Go to listing page

Cobalt Sapling Uses Multiple Personas for Pro-Iranian Missions

Cobalt Sapling Uses Multiple Personas for Pro-Iranian Missions
Researchers linked the activities of the politically motivated hacker known as Moses Staff with another recently identified threat named Abraham's Ax. Both are thought to be two different identities known to be working jointly for a common group named Cobalt Sapling.

Diving into details

Researchers from SecureWorks identified multiple common characteristics, including the use of videography, iconography, leak sites, and toolsets for both sub-groups.
  • They operate without any financial incentives, and their attacks are carried out to disrupt the victim’s digital infrastructure, unseeking any financial gains. 
  • They were found using the same subnet to host their WordPress-based leak sites in their early stages. Moreover, the leak site of Abraham's Ax appears to mirror the same icons, videos, and stock images as that of Moses Staff.
  • Moreover, they rely on the same custom cryptographic wiper malware for encrypting the victim’s data.

The overlaps in the operations and motivations of both point toward a common threat group, which is Cobalt Sapling.

A brief about Abraham's Ax

Abraham's Ax was first observed in November 2022, with clear motivations of carrying out information operations designed to destabilize delicate Israel-Saudi Arabia relations.
  • The group targets Saudi Arabian government ministries. This is likely done against Saudi Arabia’s increasing role in improving the relationship between Israel and Arab nations.
  • It claims to be working on behalf of the Hezbollah Ummah, however, there is no major evidence to support this claim.

Moses Staff 

Moses Staff claims to be an anti-Israel group, thought to be working under the sponsorship of the Iranian government.
It is known to sabotage its targets using tools different tools such as StrifeWater RAT and the open-source utility, DiskCryptor. 
Its pro-Palestinian operations are aimed at exposing the crimes of the Zionists in occupied Palestine.

Complementary missions 

According to the report, the new persona Abraham's Ax is not meant to replace the existing Moses Staff, but to carry out additional activities.
  • The leak site and the Telegram channel of Moses Staff remained active even after the emergence of Abraham’s Ax.
  • While Moses Staff’s operations directly target the interests of the Israeli government, Abraham's Ax has been observed targeting other countries, including Saudi Arabia, working on improving the relationship between Israel and Arab nations.

Ending notes

In the past few years, several hacktivist groups have emerged claiming to operate against the enemies of Iran. To stay protected, experts recommend organizations audit the access controls by leveraging the available IOCs. Subscribe to our CSAP program to receive IOCs and other quick threat updates.
Cyware Publisher