Moses Staff G1009 unknown
aka Moses Staff, DEV-0500, Marigold Sandstorm
Last updated: 2026-07-03
About this actor
[Moses Staff](https://attack.mitre.org/groups/G1009) is a suspected Iranian threat group that has primarily targeted Israeli companies since at least September 2021. [Moses Staff](https://attack.mitre.org/groups/G1009) openly stated their motivation in attacking Israeli companies is to cause damage by leaking stolen sensitive data and encrypting the victim's networks without a ransom demand.(Citation: Checkpoint MosesStaff Nov 2021) Security researchers assess [Moses Staff](https://attack.mitre.org/groups/G1009) is politically motivated, and has targeted government, finance, travel, energy, manufacturing, and utility companies outside of Israel as well, including those in Italy, India, Germany, Chile, Turkey, the UAE, and the US.(Citation: Cybereason StrifeWater Feb 2022)
Source: MITRE ATT&CK
Activity timeline
No activity events recorded.
Profile
| CVE | Risk | CVSS | EPSS | Published | Products |
|---|---|---|---|---|---|
| No attributed CVEs. | | | | | |
Mitigating controls (NIST 800-53)
| Control | Techniques covered | Coverage |
|---|---|---|
| CM-6 | 11 / 20 | 55% |
| SI-4 | 11 / 20 | 55% |
| CM-7 | 9 / 20 | 45% |
| AC-2 | 8 / 20 | 40% |
| AC-3 | 8 / 20 | 40% |
| CM-2 | 8 / 20 | 40% |
| AC-6 | 7 / 20 | 35% |
| AC-5 | 6 / 20 | 30% |
| CM-5 | 6 / 20 | 30% |
| IA-2 | 5 / 20 | 25% |
| SI-3 | 5 / 20 | 25% |
| SI-7 | 5 / 20 | 25% |
| CA-7 | 4 / 20 | 20% |
| AC-4 | 3 / 20 | 15% |
| CM-8 | 3 / 20 | 15% |
Co-occurring actors
None.
Similar actors
Similar TTPs
- Play 0.25
- ShadowRay 0.24
- MirrorFace 0.23
- Cutting Edge 0.22
- BackdoorDiplomacy 0.21