Clankerusecase
Threat-actor profile
 ← Back to main site
Home/ Threat Actors/ Moses Staff

🌐Moses Staff

🌐 Moses Staff is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: Criminal. We map 14 detection use cases to this actor across 12 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

View full actor card → All threat actors MITRE ATT&CK group spec (G1009) ↗
14Use cases
0Articles
12Techniques
0IOCs

About this actor (MITRE)

[Moses Staff](https://attack.mitre.org/groups/G1009) is a suspected Iranian threat group that has primarily targeted Israeli companies since at least September 2021. [Moses Staff](https://attack.mitre.org/groups/G1009) openly stated their motivation in attacking Israeli companies is to cause damage by leaking stolen sensitive data and encrypting the victim's networks without a ransom demand.(Citation: Checkpoint MosesStaff Nov 2021) Security researchers assess [Moses Staff](https://attack.mitre.org/groups/G1009) is politically motivated, and has targeted government, finance, travel, energy,

Known aliases

Moses StaffDEV-0500Marigold Sandstorm

Top techniques

T1016 · System Network Configuration DiscoveryT1021.002 · SMB/Windows Admin SharesT1027.013 · Encrypted/Encoded File

All other tracked techniques

T1082 · System Information DiscoveryT1087.001 · Local AccountT1105 · Ingress Tool TransferT1190 · Exploit Public-Facing ApplicationT1505.003 · Web ShellT1553.002 · Code SigningT1587.001 · MalwareT1588.002 · ToolT1686.003 · Windows Host Firewall

Detection use cases (14)

Moses Staff DCSrv wiper service install (DiskCryptor-fork driver) AI · profile SΣ Moses Staff PyDCrypt loader fan-out via PsExec / WMI to admin shares AI · profile S Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) MITRE match Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution MITRE match Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress MITRE match Post-Auth Privilege Boundary Crossing on Edge/Management Appliances (low-priv -> admin within 10m) MITRE match Self-hosted application service spawns shell or SSH within seconds of inbound unauthenticated API write MITRE match Server / AI-agent process spawns shell or LOLBIN with public egress — post-RCE behavioural chain MITRE match Service-process parent spawns subprocess containing CLI-argument-injection tokens MITRE match Web App Interpreter (Node/Python/Java/PHP) Spawns Shell or Net-Download LOLBin on Internet-Facing Host MITRE match Web-Server Process Post-Exploit Anchor: Plugin/Extension RCE Leading to Shell Spawn or Webroot Script Drop MITRE match Authentication not detected on admin API endpoint MITRE match