A relatively new cybercrime organization, Moses Staff, has taken credit for multiple attacks targeting Israeli companies. Since its inception, the APT has been actively breaching networks, purely for political and destructive purposes. 


  • In September 2021, CheckPoint researchers first spotted activities related to the Moses Staff hacking group.
  • The group is the third of its kind that majorly targets Israeli organizations, after Pay2Key and Black Shadow attack groups.
  • Researchers noted that the politically-motivated hacking group did not engage in a ransom negotiation process after encrypting a victim’s data.  
  • It leveraged old vulnerabilities such as unpatched Microsoft Exchange servers to breach networks. They used PSExec, WMIC, and PowerShell to move deeper inside the victim’s network.
  • The hackers also operate a Telegram channel and Twitter account where they announce new victims they add to their leak site.

What’s the latest update?

  • As per a new update shared by Cybereason Nocturnus Team, the APT group has made improvements in tactics and techniques to target several organizations located across Italy, India, Germany, China, Turkey, the UAE, and the U.S.
  • The hacker group has also been associated with a new StrifeWater RAT that is capable of capturing screenshots, executing malicious commands, and downloading additional extensions.
  • A variant of PyDCrypt, StrifeWater RAT was used by Moses Staff in the initial stage of the attack. 
  • In a different finding, the Iran-backed threat actors were blamed for exploiting various Microsoft Exchange servers for targeting Israeli organizations. As a part of this attack campaign that spanned for several months, Moses Staff had used a new set of tools, including a backdoor, a loader, and a web shell. 


Moses Staff operators are making conscious efforts to stay under the radar and avoid detection until the last phase of the attacks. While the initial campaigns were focused on sabotaging government, military, and civilian organizations in Israel, the group has begun to set its eyes on other organizations across other countries. Additionally, the continuous development of its attack arsenal indicates the potential for many more sophisticated attacks in the future. 

Cyware Publisher