{
	"id": "9543c922-ad44-4ef3-8c79-0c7a0fc9d186",
	"created_at": "2026-04-06T00:17:16.350267Z",
	"updated_at": "2026-04-10T13:11:53.268311Z",
	"deleted_at": null,
	"sha1_hash": "493fd0eca15c800bb8fa13cec0619cd64d5ece0e",
	"title": "A hack in hand is worth two in the bush",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 43675,
	"plain_text": "A hack in hand is worth two in the bush\r\nBy GReAT\r\nPublished: 2023-10-16 · Archived: 2026-04-05 18:57:14 UTC\r\nThe ongoing conflict between Israel and Hamas has also extended into the digital domain. The involvement of hackers highlights the evolving nature of warfare in the 21st century, where traditional military operations are complemented by sophisticated cyber tactics, and where the boundaries between state-sponsored, hacktivist, and independent actors blur.\r\nSo far, various cyber activities in the digital realm have been observed, including DDoS attacks, information warfare, and hacktivism campaigns. As the conflict continues, we anticipate potential wiper or ransomware malware attacks in the future.\r\nOn October 8, a major hack on the Israeli Dorad private power station was announced on underground channels by the Cyber Av3ngers group. The group shared photos of the alleged hack with a logo that has the Palestinian flag colors and political messages, implying the hack was in support of that cause. This claim was announced in parallel with another one about targeting the Dorad website with a DoS attack to add credibility to the hack: the attackers also presented evidence of their DDoS success. We analyzed the data published by Cyber Av3ngers and found it to be sourced from older leaks by another hacktivist group called Moses Staff.\r\nIt has been alleged that Moses Staff is an Iranian hacker group, first identified on underground forums in September 2021. Their main activity is to damage Israeli companies by stealing and publishing sensitive data. The group also targets organizations from other countries like Italy, India, Germany, Chile, Turkey, UAE and the US.\r\nIt’s important to mention that no evidence was found linking the Cyber Av3ngers group and the Moses Staff actors.\r\nIntroduction on Cyber Av3ngers\r\nThere is a group with a similar name called “Cyber Avengers”, a threat actor that has been active since at least 2020. There is little evidence connecting Cyber Avengers with Cyber Aveng3rs or Cyber Av3ngers. However, with the current geopolitical conflict, they started to attract publicity to their activities and show support to the cause. They mainly target Israeli organizations, mostly those responsible for operating the critical infrastructure of the country. In 2020, Cyber Avengers claimed responsibility for the power cut and railway infrastructure hack. Later that year, the VP of the corresponding electrical company made a statement saying the power outage was not caused by a cyber attack but by a “technical fault”.\r\nOn September 15 2023, a new channel was created on Telegram messenger with the handle @CyberAveng3rs. The channel started with messages that link its owners to the past activities done by “Cyber Avengers”, then added information on their ideas to target Israeli critical infrastructure, including electrical and water systems. The latest post on the channel was about security guidance, which had been prepared for infrastructure security and published by the Israeli government. The Cyber Avengers group sent the guidance across the list of targets as a mockery. The list contains eight companies, with the eighth yet to be updated.\r\nhttps://securelist.com/a-hack-in-hand-is-worth-two-in-the-bush/110794/\r\nPage 1 of 3\r\nAnalysis of the Cyber Av3ngers files\r\nThe original Moses Staff leak files from 2022 are not available anymore from the original links. However, the files can still be found on other underground channels.\r\nFile Name: POC-IPC.rar\r\nMD5: f9a34ac80a4f98b5491594a1eedc74e3\r\nSHA256: f3b4ee57c46839c2305f68962dff5cd5c3cab0e48d1fbf4f5f4d11f7258ea99b\r\nComments: Archive file with leaked data from multiple organizations\r\nCreate Time/Date: 14-Jun-22 11:59AM\r\nFile size: 159,574 KB\r\nThe archive was first published by Moses Staff in June 2022; it included leaked data from multiple companies in Israel. The files related to the Dorad private power station hack (11 files) had timestamps from August 2020, and the compression timestamps point to June 14 2022. The data in the archive was in PDF documents in addition to PNG and JPEG photos. A video was also published by the attackers in parallel with the data leak.\r\nComparing the photos posted by Cyber Av3ngers and the originals from the Moses Staff archive, we were able to observe the following:\r\nCyber Av3ngers took photos from the Moses Staff leaked PDF documents and video.\r\nCyber Av3ngers cropped the photos and added the logo image before publishing.\r\nThe comparison between the images from the Moses Staff June 2022 leak and the images from the Cyber Av3ngers October 8 2023 alleged leak can be found below.\r\nOverall, the leaked data seems to be the result of hacking operations by Moses Staff: the files seem to have been exfiltrated through the use of malware from computers belonging to the targeted organization, and this behavior has been carried out by this threat actor using custom tools, such as PyDCrypt, DCSrv, and StrifeWater. PyDCrypt is a program written in Python and built with PyInstaller that is used to infect other computers on the network and ensure that the main payload DCSrv is executed properly. DCSrv is a malicious process masquerading as the legitimate “svchost.exe” process. DCSrv blocks all access to the computer and encrypts all its volumes using the legitimate open-source encryption utility DiskCryptor. StrifeWater is a stealthy Remote Access Trojan (RAT) that is used in the initial stage of the attack to cover traces. In addition, it has the ability to execute remote commands and capture the screen.\r\nSince the Moses Staff group is not attempting financial gain, and its main objective is to cause damage, there is usually no way to pay the ransom and decrypt the data.\r\nConclusion\r\nBased on the information provided and its analysis, the Cyber Av3ngers alleged hack is recycled or repurposed from a prior security breach and is not the result of any new unauthorized access to data. Nevertheless, threat actors such as Moses Staff, which target users and organizations, especially in critical infrastructure environments, are still active.\r\nIt’s important to investigate such incidents thoroughly to understand the nature of the compromised data, how it was obtained, and whether any security vulnerabilities were exploited. Additionally, this case emphasizes the importance of maintaining strong cybersecurity measures to protect against both new and recurring threats to IT and OT systems.\r\nIndicators of Compromise\r\nFile hashes\r\nLeaks comparison data\r\nSource: https://securelist.com/a-hack-in-hand-is-worth-two-in-the-bush/110794/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/a-hack-in-hand-is-worth-two-in-the-bush/110794/"
	],
	"report_names": [
		"110794"
	],
	"threat_actors": [
		{
			"id": "daf2219f-08f1-44ef-9245-9a062ceff7a4",
			"created_at": "2023-11-08T02:00:07.120507Z",
			"updated_at": "2026-04-10T02:00:03.419124Z",
			"deleted_at": null,
			"main_name": "Cyber Av3ngers",
			"aliases": [],
			"source_name": "MISPGALAXY:Cyber Av3ngers",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "527e04ee-7f5f-49aa-8653-f893b43730bd",
			"created_at": "2022-10-25T16:07:24.512541Z",
			"updated_at": "2026-04-10T02:00:05.017592Z",
			"deleted_at": null,
			"main_name": "Moses Staff",
			"aliases": [
				"Abraham's Ax",
				"Cobalt Sapling",
				"DEV-0500",
				"G1009",
				"Marigold Sandstorm",
				"Vengeful Kitten",
				"White Dev 95"
			],
			"source_name": "ETDA:Moses Staff",
			"tools": [
				"DCSrv",
				"DCrSrv",
				"PyDCrypt",
				"StrifeWater",
				"StrifeWater RAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bef06c82-0f51-44ba-8451-049cd4ad8a52",
			"created_at": "2023-01-06T13:46:39.325635Z",
			"updated_at": "2026-04-10T02:00:03.288171Z",
			"deleted_at": null,
			"main_name": "MosesStaff",
			"aliases": [
				"Moses Staff",
				"Marigold Sandstorm",
				"DEV-0500",
				"VENGEFUL KITTEN"
			],
			"source_name": "MISPGALAXY:MosesStaff",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c4d0e4e1-5ad3-4455-8291-ce72a1e09e46",
			"created_at": "2022-10-27T08:27:13.055675Z",
			"updated_at": "2026-04-10T02:00:05.323068Z",
			"deleted_at": null,
			"main_name": "Moses Staff",
			"aliases": [
				"Moses Staff",
				"DEV-0500",
				"Marigold Sandstorm"
			],
			"source_name": "MITRE:Moses Staff",
			"tools": [
				"PyDCrypt",
				"PsExec",
				"DCSrv",
				"StrifeWater"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6a5293c8-2a88-4a33-927a-4a0c946dc867",
			"created_at": "2025-08-07T02:03:24.778647Z",
			"updated_at": "2026-04-10T02:00:03.647413Z",
			"deleted_at": null,
			"main_name": "COBALT SAPLING",
			"aliases": [
				"Abraham's Ax ",
				"DEV-0500",
				"Marigold Sandstorm ",
				"Moses Staff ",
				"Vengeful Kitten "
			],
			"source_name": "Secureworks:COBALT SAPLING",
			"tools": [
				"DCSrv",
				"PyDcrypt",
				"StrifeWater RAT"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434636,
	"ts_updated_at": 1775826713,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/493fd0eca15c800bb8fa13cec0619cd64d5ece0e.pdf",
		"text": "https://archive.orkl.eu/493fd0eca15c800bb8fa13cec0619cd64d5ece0e.txt",
		"img": "https://archive.orkl.eu/493fd0eca15c800bb8fa13cec0619cd64d5ece0e.jpg"
	}
}