PyDCrypt

Moses Staff has built malware, such as DCSrv and PyDCrypt, for targeting victims' machines.

The content repeatedly describes threat actors and malware using WMI/WMIC/wmiexec for remote execution, lateral movement, discovery, persistence, and administrative actions; e.g., 'APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via PowerSploit' and 'Scattered Spider used Windows Management Instrumentation (WMI) to move laterally via Impacket.'

The content repeatedly describes threat actors and malware using PowerShell scripts/commands for execution, download, staging, reconnaissance, persistence, credential access, lateral movement, and defense evasion; e.g., "Sandworm Team used PowerShell scripts to run a credential harvesting tool in memory to evade defenses."

During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.

PyDCrypt is a program written in Python and built with PyInstaller that is used to infect other computers on the network and ensure that the main payload DCSrv is executed properly.

The content repeatedly describes payloads, strings, configuration files, scripts, URLs, and binaries being obfuscated or encoded using Base64, XOR, RC4, AES, RSA, hex encoding, custom algorithms, and other methods across many malware families and threat actors.

Examples include 'Mosquito’s installer is obfuscated with a custom crypter,' 'PyDCrypt has been compiled and encrypted with PyInstaller, specifically using the --key flag,' and 'Threat Group-3390 malware is also obfuscated using Metasploit’s shikata_ga_nai encoder.'

During the 2016 Ukraine Electric Power Attack, DLLs and EXEs with filenames associated with common electric power sector protocols were used to masquerade files.

The content repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.

The content repeatedly describes malware and threat actors decoding, decrypting, or deobfuscating payloads, strings, configuration data, commands, and C2 traffic prior to execution or use, e.g., 'APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload' and 'Action RAT can use Base64 to decode actor-controlled C2 server communications.'

The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking admin status, and enumerating user sessions.

PyDCrypt is a program written in Python and built with PyInstaller that is used to infect other computers on the network and ensure that the main payload DCSrv is executed properly.

Overall, the leaked data seems to be the result of hacking operations by Moses Staff: the files seem to have been exfiltrated through the use of malware from computers belonging to the targeted organization...

Their main activity is to damage Israeli companies by stealing and publishing sensitive data... The archive was first published by Moses Staff in June 2022, it included leaked data from multiple companies in Israel.