← All Threat Actors
Threat Actor Profile

Moses Staff

DEV-0500 G1009 Marigold Sandstorm
▲ High Threat
Israeli Academic and Tech Phishing, Video Conferencing Collaboration Lures, State-Infrastructure Operational Leak
Origin Iran
Sponsor Government of Iran (IRGC-CEC)
Motivation Political espionage, sabotage, and anti-Israel ideological operations

Target Sectors

Government Critical Infrastructure Defense Finance Energy Academia Media Telecommunications

Known TTPs

Exploitation of public-facing applications (e.g., Microsoft Exchange)
Spear-phishing using malicious LNK files and MFA-intercepting React kits
Lateral movement via PsExec, WMIC, and PowerShell
Deployment of custom cryptographic wipers (PyDCrypt, DCSrv)
Telegram-based Command and Control (C2)
Disabling Windows Host Firewall via batch scripts
Use of obfuscated web shells for persistence

External Resources

CISA Advisories ↗

Related Intelligence

Hacking the mainframe…

LINK COPIED TO CLIPBOARD