rebooting the system.[1] |
| Enterprise | T1112 | Modify Registry | DCSrv has created Registry keys for persistence.[1] |
| Enterprise | T1027.013 | Encrypted/Encoded File (sub-technique) | DCSrv's configuration is encrypted.[1] |
| Enterprise | T1124 | System Time Discovery | DCSrv can compare the current time on an infected host with a configuration value to determine when to start the encryption process.[1] |
| Enterprise | T1486 | Data Encrypted for Impact | DCSrv has encrypted drives using the core encryption mechanism from DiskCryptor.[1] |
| Enterprise | T1106 | Native API | DCSrv has used various Windows API functions, including `DeviceIoControl`, as part of its encryption process.[1] |
Groups, software, and campaigns
G1009: Moses Staff
Moses Staff is a suspected Iranian threat group that has primarily targeted Israeli companies since at least September 2021. Moses Staff openly stated their motivation in attacking Israeli companies is to cause damage by leaking stolen sensitive data and encrypting the victim's networks without a ransom demand.[1]
Security researchers assess Moses Staff is politically motivated, and has targeted government, finance, travel, energy, manufacturing, and utility companies outside of Israel as well, including those in Italy, India, Germany, Chile, Turkey, the UAE, and the US.[2]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table lists the same object across releases (object versions, MITRE modification timestamps, and raw object hashes) so they can be compared. For MITRE's own release notes and roadmap, see the ATT&CK resources (Updates) page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | b7f3ca81f999… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Checkpoint MosesStaff Nov 2021: Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022.
[2] mitre-attack S1033: MITRE ATT&CK source record for this object.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.