>samit_hota
Back to adversary profiles
G1009HighActive

Moses Staff (G1009) Threat Actor Profile

Samit Hota·
Suspected Origin
Iran
Motivation
Political, Sabotage, Destruction, Data Exfiltration
Aliases
DEV-0500, Marigold Sandstorm
Target Sectors
Government, Finance, Travel, Energy, Manufacturing, Utilities, Defense, Critical Infrastructure
Associated Malware
PyDCrypt, DCSrv, StrifeWater RAT, Vatet Loader, custom backdoors, web shells
#threat-actor#g1009

Overview

Moses Staff (G1009), operating under aliases such as DEV-0500 and Marigold Sandstorm, is a suspected Iranian threat group that emerged in at least September 2021. This actor is primarily driven by political motivations, openly stating their goal to cause damage to targeted entities by leaking sensitive stolen data and encrypting networks without demanding a ransom. Instead of financial gain, their operations are geared towards disruption, obfuscation of espionage activities, and inflicting damage to advance Iran’s geopolitical objectives.

While their primary focus has been Israeli organizations, Moses Staff has broadened its targeting scope to include government, finance, travel, energy, manufacturing, and utility companies in various countries outside of Israel, such as Italy, India, Germany, Chile, Turkey, the UAE, and the US. This expansion highlights a strategic intent to impact a wider range of critical sectors and regions. The group has been observed to adopt new tools and techniques rapidly, indicating an evolving and adaptive threat. Some researchers also associate Moses Staff with Cobalt Sapling, another Iranian-linked threat actor known for anti-Israel sentiment and data extortion.

Tactics & Techniques

Moses Staff employs a combination of custom malware and legitimate or open-source tools to execute their operations. Their initial access often involves exploiting known vulnerabilities in public-facing applications, notably Microsoft Exchange Servers and VPNs. ProxyShell vulnerabilities (CVE-2021-31207, CVE-2021-34473, CVE-2021-34523) have been specifically identified as entry points.

Once inside a network, Moses Staff focuses on lateral movement and privilege escalation. They utilize tools like PsExec, WMIC, and PowerShell scripts to spread across the network. Their activities include collecting administrator usernames and information about infected hosts, such as machine names and operating system architecture. They are known to deploy backdoors and web shells, including obfuscated variants, to maintain persistence and facilitate further malicious activities. These web shells are often downloaded to paths like C:\inetpub\wwwroot\aspnet_client\system_web\IISpool.aspx.

A key characteristic of Moses Staff’s operations is their multi-phased approach:

  1. Initial Access: Exploiting public-facing applications.
  2. Lateral Movement & Persistence: Using tools like PsExec, WMIC, PowerShell, and deploying backdoors/web shells.
  3. Data Exfiltration: Stealing sensitive data before encryption.
  4. Impact: Encrypting systems using destructive ransomware without a ransom demand, aimed at maximizing operational disruption and obscuring their tracks. They have also been observed using batch scripts to disable Windows firewalls and enable SMB on compromised hosts.

Notable Campaigns

Moses Staff began its operations around September 2021, primarily targeting Israeli organizations. Their initial activities were noted for their distinct approach compared to other financially motivated ransomware groups, as Moses Staff explicitly focused on damage and public shaming rather than monetary gain.

A notable aspect of their campaigns is the public leaking of stolen data, often accompanied by messages on platforms like Twitter and Telegram, aiming to further embarrass and inflict psychological damage on victims. They customize their malware for each targeted organization, embedding specific parameters like usernames, passwords, local domain addresses, and machine lists into samples like PyDCrypt.

The group has been linked to the broader trend of Iranian threat actors increasing the pace and scope of cyberattacks, particularly since September 2021, often in response to perceived cyberattacks against Iran. While Moses Staff focuses on destructive attacks, other Iranian groups, like Mint Sandstorm (formerly Phosphorus), have also been observed shifting towards targeting critical infrastructure.

Associated Malware & Tools

Moses Staff utilizes a distinct set of custom malware and leverages readily available tools for their operations:

  • PyDCrypt: This is a custom malware written in Python and compiled with PyInstaller. It is designed for lateral propagation and to drop the main encryption payload. Moses Staff often creates a unique PyDCrypt sample for each victim, which can be found in C:\Users\Public\csrss.exe.
  • DCSrv: This is the ransomware variant deployed by PyDCrypt. It is based on the open-source disk encryption tool DiskCryptor. Its purpose is to encrypt data, serving as a destructive wiper rather than a typical ransomware demanding payment. Moses Staff has also used signed drivers from DiskCryptor to evade detection.
  • StrifeWater RAT: Discovered by Cybereason, StrifeWater is a Remote Access Trojan (RAT) identified in Moses Staff’s arsenal. It appears to be used in the initial stages of an attack to establish a foothold and can execute commands, capture screenshots, and download additional modules. It is designed for stealth, with the ability to remove itself from systems to cover the group’s tracks.
  • Vatet Loader: This third-party framework has been employed by Moses Staff to gain access to networks.
  • Metasploit & Cobalt Strike: These commercial or open-source penetration testing tools are used by Moses Staff for various purposes, including gaining access and lateral movement within compromised networks.
  • Custom Backdoors and Web Shells: The group routinely deploys these to maintain persistent access and facilitate further activities within victim environments. These often provide RAT-like functionalities.
  • PsExec, WMIC, PowerShell: These legitimate Windows utilities are heavily leveraged for lateral movement, command execution, and network reconnaissance.

Current Status

Moses Staff remains an active and evolving threat, consistently identified in recent cybersecurity reporting. Their last observed activity from July 2026 confirms their ongoing operational status. The group continues to adapt its TTPs, showing a clear shift towards more aggressive and destructive attacks, including the increasing use of wiper malware. The sophistication of Iranian-linked cyber operations, including groups like Moses Staff, is growing, with a rapid incorporation of new tools and techniques.

The group’s focus on political objectives and destructive outcomes, rather than financial gain, ensures their continued relevance in the geopolitical landscape, particularly concerning conflicts and tensions in the Middle East. Security professionals should anticipate their continued targeting of critical sectors globally, with an emphasis on disruptive actions and data exfiltration for public exposure.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call