Abrahams_Ax

Abrahams_Ax, first observed in November 2022, is not a Ransomware-as-a-Service (RaaS) operation but a politically motivated hacktivist persona. The group is linked to the Iranian-associated threat actor COBALT SAPLING, which previously operated as Moses Staff. It uses double-extortion tactics focused on stealing and leaking sensitive data rather than encrypting files. Infrastructure, visual branding, and operational patterns strongly resemble those of Moses Staff, suggesting a shared origin. Its most notable incident was the breach of the Saudi Arabian Ministry of Interior, where stolen data was published alongside propaganda content. The group’s targeting appears to align with Middle Eastern geopolitical interests, particularly against Israeli- and Saudi-linked entities. No encryption methods or file extensions are publicly documented, as encryption is not part of their operations.