COBALT SAPLING
SUMMARY
COBALT SAPLING emerged in October 2021 under the Moses Staff persona, styling itself as a pro-Palestinian hacktivist group with a stated aim of harassing and disrupting businesses and government entities in Israel. CTU researchers assess with moderate confidence that the group operates on behalf of Iran and should be considered an inauthentic hacktivist persona. Similar inauthentic personas have appeared since 2020, including COBALT FOXGLOVE and COBALT SHADOW.
COBALT SAPLING uses the custom malware DCSrv and PyDCrypt to conduct ransomware-style operations, but with no ransom demand and no profit motive. The malware acts as a cryptographic wiper: data is rendered inaccessible, and the threat actor makes no offer to release decryption keys in exchange for payment. PyDCrypt distributes DCSrv to hosts in the victim network. DCSrv uses the open-source encryption tool DiskCryptor to encrypt hard drive volumes on an infected host.
Moses Staff maintains a leak site, used to distribute data stolen from its victims and to disseminate its messaging.
In November 2022 a new persona, Abraham's Ax, emerged that CTU researchers assess is also linked to COBALT SAPLING. The group's iconography is reminiscent of Moses Staff, as are the videography, infrastructure and leak sites it uses, suggesting that both personas are likely operated by the same entity. Abraham's Ax leaked data allegedly taken from government entities in Saudi Arabia.