{
	"id": "22374b3a-1628-4361-b799-d8f65d1e9335",
	"created_at": "2026-04-06T00:16:25.4149Z",
	"updated_at": "2026-04-10T03:34:00.254286Z",
	"deleted_at": null,
	"sha1_hash": "b537cfbef49fe7ba0744a3a0d2786af8751f3a67",
	"title": "StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to Ransomware Operations",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 248924,
	"plain_text": "StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to\r\nRansomware Operations\r\nBy Cybereason Nocturnus\r\nArchived: 2026-04-05 20:05:13 UTC\r\nOver the past months, the Cybereason Nocturnus Team has been tracking the Iranian hacker group known as\r\nMoses Staff. The group was first spotted in October 2021 and claims their motivation is to harm Israeli companies\r\nby leaking sensitive, stolen data. \r\nAside from Israel, which appears to be the main target of the group, Moses Staff was observed targeting\r\norganizations in other countries, including Italy, India, Germany, Chile, Turkey, UAE, and the US. The group\r\ntargets a variety of industries, among them Government, Finance, Travel, Energy, Manufacturing, and the Utilities\r\nindustry. \r\nFollowing recently published research detailing the group’s TTPs including their main tools “PyDcrypt” and\r\n“DCSrv”, the Cybereason Nocturnus team discovered a previously unidentified Remote Access Trojan (RAT) in\r\nthe Moses Staff arsenal dubbed StrifeWater.\r\nThe StrifeWater RAT appears to be used in the initial stage of the attack and this stealthy RAT has the ability to\r\nremove itself from the system to cover the Iranian group’s tracks. The RAT possesses other capabilities, such as\r\ncommand execution and screen capturing, as well as the ability to download additional extensions. \r\nNormally, once the group infiltrates an organization and steals sensitive data, they deploy ransomware to encrypt\r\nthe infected machines. Unlike financially motivated cybercrime ransomware groups who encrypt the files as\r\nleverage for ransom payment, the encryption of the files in the Moses Staff attacks serves two purposes: inflicting\r\ndamages by disrupting critical business operations, and covering the attackers’ tracks.\r\nThe end goal for Moses Staff appears to be more politically-motivated rather than financial. 
Analysis of the\r\ngroup’s conduct and operations suggests that Moses Staff leverages cyber espionage and sabotage to advance\r\nIran’s geopolitical goals by inflicting damage and spreading fear. (Related Iranian APT research: PowerLess\r\nTrojan: Iranian APT Phosphorus Adds New PowerShell Backdoor for Espionage).\r\nKey Findings\r\nNovel Remote Access Trojan: A previously undocumented RAT dubbed StrifeWater, assessed to be part of the\r\narsenal used by Iranian APT Moses Staff. The RAT is assessed to be used specifically in the initial phase of\r\ninfection and is later replaced with other tools.\r\nVarious Functionality: The StrifeWater RAT has various capabilities, among them: listing system files,\r\nexecuting system commands, taking screen captures, creating persistence, and downloading updates and\r\nauxiliary modules.\r\nhttps://www.cybereason.com/blog/research/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations\r\nPage 1 of 10\n\nUnder the Radar: The StrifeWater RAT appears to be removed from the infected environment in time for\r\nthe deployment of the ransomware. This is likely the reason the RAT was not detected before.\r\nState-Sponsored Ransomware: Moses Staff employs ransomware post-exfiltration not for financial gain,\r\nbut to disrupt operations, obfuscate espionage activity, and inflict damage on systems to advance Iran’s\r\ngeopolitical goals.\r\nVictims Across the Globe: The Moses Staff list of victims spans multiple countries and regions, among\r\nthem: Israel, Italy, India, Germany, Chile, Turkey, the UAE, and the US.\r\nStrifeWater: A New Iranian RAT\r\nThe Cybereason Nocturnus Team has been tracking the activities of the Moses Staff threat group since their\r\noperations first became known in 2021. While monitoring the group’s activity, Cybereason researchers discovered\r\nan undocumented RAT dubbed StrifeWater that is used by Moses Staff in the initial stage of the attack. 
It was\r\nobserved that the StrifeWater RAT was deployed in infected environments under the name “calc.exe”. One of the\r\nkey clues that led to the discovery of the StrifeWater RAT came from an analysis of a new variant of the PyDCrypt\r\nmalware used by the Moses Staff group.\r\nZeroing-in on the Moses Staff PyDCrypt Malware\r\nThe Nocturnus Team found a new sample of the PyDCrypt malware, which was described in Check Point’s blog\r\npublished in November 2021. PyDCrypt is written in Python and compiled using PyInstaller. Its goal is to spread\r\nto other computers and to drop the payload “DCSrv”, a ransomware variant based on the publicly available tool\r\nDiskCryptor.\r\nAccording to previous observations, the Moses Staff group builds a new sample of PyDCrypt for each targeted\r\norganization, with hard-coded parameters such as an admin username and password, a list of machines, and a local\r\ndomain. The inclusion of this hard-coded information means PyDCrypt is only deployed at a late stage of the\r\nattack, after the environment is already compromised and sufficient reconnaissance has taken place to map out the\r\ntarget’s environment.\r\nThe newly discovered PyDCrypt variant has one significant change: instead of the ransomware payload, the\r\nscript embeds what appears to be a test executable that merely prints “Hello” upon execution. This\r\ncould indicate that the variant is still in the development and testing phase.\r\nMoses Staff often uses the folder “C:\\Users\\Public” to store its deployed tools. 
As part of its execution, PyDCrypt\r\ncopies the original Windows calculator binary (calc.exe) from System32 to the folder where the rest of the\r\npayloads are saved (C:\\Users\\Public\\calc.exe) and then deletes it:\r\nFrom PyDCrypt source code: Removing a file named “calc.exe”\r\nWe suspect that PyDCrypt’s removal of “calc.exe” from the infected machine is an attempt to remove evidence of\r\nthe StrifeWater RAT, which the attackers also name “calc.exe”. We estimate that replacing the StrifeWater RAT\r\nwith the original Windows Calculator binary and then immediately deleting it was done to cover the attackers’\r\ntracks and thwart forensic analysis.\r\nBecause PyDCrypt is a late-stage tool deployed after reconnaissance has been carried out, Moses Staff must\r\nalready have a foothold in the infected environment before deploying it. Based on our analysis of the StrifeWater\r\nRAT, we suspect that it is the tool the attackers use to gain that foothold and to conduct initial reconnaissance on\r\nthe compromised target.\r\nStrifeWater Analysis\r\nStrifeWater is a previously undocumented RAT that is suspected to be used in the initial stages of the Moses Staff\r\ninfection chain in order to achieve persistence and gain control over the network, appearing as the file “calc.exe”:\r\nStrifeWater execution as seen in the Cybereason XDR Platform\r\nThe main capabilities of StrifeWater include:\r\nListing system files\r\nExecuting shell commands using cmd.exe\r\nTaking screen captures\r\nCreating persistence via a scheduled task\r\nDownloading updates and auxiliary modules\r\nIn addition, the RAT can extend its capabilities by downloading several module extensions, although the\r\nfunctionality of these modules is not known at the time of writing. 
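The behaviours described above (a RAT masquerading as calc.exe outside the Windows system directories, tooling staged under C:\\Users\\Public, a calc.exe that is written and deleted within seconds, and persistence through a scheduled task) can be turned into hunting rules. The following Python is an added example written for this edit, not Cybereason’s code or anything from the Moses Staff toolset: it runs those rules over a handful of constructed Sysmon-style events. The event field names, the 30-second copy/delete window, the sample timestamps, and the check against the scheduled task name given later in the report are assumptions of the example.

```python
# Added example for this edit, not Cybereason's code or anything from the
# Moses Staff toolset. Hunts for the tradecraft described in the report over
# constructed Sysmon-style events; field names and thresholds are assumptions.
from datetime import datetime, timedelta

STAGING_DIR = 'c:\\users\\public\\'            # folder the report says the group stages tools in
SYSTEM_DIRS = ('c:\\windows\\system32\\', 'c:\\windows\\syswow64\\')
# scheduled task name the report attributes to StrifeWater persistence
TASK_IOC = 'mozilla\\firefox default browser agent 409046z0ff4a39cb'
SWAP_WINDOW = timedelta(seconds=30)           # assumed: the copy and the delete happen back to back


def hunt(events):
    '''Return a list of (rule, event) findings; events must be in time order.'''
    findings = []
    last_create = {}   # lower-cased path -> time of the most recent FileCreate
    for ev in events:
        when = datetime.fromisoformat(ev['ts'])
        kind = ev['type']
        if kind == 'ProcessCreate':
            image = ev['image'].lower()
            # the report saw StrifeWater run as calc.exe from C:\\Users\\Public
            if image.endswith('\\calc.exe') and not image.startswith(SYSTEM_DIRS):
                findings.append(('calc.exe running outside a Windows system directory', ev))
            if image.startswith(STAGING_DIR):
                findings.append(('process image staged under C:\\Users\\Public', ev))
        elif kind == 'FileCreate':
            path = ev['path'].lower()
            last_create[path] = when
            if path.startswith(STAGING_DIR) and path.endswith('.exe'):
                findings.append(('executable written to C:\\Users\\Public', ev))
        elif kind == 'FileDelete':
            path = ev['path'].lower()
            created = last_create.get(path)
            # PyDCrypt copies the real calc.exe over the RAT and deletes it at once
            if (path.endswith('\\calc.exe') and created is not None
                    and when - created <= SWAP_WINDOW):
                findings.append(('calc.exe created then deleted within seconds (PyDCrypt swap)', ev))
        elif kind == 'TaskCreate':
            if ev['task'].lower() == TASK_IOC:
                findings.append(('known StrifeWater persistence task name', ev))
            elif ev.get('action', '').lower().startswith(STAGING_DIR):
                findings.append(('scheduled task action staged under C:\\Users\\Public', ev))
    return findings


# Constructed sample telemetry (not real logs): a benign Calculator launch,
# then the StrifeWater deployment, then the PyDCrypt clean-up two days later.
SAMPLE_EVENTS = [
    {'ts': '2022-01-10T09:00:00', 'type': 'ProcessCreate', 'image': 'C:\\Windows\\System32\\calc.exe'},
    {'ts': '2022-01-10T09:01:00', 'type': 'FileCreate', 'path': 'C:\\Users\\Public\\calc.exe'},
    {'ts': '2022-01-10T09:01:05', 'type': 'ProcessCreate', 'image': 'C:\\Users\\Public\\calc.exe'},
    {'ts': '2022-01-10T09:01:10', 'type': 'TaskCreate',
     'task': 'Mozilla\\Firefox Default Browser Agent 409046Z0FF4A39CB',
     'action': 'C:\\Users\\Public\\calc.exe'},
    {'ts': '2022-01-12T14:00:00', 'type': 'FileCreate', 'path': 'C:\\Users\\Public\\calc.exe'},
    {'ts': '2022-01-12T14:00:03', 'type': 'FileDelete', 'path': 'C:\\Users\\Public\\calc.exe'},
]

if __name__ == '__main__':
    for rule, ev in hunt(SAMPLE_EVENTS):
        print(ev['ts'], rule)
```

The benign Calculator launch from System32 produces nothing; the staged calc.exe trips two rules at once (wrong directory and staging folder), and the copy/delete pair only fires because the delete follows the create inside the window, which is what separates the PyDCrypt swap from an ordinary file removal.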
\r\nThe RAT has the following PDB string: “C:\\Users\\win8\\Desktop\\ishdar_win8\\1\\x64\\Release\\brokerhost.pdb”\r\nIt uses a hard-coded IP address and URI to communicate with its command and control (C2) server\r\n(87.120.8[.]210:80/RVP/index8.php):\r\nStrifeWater Command and Control as seen in the Cybereason XDR Platform\r\nAlthough the malware always uses the same IP address and URL, it also contains a domain and an additional URL\r\nthat have not yet been observed in use:\r\ntechzenspace[.]com\r\nRVP/index3.php\r\nHardcoded domain, IP, and URI\r\nAt the beginning of execution, the StrifeWater RAT collects profiling data about the infected machine in order to\r\ncreate a unique token for that device. The data used to create the token are:\r\nMachine name\r\nUser name\r\nOS version\r\nArchitecture\r\nTime zone\r\nUser privileges\r\nInfected machine profiling data string\r\nThe string displayed in the image above is then XORed with a hard-coded key and combined with an additional\r\nhard-coded string in order to create the token:\r\nUnique token sent to the C2\r\nThe same key (“9c4arSBr32g6IOni”) is used to encrypt all commands sent to and received from the C2.\r\nStrifeWater RAT Key Commands\r\nThe StrifeWater RAT receives various commands from the C2, including:\r\nListing system files\r\nGoing through Windows folders function\r\nExecuting shell commands using cmd.exe\r\nExecuting cmd.exe function\r\nTaking screen captures\r\nTaking screen captures function\r\nPersistence\r\nThe RAT will create persistence using a scheduled task named: 
”Mozilla\\Firefox Default Browser Agent\r\n409046Z0FF4A39CB”\r\nCreating a scheduled task for persistence\r\nDownload an updated version of the RAT\r\nSelf deletion\r\nDownload files to the infected machine\r\nUpdating the sleep time between the malware’s responses (the default is 20-22 seconds)\r\nAuxiliary Modules\r\nThe StrifeWater RAT has the capability to download different modules based on the command received, although\r\nthe functionality of these modules is not known at the time of writing this report. The available extensions\r\nare named:\r\nmainfunc\r\nAh13\r\nmkb64\r\nstrt\r\nDownloading and loading the auxiliary module “mainfunc”\r\nIf the command to download the extension “strt” is received and the extension is already loaded, the RAT\r\nwill send the contents of a file named “C:\\users\\public\\libraries\\async.dat” to the C2.\r\nThis file probably contains data related to the functionality of the extension “strt”.\r\nC2 Communication Parameters\r\nThe StrifeWater RAT appears to distinguish the type of data being sent to the C2 by a parameter named\r\n“name” that is included in each packet to the C2. 
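Whatever the “name” value, the packet body is protected with the key given earlier in the report: the profiling string is XORed with the hard-coded key “9c4arSBr32g6IOni”, and the same key is used for every command sent to or received from the C2. That is a repeating-key XOR, which is its own inverse. The following Python is an added example for this edit, not Cybereason’s code or the malware’s own: it implements that scheme so a captured request body can be decoded, and it goes one step beyond the report by showing the known-plaintext key recovery such a scheme admits, which matters if a later build swaps the key but keeps the design. The hex transport encoding, the “|” field delimiter, and the sample profile string are assumptions; the additional hard-coded string the report says is mixed into the token is not given and is therefore left out.

```python
# Added example for this edit, not Cybereason's code or the malware's own.
# The report gives the key and says the profiling string and all C2 commands
# are XORed with it; the hex transport encoding and the '|' delimiter below
# are assumptions, and the extra hard-coded token string is not reproduced.
KEY = b'9c4arSBr32g6IOni'   # hard-coded key reported for StrifeWater


def xor_repeating(data: bytes, key: bytes = KEY) -> bytes:
    '''XOR data with a repeating key. Applying it twice returns the input.'''
    if not key:
        raise ValueError('key must not be empty')
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_for_c2(text: str, key: bytes = KEY) -> str:
    '''Protect a command or profiling string as the report describes (hex assumed).'''
    return xor_repeating(text.encode('utf-8'), key).hex()


def decode_from_c2(hexblob: str, key: bytes = KEY) -> str:
    '''Recover the plaintext of a captured request or response body.'''
    return xor_repeating(bytes.fromhex(hexblob), key).decode('utf-8', errors='replace')


def recover_key(known_plain: bytes, cipher: bytes, key_len: int = len(KEY)) -> bytes:
    '''Known-plaintext attack on repeating-key XOR: one plaintext/ciphertext pair
    of at least key_len bytes yields every key byte as plain[i] ^ cipher[i].
    Sixteen known bytes, e.g. the machine name and the start of the user name
    in a first beacon, are enough for a key of this length.'''
    if min(len(known_plain), len(cipher)) < key_len:
        raise ValueError('need at least key_len bytes of known plaintext')
    return bytes(known_plain[i] ^ cipher[i] for i in range(key_len))


# Constructed profiling string in the field order the report lists
# (machine name, user, OS version, architecture, time zone, privileges).
PROFILE = 'WS-FINANCE-07|jsmith|10.0.19044|x64|UTC+02:00|Administrator'

if __name__ == '__main__':
    blob = encode_for_c2(PROFILE)
    print('wire form:', blob)
    print('decoded  :', decode_from_c2(blob))
    # an analyst with a captured blob and a guessable first field recovers the key
    print('key      :', recover_key(PROFILE.encode(), bytes.fromhex(blob)))
```

Because XOR is symmetric, decode_from_c2 serves for both directions of the channel; with the key in hand, a proxy log of the RVP/index8.php requests can be decoded offline, and if a sample turns up with a different key, a single beacon whose leading fields can be guessed is enough to recover it.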
The parameter can be any value from “name0” to “name12”:\r\nC2 communication with parameter “name0”\r\nC2 communication with parameter “name2”\r\nC2 communication with parameter “name3”\r\nMeaning of the different “name” parameters:\r\nParameter | Data sent\r\nname0 | signal that a command is executing\r\nname1 | first communication with the C2\r\nname2 | sending a list of system files\r\nname3 | cmd shell command output\r\nname4 | sending a screen capture\r\nname5 | confirmation that a file has been downloaded\r\nname6 | sending the output of the extension “mainfunc”\r\nname7 | sending the “async.dat” file\r\nname8 | unknown\r\nname9 | request to download a file (update/extension)\r\nname10 | confirmation that the sleep time was updated successfully\r\nname11 | sending the output of the “mkb64” extension\r\nname12 | unknown\r\nName parameters table\r\nConclusion\r\nIn this report, the Cybereason Nocturnus Team analyzed a previously unknown RAT dubbed StrifeWater that is\r\nbeing used in targeted ransomware attacks carried out by the Iranian APT group Moses Staff. The StrifeWater\r\nRAT is suspected to be one of the main tools used to create a foothold in victim environments, and appears\r\nto be used only in the earlier stages of the attack.\r\nOur analysis suggests that the Moses Staff operators make conscious efforts to stay under the radar and avoid\r\ndetection until the last phase of the attack, when they deploy and execute their ransomware payload. Furthermore,\r\nour research shows that the Moses Staff modus operandi includes attempts to masquerade its arsenal as legitimate\r\nWindows software, along with the removal of their initial persistence and reconnaissance tools. 
This tactic helps\r\nprevent investigators from discovering the full flow of the attack, and thus the StrifeWater RAT remained\r\nundetected.\r\nMoses Staff’s goals seem aligned with Iran’s cyber warfare doctrine, seeking to sabotage government, military,\r\nand civilian organizations related to its geopolitical opponents. Unlike financially motivated cybercrime groups that\r\nuse ransomware to coerce their victims into paying a ransom, it is assessed that the Moses Staff group will leak\r\nsensitive information without demanding a ransom, and it was previously assessed that their goals are political\r\nin nature.\r\nThe emergence of new PyDCrypt malware samples further shows that the Iranian APT group Moses Staff is still\r\nactive and continues its nefarious activities and the development of its attack arsenal.\r\nThe Cybereason XDR Platform detects and blocks the StrifeWater RAT and other advanced TTPs used in this\r\noperation. Cybereason is dedicated to teaming with defenders to end attacks on the endpoint, across the enterprise, to\r\neverywhere the battle is taking place.\r\nMITRE ATT\u0026CK BREAKDOWN\r\nReconnaissance: Gather Victim Host Information; Gather Victim Identity Information\r\nExecution: Command-line Interface\r\nPersistence: Scheduled Task/Job\r\nDefense Evasion: Indicator Removal on Host; Masquerading\r\nAbout the Researcher\r\nTOM FAKTERMAN\r\nTom Fakterman, Cyber Security Analyst with the Cybereason Nocturnus Research Team, specializes in protecting\r\ncritical networks and incident response. 
Tom has experience in researching malware, computer forensics and\r\ndeveloping scripts and tools for automated cyber investigations.\r\nAbout the Author\r\nCybereason Nocturnus\r\nThe Cybereason Nocturnus Team has brought the world’s brightest minds from the military, government\r\nintelligence, and enterprise security to uncover emerging threats across the globe. They specialize in analyzing\r\nnew attack methodologies, reverse-engineering malware, and exposing unknown system vulnerabilities. The\r\nCybereason Nocturnus Team was the first to release a vaccination for the 2017 NotPetya and Bad Rabbit\r\ncyberattacks.\r\nAll Posts by Cybereason Nocturnus\r\nSource: https://www.cybereason.com/blog/research/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.cybereason.com/blog/research/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations"
	],
	"report_names": [
		"strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations"
	],
	"threat_actors": [
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-10T02:00:03.087356Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"COBALT MIRAGE",
				"Agent Serpens",
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "527e04ee-7f5f-49aa-8653-f893b43730bd",
			"created_at": "2022-10-25T16:07:24.512541Z",
			"updated_at": "2026-04-10T02:00:05.017592Z",
			"deleted_at": null,
			"main_name": "Moses Staff",
			"aliases": [
				"Abraham's Ax",
				"Cobalt Sapling",
				"DEV-0500",
				"G1009",
				"Marigold Sandstorm",
				"Vengeful Kitten",
				"White Dev 95"
			],
			"source_name": "ETDA:Moses Staff",
			"tools": [
				"DCSrv",
				"DCrSrv",
				"PyDCrypt",
				"StrifeWater",
				"StrifeWater RAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bef06c82-0f51-44ba-8451-049cd4ad8a52",
			"created_at": "2023-01-06T13:46:39.325635Z",
			"updated_at": "2026-04-10T02:00:03.288171Z",
			"deleted_at": null,
			"main_name": "MosesStaff",
			"aliases": [
				"Moses Staff",
				"Marigold Sandstorm",
				"DEV-0500",
				"VENGEFUL KITTEN"
			],
			"source_name": "MISPGALAXY:MosesStaff",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c4d0e4e1-5ad3-4455-8291-ce72a1e09e46",
			"created_at": "2022-10-27T08:27:13.055675Z",
			"updated_at": "2026-04-10T02:00:05.323068Z",
			"deleted_at": null,
			"main_name": "Moses Staff",
			"aliases": [
				"Moses Staff",
				"DEV-0500",
				"Marigold Sandstorm"
			],
			"source_name": "MITRE:Moses Staff",
			"tools": [
				"PyDCrypt",
				"PsExec",
				"DCSrv",
				"StrifeWater"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2bfa2cf4-e4ce-4599-ab28-d644208703d7",
			"created_at": "2025-08-07T02:03:24.764883Z",
			"updated_at": "2026-04-10T02:00:03.611225Z",
			"deleted_at": null,
			"main_name": "COBALT MIRAGE",
			"aliases": [
				"DEV-0270 ",
				"Nemesis Kitten ",
				"PHOSPHORUS ",
				"TunnelVision ",
				"UNC2448 "
			],
			"source_name": "Secureworks:COBALT MIRAGE",
			"tools": [
				"BitLocker",
				"Custom powershell scripts",
				"DiskCryptor",
				"Drokbk",
				"FRPC",
				"Fast Reverse Proxy (FRP)",
				"Impacket wmiexec",
				"Ngrok",
				"Plink",
				"PowerLessCLR",
				"TunnelFish"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6a5293c8-2a88-4a33-927a-4a0c946dc867",
			"created_at": "2025-08-07T02:03:24.778647Z",
			"updated_at": "2026-04-10T02:00:03.647413Z",
			"deleted_at": null,
			"main_name": "COBALT SAPLING",
			"aliases": [
				"Abraham's Ax ",
				"DEV-0500",
				"Marigold Sandstorm ",
				"Moses Staff ",
				"Vengeful Kitten "
			],
			"source_name": "Secureworks:COBALT SAPLING",
			"tools": [
				"DCSrv",
				"PyDcrypt",
				"StrifeWater RAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434585,
	"ts_updated_at": 1775792040,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b537cfbef49fe7ba0744a3a0d2786af8751f3a67.pdf",
		"text": "https://archive.orkl.eu/b537cfbef49fe7ba0744a3a0d2786af8751f3a67.txt",
		"img": "https://archive.orkl.eu/b537cfbef49fe7ba0744a3a0d2786af8751f3a67.jpg"
	}
}