Similarities between hacktivist groups reveal Iranian connection

Threat Level

Actor Report

For a detailed threat advisory, download the pdf file here

Summary

COBALT SAPLING is a threat actor group that is believed to be Iranian in origin. The group has been found to operate multiple hacktivist group personas, including Moses Staff and Abraham’s Ax. Researchers have investigated similarities between the two groups and found several commonalities in their iconography, videography and leak sites, suggesting that they are likely operated by the same entity. The Moses Staff group emerged in September 2021, and the Abraham’s Ax group emerged in November 2022.