{
	"id": "caffb3f7-96b4-4d73-8438-44db86d6314b",
	"created_at": "2026-04-06T00:10:55.543204Z",
	"updated_at": "2026-04-10T13:12:55.788155Z",
	"deleted_at": null,
	"sha1_hash": "d70bd166a950e8851f1496a523bea5ae1d5ce975",
	"title": "Guard Your Drive from DriveGuard: Moses Staff Campaigns Against Israeli Organizations Span Several Months | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 619013,
	"plain_text": "Guard Your Drive from DriveGuard: Moses Staff Campaigns Against Israeli Organizations Span Several Months | FortiGuard Labs\r\nBy Rotem Sde-Or\r\nPublished: 2022-02-15 · Archived: 2026-04-05 16:05:18 UTC\r\nOver the past year, FortiEDR has prevented multiple attacks that attempted to exploit various Microsoft Exchange server vulnerabilities, some of which we have previously covered.\r\nAmong these attacks, we identified a campaign operated by Moses Staff, a geopolitically motivated threat group believed to be sponsored by the Iranian government. After tracking this campaign for the last several months, we found that the group has been using a custom multi-component toolset for the purpose of conducting espionage against its victims.\r\nThis campaign exclusively targets Israeli organizations. Close examination reveals that the group has been active for over a year, much earlier than the group’s first official public exposure, managing to stay under the radar with an extremely low detection rate.\r\nIn this blog, we will cover the Tactics, Techniques, and Procedures (TTPs) used by Moses Staff and reveal a new backdoor used by them to download files, execute payloads, and exfiltrate data from target networks, along with threat intelligence data on their activities.\r\nAffected Platforms: Windows\r\nImpacted Users: Windows Users\r\nImpact: Data theft and execution of additional malicious payloads\r\nSeverity Level: Critical\r\nInfection Vector\r\nThe initial infiltration was accomplished by leveraging the ProxyShell exploit in Microsoft Exchange servers to allow an unauthenticated attacker to execute arbitrary commands on them through an exposed HTTP/S port. As a result, the attackers were able to deploy two web shells:\r\nC:/inetpub/wwwroot/aspnet_client/system_web/iispool.aspx\r\nC:/inetpub/wwwroot/aspnet_client/system_web/map.aspx\r\nThese two web shells are used in conjunction with one another, and some of their functionalities overlap. On numerous occasions, map.aspx was used to validate the results of the commands executed by iispool.aspx.\r\nPost infection, the attackers dedicated several days to the exfiltration of PST files and other sensitive data from the compromised server. Next, they attempted to steal credentials by creating a memory dump of lsass.exe using a LOLBin. Finally, the attackers dropped and installed the backdoor components.\r\nhttps://www.fortinet.com/blog/threat-research/guard-your-drive-from-driveguard\r\nPage 1 of 16\r\nFigure 1: Command line for dumping memory for lsass.exe\r\nExecution Chain\r\nThe loader resides in C:\\Windows\\System32\\drvguard.exe. When executed with the “-I” command-line argument, it installs itself as a service named DriveGuard.\r\nFigure 2: DriveGuard service properties\r\nThe loader is responsible for executing the backdoor component and then monitoring its process, re-executing it whenever it has stopped. In addition, it launches a watchdog mechanism that ensures its own service is never stopped. The following flow chart illustrates the described process:\r\nFigure 3: Loading mechanism flow\r\nIf the backdoor does not exist on the disk, the loader creates it by reading the content of C:\\Windows\\System32\\rsc.dat and restoring its DOS header magic value to 4D 5A 90. The valid executable is written to disk at C:\\Windows\\System32\\broker.exe.\r\nFigure 4: rsc.dat – the backdoor without magic bytes in the header\r\nThe next step is to execute the backdoor. When doing so, the loader attempts to spoof the backdoor’s parent process to be svchost.exe. This is achieved by calling CreateProcess and setting the parent process attribute (PROC_THREAD_ATTRIBUTE_PARENT_PROCESS) to the first svchost.exe process found in the system. Parent process spoofing may aid in the evasion of security products. Generally, this method may also be used for gaining SYSTEM privileges, but in our case, the loader is already running as a system service. If the spoofing fails, the loader will run the backdoor without it.\r\nThe backdoor is executed with the command-line argument “-ser”.\r\nService Watchdog\r\nThe loader also sets a watchdog to ensure it remains operational. The watchdog module, lic.dll, is injected into a newly spawned lsass.exe process.\r\nThe injection is implemented in inj.dll, which uses VirtualAllocEx and SetThreadContext to run shellcode in the target process. The shellcode loads a DLL and then jumps back to the previous instruction pointer of the thread. Subsequently, lic.dll begins to monitor the DriveGuard service, restarting it whenever it has stopped. In addition, it ensures that the DriveGuard service is always configured to start automatically on system startup.\r\nFigure 5: The shellcode injected by inj.dll into lsass.exe\r\nBroker Backdoor\r\nThe backdoor component oversees receiving and executing commands from the C2 server. It runs only if it receives the command-line argument “-ser”. Otherwise, it triggers a divide-by-zero exception. This is most likely an attempt to thwart dynamic analysis by automated security products such as sandboxes.\r\nTo ensure that only one instance of the backdoor is running on the system, it creates an event called “Program event”.\r\nFigure 6: Event created by the backdoor\r\nConfiguration\r\nThe backdoor’s configuration is stored encrypted in a file at C:\\Users\\Public\\Libraries\\cfg.dat. The encryption scheme used is XOR-based and can be decrypted by the following Python code. The hardcoded key is consistent throughout all the samples in our possession.\r\ndef decrypt(encrypted):\r\n    # encrypted: the raw bytes of cfg.dat; the 16-byte key is hardcoded in the backdoor\r\n    key = '9c4arSBr32g6IOni'\r\n    result = ''\r\n    for i in range(len(encrypted)):\r\n        key_char = ord(key[i % 16]) + 4\r\n        enc_char = encrypted[i]\r\n        result_char = (key_char ^ enc_char) + 4\r\n        result += chr(result_char)\r\n    return result\r\nFigure 7: Python implementation of the decryption routine for the configuration file\r\nThe decrypted configuration contains two sets of C2 and URI addresses, alongside a time interval, in seconds, that determines the frequency at which to contact the server. A random value between 0 and 2 seconds is added to the interval to cause jitter.\r\nIf the configuration file does not exist, the malware uses plaintext configuration values hardcoded in the executable. In our samples, these values are identical to the ones in the configuration file.\r\nFigure 8: Decrypted backdoor configuration\r\nCommunicate Your “Boundries”\r\nThe main part of the malware oversees communication with the server, parsing its responses and executing commands. The backdoor first sends a POST request, as can be seen in figure 9, to the first configured server. It alternates between contacting the two servers depending on their status, switching between them when they are unresponsive or return empty replies.\r\nFigure 9: HTTP POST request sent by the backdoor to the C2\r\nThe request looks like encoded HTML form data that is delimited by a boundary value which appears to contain a misspelled \"BoundrySign\" string. The noteworthy fields in the request are token and data.\r\nThe data field contains information about the infected machine. The machine time zone has been chosen by the attackers for the purpose of regional attribution. This string is encrypted with the same algorithm and key that were used to encrypt the configuration file.\r\nFigure 10: Format of victim information sent to the C2\r\nInterestingly, the malware fails to retrieve the correct OS version due to usage of the deprecated GetVersionEx API, which causes executables without updated manifests to invariably return the Windows 8 value while actually running on a newer operating system.\r\nThe token field is composed of the hostname, username, and an ID. The hostname and username are encrypted with a ROT5 Caesar cipher, meaning that 5 is added to each character’s ASCII value. The encrypted result is then appended to the ID.\r\nFigure 11: Format of unique identifier sent to the C2\r\nThe ID is hardcoded in the binary and is a distinctive identifier of a specific target organization. Namely, backdoor binaries are specially compiled per target before they are deployed by the threat actor.\r\nThe backdoor continually queries the server for commands. In the event of five consecutive unsuccessful queries, the backdoor will switch to contacting the backup server. An unsuccessful query is considered to be one of the following:\r\nThe server is unresponsive.\r\nThe parsed response starts with the byte 0xA.\r\nThe parsed response is empty.\r\nThe server response is parsed until the first “]” character and everything after is disregarded. If the response lacks a “]” it is treated as an empty response.\r\nIf the parsed server response is “on”, the backdoor will continue to query the same server without switching to the backup server. Any other response is treated as a command. As such, it is decrypted with the same algorithm and key as specified previously. If the decrypted response data is self, the backdoor stops executing. Otherwise, it proceeds to parse the decrypted data as a command with the following format:\r\nFigure 12: Format of commands sent by the C2\r\nType – The command type. This can be one of the values from the “Type” column in the Commands table.\r\nArg1…Arg4 – The command arguments. Not all arguments are provided for every command, in which case their value will be the string “null”.\r\nID – A unique identifier. This ID is sent to the server alongside the command results to associate the results with the executed command.\r\nSupported Commands\r\nThe following is a list of the commands that the backdoor may receive from the server. Several commands involve downloading additional DLLs from the server and executing them. The functionality of these modules is unknown at this time.\r\nType\tDescription\r\nfe\tDirectory listing (recursive).\r\nce\tExecute command line.\r\ndw\tUpload a file from the disk to the C2.\r\nup\tDownload a file from the C2 and save to the disk.\r\nsb\tDownload a DLL from the C2 and execute it using LoadLibrary, calling its “mainfunc” export.\r\ntlg\tDownload a DLL from the C2 and execute it using LoadLibrary, calling its “mkb64” export.\r\nrns\tDownload a DLL from the C2 and execute it using LoadLibrary, calling its “mkb64” export.\r\nint\tUpdate the interval field in the configuration.\r\nki\tDelete the malware from the disk using a CMD command. This may potentially be used in conjunction with the self command for complete self-destruction.\r\nupd\tUpdate the tool by running CMD commands to replace the current module on the disk with a file received from the C2.\r\nho*\tUpdate the C2 and URI fields in the configuration.\r\ninf*\tSend the configuration content and the malware’s filename to the C2.\r\ncmprs*\t7-zip compress using ar.dll and ar.dat utilities. If they are not present on the disk, the tool downloads them from the C2.\r\nsc**\tCapture a screenshot, saving it to C:\\Users\\Public\\Libraries\\tmp.bin before sending it unencrypted to the C2.\r\nkl**\tThe command name and its operation imply keylogger functionality. The first time this command is received, the malware will download a DLL from the C2 and execute it using LoadLibrary, calling its “strt” export. Upon subsequent receipts of this command, the contents of C:\\Users\\Public\\Libraries\\async.dat will be sent to the C2. This DLL most likely writes its output to that file. However, as it is not in our possession, we cannot confirm this.\r\nau**\tEstablish scheduled task persistence for itself using the following command: SCHTASKS /CREATE /TN \"Mozilla\\Firefox Default Browser Agent 409046Z0FF4A39CB\" /ST 11:00 /F /SC DAILY /TR “\u003cCURRENT_EXECUTABLE\u003e”\r\nFigure 13: List of supported commands\r\n* Command present in the newer versions only\r\n** Command present in the older versions only\r\nHistory of Operations\r\nUsing Yara rules in VirusTotal’s retrohunt engine, we detected two older samples of the backdoor. Both samples were uploaded around the end of December 2020, which leads us to believe that this campaign has been operating for at least a year. Until recently, they had been flying under the radar with a very low detection rate.\r\nFigure 14: VirusTotal entries of the older backdoor versions\r\nThe most notable differences between the versions are the configuration file and the commands.\r\nIn lieu of a configuration file, the older variants exclusively use values hardcoded in the binary. In terms of commands, a few modifications have taken place between the versions. As can be seen in figure 13, various new commands have been added to the latest samples, while other commands have been eliminated. Although commands were removed, we assess that the code might have been moved to one of the modules that can be fetched from the server.\r\nCertain modifications may aim to improve covertness and hinder detection. For example, the older samples were able to receive the “au” command to register a scheduled task using a command line that was hardcoded in the binary. On the other hand, in recent attacks, we observed task registration via a scheduled task XML file that was dropped by the backdoor.\r\nThe last minor difference between versions is the name of the event. Older versions created an event called “program Event”. This capitalization error was corrected in the recent versions.\r\nSearching for the C2 addresses in FortiGuard Labs’ threat intelligence systems shows a large spike in traffic volume during April 2021. This indicates that the group was operational long before their initial public exposure. All the network traffic to the malicious servers originated from Israeli IP addresses.\r\nFigure 15: FortiGuard Labs' historical data for C2 IP address\r\nFigure 16: FortiGuard Labs’ historical data for C2 domain name\r\nDuring our investigations, we were able to take over and sinkhole the techzenspace[.]com domain in the beginning of January 2022. This was done to try and prevent the backdoor from operating for the near future while attempting to identify additional infected organizations that are not Fortinet customers.\r\nAttribution\r\nWe were able to attribute the iispool.aspx web shell to the Moses Staff group based on past research. Both the web shell path and its code are identical to the ones previously reported. Another recent publication referenced in the previous section reaffirms our attribution.\r\nAll victims are Israeli organizations belonging to various industries. Although the attacks we identified did not reach a destructive stage, we can’t rule out the possibility that the backdoor is used before that to exfiltrate data from target networks.\r\nConclusion\r\nWe have been monitoring Moses Staff operations closely these past few months. We have analyzed new TTPs and attributed a new set of tools to the group, including a backdoor, a loader and a web shell.\r\nThe group is highly motivated, capable, and set on damaging Israeli entities. While they have been operating continuously and vigorously since late 2020, they were only publicly acknowledged about a year later. At this point, they continue to depend on 1-day exploits for their initial intrusion phase.\r\nAlthough the attacks we identified were carried out for espionage purposes, this does not negate the possibility that the operators will later turn to destructive measures. We believe that ransomware or wipers may not have been deployed because FortiEDR blocked earlier stages of the attack.\r\nFortinet Protections\r\nFortiEDR detects and blocks these threats out-of-the-box without any prior knowledge or special configuration. It does this using its post-execution prevention engine to identify malicious activities:\r\nFigure 17: FortiEDR blocking the memory dumping attempt of lsass.exe\r\nFigure 18: FortiEDR blocking the backdoor communication\r\nAll network IOCs have been added to the FortiGuard WebFiltering blocklist.\r\nThe FortiGuard AntiVirus service engine is included in Fortinet’s FortiGate, FortiMail, FortiClient, and FortiEDR solutions. FortiGuard AntiVirus has coverage in place as follows:\r\nASP/Webshell.DW!tr\r\nW64/Agent.AVV!tr\r\nW32/Agent.UWN!tr\r\nW32/Agent.UYS!tr\r\nW64/Agent.AVS!tr\r\nW64/Agent.AVU!tr\r\nIn addition, as part of our membership in the Cyber Threat Alliance, details of this threat were shared in real time with other Alliance members to help create better protections for customers.\r\nAppendix A – MITRE ATT\u0026CK Techniques\r\nID\tDescription\r\nT1190\tExploit Public-Facing Application\r\nT1505.003\tServer Software Component: Web Shell\r\nT1083\tFile and Directory Discovery\r\nT1003.001\tOS Credential Dumping: LSASS Memory\r\nT1005\tData from Local System\r\nT1114\tEmail Collection\r\nT1569.002\tSystem Services: Service Execution\r\nT1480\tExecution Guardrails\r\nT1134.004\tAccess Token Manipulation: Parent PID Spoofing\r\nT1055\tProcess Injection\r\nT1140\tDeobfuscate/Decode Files or Information\r\nT1071.001\tApplication Layer Protocol: Web Protocols\r\nT1082\tSystem Information Discovery\r\nT1033\tSystem Owner/User Discovery\r\nT1573.001\tEncrypted Channel: Symmetric Cryptography\r\nT1008\tFallback Channels\r\nT1059.003\tCommand and Scripting Interpreter: Windows Command Shell\r\nT1113\tScreen Capture\r\nT1053.005\tScheduled Task/Job: Scheduled Task\r\nT1041\tExfiltration Over C2 Channel\r\nAppendix B: IOCs\r\nFile Hashes (SHA256)\r\n2ac7df27bbb911f8aa52efcf67c5dc0e869fcd31ff79e86b6bd72063992ea8ad (map.aspx)\r\nff15558085d30f38bc6fd915ab3386b59ee5bb655cbccbeb75d021fdd1fde3ac (agent4.exe)\r\ncafa8038ea7e46860c805da5c8c1aa38da070fa7d540f4b41d5e7391aa9a8079 (calc.exe)\r\nFile Names\r\niispool.aspx\r\nmap.aspx\r\ndrvguard.exe\r\nagent4.exe\r\ncalc.exe\r\ninj.dll\r\nlic.dll\r\nEvent Names\r\nprogram Event\r\nProgram event\r\nIPs\r\n87.120.8[.]210\r\nDomains\r\ntechzenspace[.]com\r\nURLs\r\nhxxp://87.120.8.210:80/RVP/index3.php\r\nhxxp://techzenspace.com:80/RVP/index8.php\r\nLearn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard Security Subscriptions and Services portfolio.\r\nSource: https://www.fortinet.com/blog/threat-research/guard-your-drive-from-driveguard",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/guard-your-drive-from-driveguard"
	],
	"report_names": [
		"guard-your-drive-from-driveguard"
	],
	"threat_actors": [
		{
			"id": "527e04ee-7f5f-49aa-8653-f893b43730bd",
			"created_at": "2022-10-25T16:07:24.512541Z",
			"updated_at": "2026-04-10T02:00:05.017592Z",
			"deleted_at": null,
			"main_name": "Moses Staff",
			"aliases": [
				"Abraham's Ax",
				"Cobalt Sapling",
				"DEV-0500",
				"G1009",
				"Marigold Sandstorm",
				"Vengeful Kitten",
				"White Dev 95"
			],
			"source_name": "ETDA:Moses Staff",
			"tools": [
				"DCSrv",
				"DCrSrv",
				"PyDCrypt",
				"StrifeWater",
				"StrifeWater RAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bef06c82-0f51-44ba-8451-049cd4ad8a52",
			"created_at": "2023-01-06T13:46:39.325635Z",
			"updated_at": "2026-04-10T02:00:03.288171Z",
			"deleted_at": null,
			"main_name": "MosesStaff",
			"aliases": [
				"Moses Staff",
				"Marigold Sandstorm",
				"DEV-0500",
				"VENGEFUL KITTEN"
			],
			"source_name": "MISPGALAXY:MosesStaff",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c4d0e4e1-5ad3-4455-8291-ce72a1e09e46",
			"created_at": "2022-10-27T08:27:13.055675Z",
			"updated_at": "2026-04-10T02:00:05.323068Z",
			"deleted_at": null,
			"main_name": "Moses Staff",
			"aliases": [
				"Moses Staff",
				"DEV-0500",
				"Marigold Sandstorm"
			],
			"source_name": "MITRE:Moses Staff",
			"tools": [
				"PyDCrypt",
				"PsExec",
				"DCSrv",
				"StrifeWater"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6a5293c8-2a88-4a33-927a-4a0c946dc867",
			"created_at": "2025-08-07T02:03:24.778647Z",
			"updated_at": "2026-04-10T02:00:03.647413Z",
			"deleted_at": null,
			"main_name": "COBALT SAPLING",
			"aliases": [
				"Abraham's Ax ",
				"DEV-0500",
				"Marigold Sandstorm ",
				"Moses Staff ",
				"Vengeful Kitten "
			],
			"source_name": "Secureworks:COBALT SAPLING",
			"tools": [
				"DCSrv",
				"PyDcrypt",
				"StrifeWater RAT"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434255,
	"ts_updated_at": 1775826775,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d70bd166a950e8851f1496a523bea5ae1d5ce975.pdf",
		"text": "https://archive.orkl.eu/d70bd166a950e8851f1496a523bea5ae1d5ce975.txt",
		"img": "https://archive.orkl.eu/d70bd166a950e8851f1496a523bea5ae1d5ce975.jpg"
	}
}