Moses Staff - Threat Group Cards: A Threat Actor Encyclopedia Archived: 2026-04-05 17:36:25 UTC Other threat group: Moses Staff Names Moses Staff (self given) Abraham's Ax (self given) DEV-0500 (Microsoft) Cobalt Sapling (SecureWorks) Marigold Sandstorm (Microsoft) Vengeful Kitten (CrowdStrike) White Dev 95 (PWC) G1009 (MITRE) Country Iran Motivation Sabotage and destruction First seen 2021 Description (Check Point) In September 2021, the hacker group MosesStaff began targeting Israeli organizations, joining a wave of attacks which was started about a year ago by the Parisite, Fox Kitten, Pioneer Kitten and Agrius attack groups. Those actors operated mainly for political reasons in attempt to create noise in the media and damage the country’s image, demanding money and conducting lengthy and public negotiations with the victims. MosesStaff behaves differently. The group openly states that their motivation in attacking Israeli companies is to cause damage by leaking the stolen sensitive data and encrypting the victim’s networks, with no ransom demand. In the language of the attackers, their purpose is to “Fight against the resistance and expose the crimes of the Zionists in the occupied territories.” Observed Sectors: Energy, Financial, Government, Manufacturing, Transportation, Utilities. Countries: Chile, Germany, India, Israel, Italy, Turkey, UAE, USA. Tools used DCSrv, PyDCrypt, StrifeWater. Operations performed Nov 2022 Abraham's Ax Likely Linked to Moses Staff https://apt.etda.or.th/cgi-bin/showcard.cgi?u=71af54b8-3a64-42a0-9b8f-94d8fcb684a8 Page 1 of 2 Information MITRE ATT&CK Last change to this card: 16 August 2025 Download this actor card in PDF or JSON format Source: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=71af54b8-3a64-42a0-9b8f-94d8fcb684a8 https://apt.etda.or.th/cgi-bin/showcard.cgi?u=71af54b8-3a64-42a0-9b8f-94d8fcb684a8 Page 2 of 2