Introduction
Moses Staff is a suspected Iranian threat group that has primarily targeted Israeli companies since at least September 2021. Moses Staff openly stated that their motivation in attacking Israeli companies is to cause damage by leaking stolen sensitive data and encrypting victims' networks without a ransom demand [4]. Security researchers assess that Moses Staff is politically motivated, and that it has also targeted government, finance, travel, energy, manufacturing, and utility companies outside of Israel, including in Italy, India, Germany, Chile, Turkey, the UAE, and the US [5].
Activities and Tactics
Country of Origin: 🇮🇷 Iran
First Seen: 2022
Last Activity: 2022
Notable Campaigns
Information pending cataloguing.
Tactics, Techniques, and Procedures (TTPs)
- T1021.002 SMB/Windows Admin Shares
- T1016 System Network Configuration Discovery
- T1087.001 Local Account
- T1686.003 Windows Host Firewall
- T1082 System Information Discovery
- T1588.002 Tool
- T1505.003 Web Shell
- T1587.001 Malware
- T1553.002 Code Signing
- T1027.013 Encrypted/Encoded File
- T1105 Ingress Tool Transfer
- T1190 Exploit Public-Facing Application
ATT&CK technique IDs (denormalized)
- T1016
- T1021.002
- T1027.013
- T1082
- T1087.001
- T1105
- T1190
- T1505.003
- T1553.002
- T1587.001
- T1588.002
- T1686.003
Notable Indicators of Compromise (IOCs)
No atomic indicators are listed in this profile. The APTnotes snapshot indexes 1 public report that may contain IOCs; see Attribution and Evidence and the References for dataset links.
Malware and Tools
- CyberGate
- Cyber Eye RAT
- Archelaus Beta
MITRE ATT&CK Software
- PyDCrypt (S1032) — malware
- PsExec (S0029) — tool
- DCSrv (S1033) — malware
- StrifeWater (S1034) — malware
Attribution and Evidence
Country of Origin: Iran
Additional attribution information pending cataloguing.
References
[1] mitre-attack
[4] Checkpoint MosesStaff Nov 2021: Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022.
[5] Cybereason StrifeWater Feb 2022: Cybereason Nocturnus. (2022, February 1). StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to Ransomware Operations. Retrieved August 15, 2022.
[6] Microsoft Threat Actor Naming July 2023: Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.