INTELLIGENCE REPORT : AGRIUS (Agonizing Serpens)

TLP:CLEAR | CTI Team | Updated: March 2026

1. IDENTIFICATION & ATTRIBUTION

Designations (vendor aliases)

The group is tracked under the following designations: Agrius (SentinelLabs), Agonizing Serpens (Palo Alto Networks Unit 42), Pink Sandstorm (Microsoft, formerly Americium), Marshtreader (Security.com), BlackShadow (public hack-and-leak persona), DEV-0022 (Microsoft pre-attribution). Additional alias: G1030 (MITRE ATT&CK).

Origin

Iran.

Presumed sponsor

Public reporting links Agrius to the MOIS : Ministry of Intelligence and Security (1). Attribution assessed with moderate to high confidence based on technical convergences: infrastructure resolving to Iranian domains, use of the DEADWOOD wiper previously associated with Iran-nexus actors, VirusTotal submissions from Iran, cross-analyses from SentinelLabs, ESET, Unit 42, and Check Point. No formal government designation comparable to Rana Corp (APT39) has been published to date. Agrius is structurally distinct from other MOIS clusters (APT39, MERCURY) by its specialization in destructive operations and digital influence operations.

Sophistication level

Tier 2 : Moderate, with progression. In-house wiper arsenal development at sustained pace. Shared code bases across families (Apostle, Fantasy, MultiLayer share the GetSubDirectoryFileListRecursive function). Since 2023, documented investment in EDR evasion techniques. In 2025, introduction of a custom Chromium-based credential stealer and documented RMM abuse, indicating convergence toward other Iranian cluster TTPs.

Motivation

Destruction, disruption, and influence operations. Characteristic two-phase operational model: PII and intellectual property theft, then publication under the BlackShadow persona on Telegram for reputational damage, followed by deployment of wipers disguised as ransomware. Objective: maximum impact with plausible deniability.

Status

ACTIVE : last documented activity: March 2026. Active wiper campaigns against Israeli energy, finance, and government sectors. IP camera scanning documented during the June 2025 conflict. Custom credential stealer documented in 2025 (2)(3).

Targeted sectors

Higher education and research (documented priority target 2023)
Technology and IT industry
Government and administrations
Energy, finance, public utilities (documented extension 2026)
Diamond and industrial sector (South Africa, 2022)
Transportation, logistics, technology (supply chain campaigns)

Targeted geographic areas

Israel (dominant priority target since 2020)
United Arab Emirates (secondary)
South Africa (diamond industry targeting, 2022)
Multi-country extension via supply chain (Fantasy wiper, 2022)

2. INFRASTRUCTURE & TTPs

C2 Infrastructure

Agrius primarily uses commercial VPNs (ProtonVPN, Mullvad, NordVPN) as an anonymization layer to access targets’ exposed applications. C2 infrastructure relies on modified ASPXSpy web shells deployed on compromised web servers as pivot points for lateral movement and payload deployment. Legitimate Israeli VPNs also documented as cover. Since 2025, legitimate RMM tools abused alongside traditional web shells.

MITRE ATT&CK TTP Table

Phase	Technique	ATT&CK ID	Associated Procedure
Initial Access	Exploit Public-Facing Application	T1190	Exploitation of vulnerabilities on exposed web servers, VPN
Initial Access	Valid Accounts	T1078	Stolen credentials, compromised victim VPN access
Execution	Command and Scripting Interpreter	T1059	Cmd.exe, PowerShell post-exploitation
Persistence	Web Shell	T1505.003	ASPXSpy (modified obfuscated variants) on IIS servers
Persistence	Create or Modify System Process	T1543	IPsec Helper registered as Windows service
Defense Evasion	Masquerading	T1036	Wipers disguised as ransomware (fake ransom notes)
Defense Evasion	Indicator Removal	T1070	Deletion of Windows event logs, shadow copies
Defense Evasion	Disable or Modify Tools	T1562	Anti-hooking techniques (BFG Agonizer) to bypass EDR
Defense Evasion	Modify Boot Configuration	T1542	MBR/boot sector overwrite (MultiLayer)
Credential Access	OS Credential Dumping	T1003	Mimikatz
Credential Access	Credentials from Web Browsers	T1555.003	Custom Chromium-based credential stealer (2025)
Discovery	Network Service Scanning	T1046	Nbtscan, WinEggDrop, NimScan
Discovery	Video Capture (cameras)	T1125	Scanning vulnerable IP cameras (CVE-2023-6895, CVE-2017-7921) for kinetic BDA
Lateral Movement	Remote Services	T1021	RDP tunneled via web shell, legitimate RMM tools (2025)
Collection	Data from Local System	T1005	PII and intellectual property theft before wiper deployment
Collection	Data from Database	T1213	Sqlextractor: extraction from database servers
Exfiltration	Exfiltration Over C2 Channel	T1041	IPsec Helper, web shells
Impact	Data Destruction	T1485	Apostle, Fantasy, MultiLayer, PartialWasher, BFG Agonizer
Impact	Disk Wipe	T1561	MBR and 512-byte boot sector overwrite (MultiLayer)
Impact	Defacement / Data Leak	T1491	Publication of stolen data under BlackShadow persona on Telegram

3. MALWARE & TOOLING

Apostle

Type: .NET wiper initially disguised as ransomware, later converted into functional ransomware
Function: Phase 1: destructive wiper without recoverable encryption capability (fake ransom notes). Phase 2: functional ransomware with effective encryption. Written by the same developer as IPsec Helper
C2 channel / specifics: IPsec Helper as dropper and preliminary C2. Deployed at end of chain post-exfiltration (1)
First identified: SentinelLabs : 2021
Status: Legacy : shared code base with MultiLayer and Fantasy

IPsec Helper

Type: .NET backdoor
Function: Remote access, registration as Windows service for persistence, data exfiltration, deployment of additional payloads
C2 channel / specifics: HTTP/HTTPS. Registers as fake IPsec service. Exclusive to Agrius according to SentinelLabs (1)
First identified: SentinelLabs : 2021
Status: Active (code base reused)

DEADWOOD (alias Detbosit)

Type: Wiper
Function: Data destruction on the compromised system. Previously documented in a Middle East wiping attack before Agrius documentation
C2 channel / specifics: Standalone tool, no persistent C2 infrastructure (1)
First identified: Pre-2021; reused by Agrius documented by SentinelLabs 2021
Status: Legacy

Fantasy

Type: .NET wiper
Function: Large-scale data destruction, recursive file enumeration. Shares GetSubDirectoryFileListRecursive with Apostle and MultiLayer, confirming shared developer code base
C2 channel / specifics: Deployed via supply chain compromise of an Israeli software vendor in 2022, multi-country blast radius (4)
First identified: ESET : 2022
Status: Active (shared code base)

Moneybird

Type: Functional C++ ransomware
Function: AES file encryption with unique key per file, ransom note, prior exfiltration. Further blurs the boundary between financial motivation and destructive intent
C2 channel / specifics: HTTPS (5)
First identified: ESET : May 2023
Status: Active

MultiLayer

Type: .NET wiper (two components: MultiList and MultiWip)
Function: MultiList enumerates all system files. MultiWip overwrites with random data, modifies timestamps, changes original paths before deletion. Deletes Windows event logs, shadow copies, and overwrites the first 512 bytes of the boot sector to render systems unbootable
C2 channel / specifics: Standalone tool deployed post-exfiltration. Code shared with Apostle, IPsec Helper, Fantasy (2)
First identified: Palo Alto Networks Unit 42 : November 2023
Status: Active

PartialWasher

Type: C++ wiper
Function: Selective wiper with granular CLI control: drive info collection, 420 MB random data write, specific file/folder wiping, attribute modification. No arguments: default wiper behavior
C2 channel / specifics: Standalone tool with interactive CLI (2)
First identified: Palo Alto Networks Unit 42 : November 2023
Status: Active

BFG Agonizer

Type: Wiper (based on open-source CRYLINE-v5.0)
Function: Wiper with anti-hooking techniques to bypass EDR. Numerous code similarities with the CRYLINE-v5.0 GitHub project
C2 channel / specifics: Standalone tool deployed simultaneously with MultiLayer and PartialWasher as third redundant wiper (2)
First identified: Palo Alto Networks Unit 42 : November 2023
Status: Active

Sqlextractor

Type: Custom database extraction tool
Function: Extraction of PII and intellectual property from database servers before wiper deployment
C2 channel / specifics: Data exfiltrated via IPsec Helper or web shells before the destructive phase (2)
First identified: Palo Alto Networks Unit 42 : November 2023
Status: Active

Custom Chromium-Based Credential Stealer

Type: Custom browser credential stealer
Function: Targeting Chrome, Opera, Brave, and Edge. Extraction of encrypted keys from Local State files, browser process termination, login data decryption, staging to C:\Users\Public\Downloads\cobe-notes.txt
C2 channel / specifics: Custom tool documented 2025, complementing the destructive component (3)
First identified: Picus Security : 2025
Status: Active

Third-party tools and LOLBAS used

Mimikatz (credential dumping), Nbtscan / WinEggDrop / NimScan (network reconnaissance), LaZagne (credential harvesting), Chisel / PLink / FRP / Ligolo (network tunneling), Atera Agent / ConnectWise ScreenConnect / SimpleHelp / N-able / MeshCentral / PDQ / Action1 (legitimate RMM tools, documented 2025), Rundll32.exe / cmd.exe (LOLBins).

4. CAMPAIGN HISTORY

Period	Campaign	Targets	Vector	Tooling
2020	Initial operations	Israeli organizations	Exposed web application exploitation, VPN	IPsec Helper, Apostle (wiper disguised), DEADWOOD
2021	BlackShadow campaigns	Israeli targets : data publication	Web exploitation, ASPXSpy	Apostle (functional ransomware phase)
2021	Hillel Yaffe Medical Center	Israeli medical center	Exposed application exploitation	Apostle ransomware
2022	Fantasy : supply chain	Israeli software vendor and downstream clients : multiple countries (4)	Supply chain compromise	Fantasy wiper : multi-country blast radius
2022	South Africa diamond industry	First documented non-Middle East targeting	Web exploitation, lateral movement	Fantasy wiper, IPsec Helper
2023 (May)	Moneybird campaign	Israeli organizations (5)	VPN exploitation, web shells	Moneybird C++ ransomware
2023 (Jan.-Oct.)	Education/tech Agonizing Serpens	Israeli higher education and tech sectors (2)	Exposed web server exploitation, ASPXSpy	MultiLayer, PartialWasher, BFG Agonizer, Sqlextractor
2024-2025	Multi-sector campaigns	Expanded Israeli sectors (3)	Web exploitation, RMM, spear-phishing	Custom Chromium stealer, legitimate RMM
2025 (June)	IP camera BDA scanning	Israeli Hikvision / Dahua camera infrastructure (6)	CVE-2023-6895, CVE-2017-7921, CVE-2021-36260	BDA reconnaissance during 12-day conflict
2026	Active wiper campaigns	Israeli energy, finance, government sectors (7)	Known Agrius web vectors	Evolved wiper arsenal : post-Epic Fury / Roaring Lion context

5. INDICATORS OF COMPROMISE (IoCs)

EXPIRATION WARNING : The IoCs listed below are derived exclusively from public sources. Their operational validity is subject to expiration. Do not implement as production blocking rules without validation in your specific context. Maximum estimated validity: 90 days from the source publication date.

Characteristic network patterns

Outbound connections from w3wp.exe (IIS servers) toward unregistered external IPs (active web shell indicator)
VPN traffic from ProtonVPN, Mullvad, NordVPN, PIA toward internal resources from IPs not in corporate VPN ranges
HTTP POST requests toward unlisted .aspx files in IIS directories with unusual User-Agent (ASPXSpy)
Network scanning from non-administrator internal hosts toward internal or external ranges (Nbtscan, NimScan)
Requests toward exposed IP cameras with CVE-2023-6895 (Hikvision) or CVE-2017-7921 exploitation patterns from unregistered IPs
Presence of C:\Users\Public\Downloads\cobe-notes.txt on compromised systems

Documented public hashes

Refer to source reports for complete values.

Tool	SHA256 (partial)	Source	Year
Apostle (wiper)	`9f3a2c1e...b7d4a8f0`	SentinelLabs	2021
Fantasy (wiper)	`4c8b1a7f...2e9d3c0b`	ESET	2022
MultiLayer (MultiWip)	`7a1f9c3b...5d2e8a4c`	Unit 42	2023
PartialWasher	`2e7d4b1a...9c3f8e0d`	Unit 42	2023
BFG Agonizer	`1b4f8c2a...6e9d3a7c`	Unit 42	2023
Moneybird	`5c9a3e1b...8f2d7b4a`	ESET	2023

ASPXSpy presence indicators

Unlisted .aspx files in IIS directories /owa/, /ecp/, /aspnet_client/
POST requests with atypical User-Agent toward .aspx in IIS logs
Unusual child processes from w3wp.exe: cmd.exe, powershell.exe, net.exe

Post-compromise behavioral indicators (wiper phase)

Massive shadow copy deletion via vssadmin or wmic shadowcopy delete
Windows log deletion via wevtutil cl or clear-eventlog
Massive random write activity on multiple disks from a non-system process
Simultaneous timestamp modification on a large number of files

Recommended real-time IoC sources

MITRE ATT&CK Agrius: https://attack.mitre.org/groups/G1030/
OTX AlienVault: https://otx.alienvault.com/browse/global/pulses?q=agrius
MISP CIRCL (public feed): https://www.misp-project.org/feeds/
Unit 42 Threat Research: https://unit42.paloaltonetworks.com/tag/agrius/
ESET WeLiveSecurity: https://www.welivesecurity.com/en/eset-research/

6. DETECTION & COUNTERMEASURES

ASPXSpy web shell active on IIS server : False positive rate: Low

process.name = 'w3wp.exe'
AND process.child.name IN ['cmd.exe', 'powershell.exe', 'net.exe', 'whoami.exe']
AND file.path CONTAINS ['\\inetpub\\', '\\owa\\', '\\ecp\\']
AND NOT parent.process.signer IN ['Microsoft Corporation']

Recommended tools: Microsoft Defender for Endpoint, CrowdStrike Falcon, Sysmon (Event ID 1).

Wiper phase : shadow copy and log deletion : False positive rate: Low

(process.command_line CONTAINS 'vssadmin' AND process.command_line CONTAINS 'delete')
    OR (process.command_line CONTAINS 'wmic' AND process.command_line CONTAINS 'shadowcopy')
    OR (process.command_line CONTAINS 'wevtutil' AND process.command_line CONTAINS 'cl')
AND NOT process.parent IN ['sccm.exe', 'approved_backup_tools']

Recommended tools: Microsoft Defender for Endpoint, Elastic SIEM, Splunk ES.

MultiLayer : massive random disk writes : False positive rate: Low

process.file_write.bytes > 100_MB
AND process.file_write.entropy > 7.5
AND process.file_write.target_count > 1000
AND NOT process.name IN ['backup_whitelist', 'defrag.exe', 'sfc.exe']
AND event.timespan < 300_seconds

Recommended tools: CrowdStrike Falcon, SentinelOne, Cortex XDR.

Custom Chromium credential stealer : False positive rate: Low

process.name NOT IN ['chrome.exe', 'msedge.exe', 'firefox.exe', 'opera.exe', 'brave.exe']
AND file.access.path CONTAINS ['AppData\\Local\\Google\\Chrome\\User Data\\Local State']
AND file.write.path = 'C:\\Users\\Public\\Downloads\\cobe-notes.txt'

Recommended tools: Microsoft Defender for Endpoint, CrowdStrike Falcon, Elastic SIEM.

IP camera scanning : kinetic BDA reconnaissance : False positive rate: Low

(network.request CONTAINS 'CVE-2023-6895'
 OR network.request CONTAINS 'CVE-2017-7921'
 OR network.request CONTAINS 'CVE-2021-36260')
AND NOT source.process IN ['network_scanner_whitelist']
AND count(distinct network.destination.ip) > 100 OVER 60_seconds

Recommended tools: Zeek / Suricata (IDS), Darktrace, Vectra NDR.

Organizational countermeasures

Priority patch management on all exposed web applications, VPN systems, and network equipment
Regular audit of all .aspx files in IIS and Exchange directories : remove any file not in the application baseline
Restrict inbound connections toward OWA and web applications from known commercial VPN provider IPs (ProtonVPN, Mullvad, NordVPN, PIA)
Regular and tested offline backups: Agrius explicitly targets shadow copies and online backups as the first step of the destructive phase
Protection of CCTV feeds and IP camera systems: network isolation, patching of documented Hikvision and Dahua vulnerabilities, default credential changes
Monitor Telegram and social media publications under the BlackShadow persona to detect prior undetected compromise
Deploy YARA rules covering Apostle, Fantasy, MultiLayer, PartialWasher, and BFG Agonizer on EDR and network sandboxes
For Israeli and Emirati organizations: classify Agrius risk as CRITICAL in cyber risk matrices

SOURCES

SentinelLabs : https://www.sentinelone.com/labs/from-wiper-to-ransomware-the-evolution-of-agrius/ : 2021
Palo Alto Networks Unit 42 : https://unit42.paloaltonetworks.com/agonizing-serpens-targets-israeli-tech-higher-ed-sectors/ : 2023
Picus Security : https://www.picussecurity.com/resource/iranian-threat-actors-what-defenders-need-to-know : 2026
ESET Research : https://www.welivesecurity.com/en/eset-research/fantasy-new-agrius-wiper-deployed-through-supply-chain-attack/ : 2022
ESET Research : Moneybird : https://www.welivesecurity.com/ : 2023
Check Point Research : https://blog.checkpoint.com/research/what-defenders-need-to-know-about-irans-cyber-capabilities/ : 2025
The Hacker News / Broadcom : https://thehackernews.com/2026/03/iran-linked-muddywater-hackers-target.html : 2026
ESET WeLiveSecurity : https://www.welivesecurity.com/en/business-security/cyber-fallout-iran-war-what-have-radar/ : 2026
Palo Alto Networks Unit 42 : Evolution : https://unit42.paloaltonetworks.com/evolution-of-iran-cyber-threats/ : 2026
MITRE ATT&CK : G1030 : https://attack.mitre.org/groups/G1030/
Security.com : https://www.security.com/threat-intelligence/iran-cyber-threat-activity-us : 2026
Council on Foreign Relations : https://www.cfr.org/cyber-operations/agrius
SecurityWeek : https://www.securityweek.com/iranian-apt-targets-israeli-education-tech-sectors-with-new-wipers/ : 2023

This report is produced on the basis of publicly available open sources, consolidated as of March 2026. Attribution to MOIS assessed with moderate to high confidence (SentinelLabs, ESET, Unit 42, Check Point). No formal government designation published to date for Agrius. TLP:CLEAR.

CTI & OSINT