Moses Staff Campaigns Against Israeli Organizations
The initial infiltration was accomplished by leveraging the ProxyShell exploit in Microsoft Exchange servers to allow an unauthenticated attacker to execute arbitrary commands on them through an exposed HTTPS port. As a result, the attackers were able to deploy two web shells:
C:/inetpub/wwwroot/aspnet_client/system_web/iispool.aspx
C:/inetpub/wwwroot/aspnet_client/system_web/map.aspx
These two web shells are used in conjunction with one another, and some of their functionalities overlap.
On numerous occasions, map.aspx was used to validate the results of the commands executed by iispool.aspx. Post infection, the attackers dedicated several days to the exfiltration of PST files and other sensitive data from the compromised server.
Next, they attempted to steal credentials by creating a memory dump of lsass.exe using a LOLBin.
Finally, the attackers dropped and installed the backdoor components.
Featured Resources
blog
EscapeRoute: Breaking the Scope of Anthropic’s Filesystem MCP Server
(CVE-2025-53109 & CVE-2025-53110)
EXECUTIVE SUMMARY The Cymulate Research Labs is committed to advancing cybersecurity by scrutinizing emerging technologies and exposing hidden risks. Our
Solution Brief
Healthcare - Industry Brief
Healthcare Industry Under Attack Security leaders in the healthcare industry face significant challenges as threat actors target valuable data and
blog
AI Threat Detection: Supercharging Cyber Defenses with Intelligence & Scale
Security teams face an onslaught of ever-evolving threats, bloated alert queues and sprawling attack surfaces. Manual detection and periodic pen