Secureworks CTU researchers assess that Moses Staff and Abraham’s Ax are likely run by the same operator, tied to COBALT SAPLING, based on similarities in iconography, videos, and leak-site infrastructure. The groups share multilingual WordPress leak sites, near-identical branding elements, and overlapping hosting origins, with operations focused on political disruption in Israel and Saudi Arabia. #MosesStaff #AbrahamsAx #COBALT_SAPLING #StrifeWater #PyDCrypt #DiskCryptor #DCSrv #Hezbollah #Unit8200 #Israel #SaudiArabia
Keypoints
- CTU researchers conclude Moses Staff and Abraham’s Ax are likely operated by the same entity, linked to COBALT SAPLING.
- Abraham’s Ax appeared in November 2022 and uses iconography and multilingual leak sites (Hebrew, Farsi, English) similar to those of Moses Staff.
- Both groups’ leak sites use WordPress, offer multiple languages, and have Tor-accessible versions, with domains registered under EgenSajt.se.
- Early infrastructure analysis shows Moses Staff and Abraham’s Ax leak sites hosted in nearby IP subnets, suggesting a single operator.
- Moses Staff espouses anti-Israeli, pro-Palestinian rhetoric and has leaked data from Israeli entities, using tools such as PyDCrypt and DCSrv, a cryptographic wiper.
- The StrifeWater RAT (brokerhost.exe) is linked to the group through shared customized ASPX web shells and auxiliary tools such as DriveGuard; COBALT SAPLING appears to have been active since 2020.
- Abraham’s Ax targets Saudi government ministries and claims Hezbollah Ummah ties, though no direct link to Hezbollah is established; videos emphasize sensational, Hollywood-style hacking visuals.
- CTU recommends mitigations using listed indicators, stressing careful handling of potentially malicious domains, IPs, and hashes.
MITRE Techniques
- [T1505.003] Web Shell – Used customized ASPX web shells to facilitate intrusions; “the StrifeWater RAT (also known as brokerhost.exe) has also been linked to the group based on technical overlaps between intrusions, such as the use of the same customized ASPX web shells.”
- [T1486] Data Encrypted for Impact – DCSrv, the cryptographic wiper, encrypts the disk and replaces the boot message; “DCSrv encrypts data using the open-source DiskCryptor library and installs a custom bootloader message.”
Indicators of Compromise
- [Domain name] context – COBALT SAPLING leak sites (Moses Staff): moses-staff.se, and related Abraham’s Ax domains abrahams-ax.nu, abrahams-ax.se
- [IP address] context – Hosted COBALT SAPLING leak sites: 95.169.196.52, 95.169.196.55
Read more: https://www.secureworks.com/blog/abrahams-ax-likely-linked-to-moses-staff