Threat Actor Profile
High APT
Description

Moses Staff is a suspected Iranian threat group that has primarily targeted Israeli companies since at least September 2021. Moses Staff openly stated their motivation in attacking Israeli companies is to cause damage by leaking stolen sensitive data and encrypting the victim's networks without a ransom demand.(Citation: Checkpoint MosesStaff Nov 2021) Security researchers assess Moses Staff is politically motivated, and has targeted government, finance, travel, energy, manufacturing, and utility companies outside of Israel as well, including those in Italy, India, Germany, Chile, Turkey, the UAE, and the US.(Citation: Cybereason StrifeWater Feb 2022)

Confidence Score
90%
Known Aliases
Moses Staff, DEV-0500, Marigold Sandstorm
Tags
mitre-attack, stix-2.1, intrusion-set
First Seen

Unknown

Last Updated

Unknown

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (12)
T1105 - Ingress Tool Transfer (Command and Control)
T1027.013 - Encrypted/Encoded File (Defense Evasion)
T1553.002 - Code Signing (Defense Evasion)
T1562.004 - Disable or Modify System Firewall (Defense Evasion)
T1016 - System Network Configuration Discovery (Discovery)
T1082 - System Information Discovery (Discovery)
T1087.001 - Local Account (Discovery)
T1190 - Exploit Public-Facing Application (Initial Access)
T1021.002 - SMB/Windows Admin Shares (Lateral Movement)
T1505.003 - Web Shell (Persistence)
T1587.001 - Malware (Resource Development)
T1588.002 - Tool (Resource Development)
STIX Data
{'aliases': ['Moses Staff', 'DEV-0500', 'Marigold Sandstorm'],
 'created': '2022-08-11T22:47:27.686Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': '[Moses Staff](https://attack.mitre.org/groups/G1009) is a '
                'suspected Iranian threat group that has primarily targeted '
                'Israeli companies since at least September 2021. [Moses '
                'Staff](https://attack.mitre.org/groups/G1009) openly stated '
                'their motivation in attacking Israeli companies is to cause '
                'damage by leaking stolen sensitive data and encrypting the '
                "victim's networks without a ransom demand.(Citation: "
                'Checkpoint MosesStaff Nov 2021) \n'
                '\n'
                'Security researchers assess [Moses '
                'Staff](https://attack.mitre.org/groups/G1009) is politically '
                'motivated, and has targeted government, finance, travel, '
                'energy, manufacturing, and utility companies outside of '
                'Israel as well, including those in Italy, India, Germany, '
                'Chile, Turkey, the UAE, and the US.(Citation: Cybereason '
                'StrifeWater Feb 2022)',
 'external_references': [{'external_id': 'G1009',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G1009'},
                         {'description': '(Citation: Microsoft Threat Actor '
                                         'Naming July 2023)',
                          'source_name': 'DEV-0500'},
                         {'description': '(Citation: Microsoft Threat Actor '
                                         'Naming July 2023)',
                          'source_name': 'Marigold Sandstorm'},
                         {'description': 'Checkpoint Research. (2021, November '
                                         '15). Uncovering MosesStaff '
                                         'techniques: Ideology over Money. '
                                         'Retrieved August 11, 2022.',
                          'source_name': 'Checkpoint MosesStaff Nov 2021',
                          'url': 'https://research.checkpoint.com/2021/mosesstaff-targeting-israeli-companies/'},
                         {'description': 'Cybereason Nocturnus. (2022, '
                                         'February 1). StrifeWater RAT: '
                                         'Iranian APT Moses Staff Adds New '
                                         'Trojan to Ransomware Operations. '
                                         'Retrieved August 15, 2022.',
                          'source_name': 'Cybereason StrifeWater Feb 2022',
                          'url': 'https://www.cybereason.com/blog/research/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations'},
                         {'description': 'Microsoft . (2023, July 12). How '
                                         'Microsoft names threat actors. '
                                         'Retrieved November 17, 2023.',
                          'source_name': 'Microsoft Threat Actor Naming July '
                                         '2023',
                          'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'}],
 'id': 'intrusion-set--4c4a7846-45d5-4761-8eea-725fa989914c',
 'modified': '2024-04-11T00:39:25.190Z',
 'name': 'Moses Staff',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'intrusion-set',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Hiroki Nagahama, NEC Corporation',
                          'Pooja Natarajan, NEC Corporation India',
                          'Manikantan Srinivasan, NEC Corporation India'],
 'x_mitre_deprecated': False,
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_version': '2.0'}