Agrius
Also known as: Pink Sandstorm · AMERICIUM · Agonizing Serpens · BlackShadow
Overview
Agrius is an Iranian threat actor, active since 2020, notable for a series of ransomware and wiper operations in the Middle East, with an emphasis on Israeli targets. Public reporting has linked Agrius to Iran's Ministry of Intelligence and Security (MOIS).
Capabilities
- Exploitation of public-facing / client applications — ATT&CK T1190
- Custom malware/implant development — ATT&CK: 7 attributed custom malware families
TTPs — 22 techniques across 11 tactics
Resource Development
- T1583 Acquire Infrastructure
Initial Access
Execution
- T1059.003 Windows Command Shell
Persistence
- T1505.003 Web Shell
- T1543.003 Windows Service
Stealth
- T1036 Masquerading
- T1078.002 Domain Accounts
- T1140 Deobfuscate/Decode Files or Information
Defense Impairment
- T1685 Disable or Modify Tools
Credential Access
- T1003.001 LSASS Memory
- T1003.002 Security Account Manager
- T1110 Brute Force
- T1110.003 Password Spraying
Discovery
- T1018 Remote System Discovery
- T1046 Network Service Discovery
Lateral Movement
- T1021.001 Remote Desktop Protocol
- T1570 Lateral Tool Transfer
Collection
- T1005 Data from Local System
- T1074.001 Local Data Staging
- T1119 Automated Collection
- T1560.001 Archive via Utility
Exfiltration
Tools & malware (9)
NBTscan · Mimikatz · IPsec Helper · Moneybird · MultiLayer Wiper · DEADWOOD · BFG Agonizer · ASPXSpy · Apostle
Reporting (3)
- Agonizing Serpens (Aka Agrius) Targeting the Israeli Higher Education and Tech Sectors — Or Chechik, Tom Fakterman, Daniel Frank & Assaf Dahan
- How Microsoft names threat actors — Microsoft
- Agrius Deploys Moneybird in Targeted Attacks Against Israeli Organizations — Marc Salinas Fernandez & Jiri Vinopal