Iran6 malware familiesExploits CVEs in the wild

Moses Staff

Also known asDEV-0500DEV-500Marigold Sandstormmoses_staffmosesstaffVENGEFUL KITTEN

Moses Staff is an alleged Iranian threat actor, also tracked as DEV-0500 / DEV-500, Marigold Sandstorm, MosesStaff, and Vengeful Kitten. The group was first identified on underground forums in September 2021. Reporting in the provided content states that Moses Staff primarily targets Israeli organizations, stealing and publishing sensitive data, and has also targeted organizations in Italy, India, Germany, Chile, Turkey, the UAE, and the United States. The content describes the group as primarily disruptive rather than financially motivated, noting that it typically does not provide a practical way for victims to pay a ransom and decrypt data. Observed tradecraft in the provided content includes exploitation of public-facing applications, including known vulnerabilities in Microsoft Exchange servers (T1190); use of obfuscated web shells (T1505.003) and IIS components (T1505.004) for persistence; command and scripting interpreter execution (T1059); system network configuration discovery such as collecting the domain name of a compromised network (T1016); system information discovery including collecting infected host machine names and OS architecture; and defense evasion through disabling or modifying the system firewall (T1562.004). The group has used the legitimate open-source DiskCryptor utility, including signed drivers from DiskCryptor, to evade detection and encrypt volumes. The content also associates Moses Staff with custom tools including PyDCrypt, DCSrv, and StrifeWater. PyDCrypt is described as a Python program built with PyInstaller that spreads within a network and ensures execution of DCSrv; DCSrv masquerades as svchost.exe, blocks access to the computer, and encrypts volumes using DiskCryptor; and StrifeWater is described as a stealthy RAT used early in attacks to cover traces, execute remote commands, and capture the screen. The provided content also notes that a June 2022 Moses Staff leak archive contained data from multiple Israeli companies, and that later Cyber Av3ngers claims regarding Dorad reused material from that earlier Moses Staff leak. The same reporting explicitly states that no evidence was found linking Cyber Av3ngers to Moses Staff.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

MITRE ATT&CK

Tradecraft

35 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

14 of 15 tactics44 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0043

Reconnaissance

1 technique

T1595

Active Scanning

TA0042

Resource Development

3 techniques

T1587

Develop Capabilities

T1587.001

Malware

T1588

Obtain Capabilities

T1588.002×3

Tool

T1608

Stage Capabilities

T1608.001

Upload Malware

T1608.002

Upload Tool

TA0001

Initial Access

2 techniques

T1133×3

External Remote Services

T1190×24

Exploit Public-Facing Application

TA0002

Execution

1 technique

T1059×2

Command and Scripting Interpreter

T1059.006

Python

TA0003

Persistence

2 techniques

T1133×3

External Remote Services

T1505

Server Software Component

T1505.003×6

Web Shell

T1505.004

IIS Components

TA0005

Stealth

2 techniques

T1027×5

Obfuscated Files or Information

T1027.013×2

Encrypted/Encoded File

T1036

Masquerading

TA0112

Defense Impairment

1 technique

T1553

Subvert Trust Controls

T1553.002×2

Code Signing

TA0006

Credential Access

2 techniques

T1187

Forced Authentication

T1557

Adversary-in-the-Middle

T1557.001

Name Resolution Poisoning and SMB Relay

TA0007

Discovery

4 techniques

T1016×5

System Network Configuration Discovery

T1018

Remote System Discovery

T1082×8

System Information Discovery

T1087

Account Discovery

T1087.001×2

Local Account

T1087.002

Domain Account

TA0008

Lateral Movement

2 techniques

T1021

Remote Services

T1021.002×4

SMB/Windows Admin Shares

T1570

Lateral Tool Transfer

TA0009

Collection

2 techniques

T1113

Screen Capture

T1557

Adversary-in-the-Middle

T1557.001

Name Resolution Poisoning and SMB Relay

TA0011

Command and Control

3 techniques

T1071

Application Layer Protocol

T1071.001×2

Web Protocols

T1105×7

Ingress Tool Transfer

T1219

Remote Access Tools

TA0010

Exfiltration

2 techniques

T1041×2

Exfiltration Over C2 Channel

T1537

Transfer Data to Cloud Account

TA0040

Impact

2 techniques

T1486×2

Data Encrypted for Impact

T1490

Inhibit System Recovery

ARSENAL

Associated malware families

6 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

DCSrvDCSrv is a malicious process masquerading as the legitimate “svchost.exe” process. DCSrv blocks all access to the computer and encrypts all its volumes using the legitimate open-source encryption utility DiskCryptor.2May 26, 2026

DiskCryptorDCSrv blocks all access to the computer and encrypts all its volumes using the legitimate open-source encryption utility DiskCryptor.2May 26, 2026

ImpacketThe following analytic detects the use of Impacket's wmiexec.py tool for lateral movement by identifying specific command-line parameters.2Mar 17, 2026

PyDCryptthe files seem to have been exfiltrated through the use of malware from computers belonging to the targeted organization, and this behavior has been carried out by this threat actor using custom tools, such as PyDCrypt, DCSrv, and StrifeWater. PyDCrypt is a program written in Python and built with PyInstaller that is used to infect other computers on the network and ensure that the main payload DCSrv is executed properly.2May 26, 2026

PsExecThe following analytic identifies the execution of PsExec.exe with the accepteula flag in the command line... PsExec is commonly used by threat actors to execute code on remote systems... potentially leading to further system compromise and lateral movement within the network.1Mar 17, 2026

1 additional family tracked in Mallory.

WEAPONIZED

Associated vulnerabilities

7 CVEs this actor has used in observed campaigns. 7 of them exploited in the wild.

CVE-2021-31207Post-auth arbitrary file write in Microsoft Exchange Server (ProxyShell)In the wildEvidence1

This analytic identifies potential exploitation attempts of ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) and ProxyNotShell (CVE-2022-41040, CVE-2022-41082) vulnerabilities in Microsoft Exchange Server.

CVE-2021-34473ProxyShell pre-auth SSRF/authentication bypass in Microsoft Exchange AutodiscoverIn the wildEvidence1

CVE-2021-34523Microsoft Exchange PowerShell Backend Elevation of Privilege (ProxyShell)In the wildEvidence1

CVE-2022-26134Atlassian Confluence Server and Data Center OGNL Injection RCEIn the wildEvidence1

The following analytic detects attempts to exploit CVE-2022-26134, an unauthenticated remote code execution vulnerability in Confluence... This activity is significant as it allows attackers to execute arbitrary code on the Confluence server without authentication, potentially leading to full system compromise.

CVE-2022-41040ProxyNotShell SSRF in Microsoft Exchange ServerIn the wildEvidence1

2 more CVEs tied to this actor tracked in Mallory.

IOCS

Observables

40 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

40 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

20 SOURCESView more in app

splunk researchNews

Apr 13, 2026

Detection: Windows Metasploit Confluence Plugin Execution | Splunk Security Content

Listed as a threat actor associated with the detection for Metasploit-based Atlassian Confluence exploitation activity.

splunk researchNews

Apr 13, 2026

Detection: Windows Potential Web Shell Creation For VMware Workspace ONE | Splunk Security Content

Listed as a threat actor associated with web shell persistence activity in the context of this VMware Workspace ONE web shell detection.

splunk researchNews

Apr 13, 2026

Detection: Windows Unusual File Creation in Confluence Directory | Splunk Security Content

Listed as a threat actor associated with exploitation of public-facing applications and malware/tool upload activity relevant to Confluence exploitation detection.

splunk researchNews

Apr 13, 2026

Detection: Windows TeamCity Payload Execution from Temp Directory | Splunk Security Content

Listed as a threat actor associated with the TeamCity payload execution detection covering exploitation of a public-facing application, web shell persistence, and command/scripting interpreter execution.

+169 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping35

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal6

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs7

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables40

Domains, IPs, and hashes tied to this actor, refreshed continuously.