Operator dossier

Mosesstaff (also tracked as Moses Staff, Marigold Sandstorm, DEV-0500, VENGEFUL KITTEN) is a ransomware operator no longer publishing new disclosures. Darkfield has indexed 16 public victims claimed by this operator between December 18, 2021.

MosesStaff is a relatively small ransomware group that emerged in December 2021, primarily motivated by ideological and political objectives rather than financial gain, specifically targeting Israeli organizations and entities. The group is believed to operate independently and has been linked to pro-Palestinian hacktivist activities, though their exact country of origin remains unclear based on publicly available intelligence. MosesStaff employs standard ransomware deployment techniques including data exfiltration prior to encryption, utilizing custom malware tools and focusing on complete data theft rather than traditional ransom demands, often publicly releasing stolen data on their leak sites as part of their destructive methodology. The group has conducted targeted attacks against Israeli companies and government entities, with their operations characterized by relatively low victim counts but high-impact data breaches designed to cause reputational and operational damage to their targets. MosesStaff remains active as of current intelligence reporting, continuing to conduct sporadic attacks aligned with their ideological motivations against Israeli interests.

Suspected origin: IR (community attribution, not authoritative).

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Inactive ransomware operator

Mosesstaff

aka Moses Staff, Marigold Sandstorm, DEV-0500, VENGEFUL KITTEN · 16 victims indexed · first seen 4 years ago · last activity 4 years ago

  • Victims indexed: 16 · #170 of 356 tracked operators
  • Active period: <1m · Dec 2021 → Dec 2021
Countries hit

At a glance

  • Status: inactive
  • Aliases: Moses Staff, Marigold Sandstorm, DEV-0500, VENGEFUL KITTEN
  • First seen: 4 years ago
  • Last activity: 4 years ago
  • Onion sites: 2 known endpoints
  • Suspected origin: 🇮🇷 IR

References

4 links

External sources curated by the MISP threat-intel community.

Timeline

1 month
2021-12-01T00:00:00+00:00 · 16

MITRE ATT&CK

12 techniques · 8 tactics

Tactics

  • Command And Control
  • Defense Impairment
  • Discovery
  • Initial Access
  • Lateral Movement
  • Persistence
  • Resource Development
  • Stealth

Onion infrastructure

2 known
  • http://moses-staff.se
  • http://mosesstaffm7hptp.onion

Source

Updated 4 years ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.
