Skip to content
Ransomware group

Moses Staff

Moses Staff is an alleged Iranian threat actor, also tracked as DEV-0500, DEV-500, Marigold Sandstorm, MosesStaff, and Vengeful Kitten.

Profile source: Mallory opens in a new tab

Moses Staff

Family profile

Moses Staff is an alleged Iranian threat actor, also tracked as DEV-0500, DEV-500, Marigold Sandstorm, MosesStaff, and Vengeful Kitten. The content states the group was first identified on underground forums in September 2021 and primarily targets Israeli companies by stealing and publishing sensitive data, with additional targeting reported in Italy, India, Germany, Chile, Turkey, the UAE, and the United States. One cited assessment says the group’s main activity is to damage Israeli companies by stealing and publishing sensitive data. Another cited report states leaked internal operational records confirmed direct infrastructure and administrative overlap between Moses Staff and CyberAv3ngers, formally connecting previously separate Iranian cyber personas into a single coordinated effort directed by the Iranian state.

The group is associated with destructive and disruptive activity rather than financial gain. The content states Moses Staff typically does not pursue financial gain and usually provides no practical way for victims to pay a ransom and decrypt data. Reported tooling includes the legitimate commercial/open-source tool DiskCryptor, including signed drivers from DiskCryptor to evade detection; custom tools PyDCrypt, DCSrv, and StrifeWater; and obfuscated web shells. PyDCrypt is described as a Python program built with PyInstaller that spreads within a network and ensures execution of DCSrv. DCSrv masquerades as svchost.exe, blocks access to the computer, and encrypts volumes using DiskCryptor. StrifeWater is described as a stealthy RAT used early in attacks to cover traces, execute remote commands, and capture the screen.

Observed behaviors in the content include collecting the compromised network’s domain name and infected host information such as machine names and OS architecture. ATT&CK-style mappings in the content associate Moses Staff with T1190 Exploit Public-Facing Application for initial access, T1505.003 Web Shell and T1505.004 IIS Components for persistence, T1059 Command and Scripting Interpreter for execution, and T1608.001/T1608.002 Upload Malware/Upload Tool for resource development. The content also explicitly notes use of obfuscated web shells in operations.

Ransomware.live

Operational record

View group record ↗

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.