NEW: Group Profiler — instant APT intel lookup. Try it →

← threatfilter.dev / all groups / Agrius

Agrius

G1030 Iran MITRE ATT&CK →

Also known as: Pink Sandstorm · AMERICIUM · Agonizing Serpens · BlackShadow

Overview

Agrius is an Iranian threat actor active since 2020 notable for a series of ransomware and wiper operations in the Middle East, with an emphasis on Israeli targets. Public reporting has linked Agrius to Iran's Ministry of Intelligence and Security (MOIS).

Capabilities

Exploitation of public-facing / client applications — ATT&CK T1190
Custom malware/implant development — ATT&CK: 7 attributed custom malware families

TTPs — 22 techniques across 11 tactics

Resource Development

T1583 Acquire Infrastructure

Initial Access

T1190 Exploit Public-Facing Application

Execution

T1059.003 Windows Command Shell

Persistence

T1505.003 Web Shell
T1543.003 Windows Service

Stealth

T1036 Masquerading
T1078.002 Domain Accounts
T1140 Deobfuscate/Decode Files or Information

Defense Impairment

T1685 Disable or Modify Tools

Credential Access

T1003.001 LSASS Memory
T1003.002 Security Account Manager
T1110 Brute Force
T1110.003 Password Spraying

Discovery

T1018 Remote System Discovery
T1046 Network Service Discovery

Lateral Movement

T1021.001 Remote Desktop Protocol
T1570 Lateral Tool Transfer

Collection

Exfiltration

T1041 Exfiltration Over C2 Channel

Tools & malware (9)

NBTscan · Mimikatz · IPsec Helper · Moneybird · MultiLayer Wiper · DEADWOOD · BFG Agonizer · ASPXSpy · Apostle

Reporting (3)

Agonizing Serpens (Aka Agrius) Targeting the Israeli Higher Education and Tech Sectors — Or Chechik, Tom Fakterman, Daniel Frank & Assaf Dahan
How Microsoft names threat actors — Microsoft
AGRIUS DEPLOYS MONEYBIRD IN TARGETED ATTACKS AGAINST ISRAELI ORGANIZATIONS — Marc Salinas Fernandez & Jiri Vinopal