Threat Actor Profile
Medium
Cybercriminal
Description
Cybereason Nocturnus describes Moses Staff as an Iranian hacker group, first spotted in October 2021. Their motivation appears to be to harm Israeli companies by leaking sensitive, stolen data.
Confidence Score
Tags
ransomware
ransomware.live
First Seen
Unknown
Last Updated
Unknown
Active Status
ActiveCreated
April 29, 2026
Indicators of Compromise
Loading IOCs…
IOC KQL for Sentinel
STIX Data
{'added_date': None,
'client': '2003264@sit.singaporetech.edu.sg',
'description': 'Cybereason Nocturnus describes Moses Staff as an Iranian '
'hacker group, first spotted in October 2021. Their motivation '
'appears to be to harm Israeli companies by leaking sensitive, '
'stolen data.',
'firstseen': '2021-12-18T16:06:44.987525+00:00',
'group': 'mosesstaff',
'has_negotiations': False,
'has_ransomnote': False,
'lastseen': '2021-12-18T16:06:45.338411+00:00',
'locations': [{'available': False,
'fqdn': 'moses-staff.se',
'slug': 'https://moses-staff.se/activities/',
'title': 'Database Error',
'type': 'DLS'},
{'available': False,
'fqdn': 'mosesstaffm7hptp.onion',
'slug': 'http://mosesstaffm7hptp.onion',
'title': '',
'type': 'DLS'}],
'negotiation_count': 0,
'ransomnotes_count': 0,
'tiaras_metadata': {'has_negotiations': False,
'has_ransomnote': False,
'locations': [{'available': False,
'fqdn': 'moses-staff.se',
'slug': 'https://moses-staff.se/activities/',
'title': 'Database Error',
'type': 'DLS'},
{'available': False,
'fqdn': 'mosesstaffm7hptp.onion',
'slug': 'http://mosesstaffm7hptp.onion',
'title': '',
'type': 'DLS'}],
'negotiation_count': 0,
'ransomnotes_count': 0,
'ransomware_live_group': 'mosesstaff',
'tools': {},
'url': 'https://www.ransomware.live/group/mosesstaff',
'victims': 16,
'vulnerabilities': []},
'tiaras_source': 'ransomware.live',
'tools': {},
'ttps': [],
'url': 'https://www.ransomware.live/group/mosesstaff',
'victims': 16,
'vulnerabilities': []}