Agrius
An Iran-aligned destructive unit that pioneered the "wiper-as-ransomware" playbook — deploying malware that destroys data while demanding payment, providing cover for state-directed sabotage as cybercrime. Active since 2020 with a primary focus on Israeli targets, Agrius has operated under multiple personas and progressively escalated its capability, moving from early wiper disguises through a full supply-chain compromise, and into EDR-bypass-focused multi-wiper campaigns against Israeli higher education and technology sectors. Confirmed active through 2025, including infrastructure scanning during the June 2025 Israel-Iran conflict.
Overview
Agrius was first identified and named by SentinelOne in May 2021, after researchers discovered that what initially appeared to be a ransomware campaign against Israeli targets was in fact a series of wiper attacks disguised with ransom notes. The group had been operating since at least early 2020, initially using a known wiper called DEADWOOD (also known as Detbosit) before developing its own custom toolchain. Attribution to Iran rests on multiple indicators: web shell variants uploaded to VirusTotal from Iranian IP addresses, operational targeting patterns consistent with MOIS priorities, and tool and tactic overlaps with other Iranian clusters.
What makes Agrius strategically significant is the sophistication of its deception model. Early versions of its custom Apostle malware lacked functional decryption capability — the ransom note was purely cosmetic, designed to make state-sponsored destruction look like criminal extortion. This "wiper-as-ransomware" approach complicates incident triage, wastes defender response time, and provides Iran with plausible deniability. Over time Agrius evolved Apostle into functional ransomware (likely for additional operational flexibility), then introduced the Fantasy wiper — which abandoned the ransomware disguise entirely — and in 2023 deployed a third generation of wipers (MultiLayer, PartialWasher, BFG Agonizer) specifically engineered to bypass EDR solutions.
Agrius operates under a rotation of hacktivist-branded personas — most notably BlackShadow — to amplify the psychological impact of its operations. After stealing PII and intellectual property, the group publishes exfiltrated data on Telegram channels and social media to sow fear and inflict reputational damage on its targets, pairing data destruction with an information operations component. During the June 2025 Israel-Iran conflict, Check Point Research observed Agrius-linked infrastructure actively scanning for vulnerable IP cameras across Israel, consistent with Iranian doctrine of leveraging camera compromise for post-attack battle damage assessment.
Agrius attacks are deliberately designed to be misclassified as ransomware during initial triage. Organizations responding to what appears to be a ransomware incident against Israeli, UAE, or South African targets should treat the possibility of a state-directed wiper operation as a priority hypothesis — particularly if ransom demands appear but decryption is not offered or functional. Early containment decisions depend on correctly identifying the payload as destructive rather than extortion-motivated.
Target Profile
Agrius targets align with MOIS strategic interests — primarily causing economic damage and reputational harm to Israeli institutions, with secondary targeting of other regional adversaries and global organizations connected to Israeli industry.
- Israeli higher education: Universities and research institutions targeted in the sustained 2023 campaign, with PII including student ID numbers, passport scans, and postal and email addresses exfiltrated and published publicly to maximize embarrassment and harm to individuals.
- Israeli technology sector: IT consulting firms, software developers, and tech companies targeted for IP theft and destructive disruption. The Fantasy supply-chain attack began with the compromise of an Israeli IT support company.
- Diamond and gem industry: The 2022 Fantasy supply-chain campaign specifically targeted organizations in the global diamond trade connected to Israel — affecting a South African diamond wholesaler, an Israeli diamond wholesaler, and a Hong Kong jeweler through a compromised Israeli software vendor serving the industry.
- Israeli HR and consulting firms: HR organizations targeted in the February 2022 campaign period, likely for the employee PII and corporate data they hold across client organizations.
- UAE targets: Early Agrius operations before the December 2020 pivot to Israel included targets in the UAE, consistent with Iranian targeting of Gulf state adversaries.
- Critical infrastructure (emerging): Camera scanning activity during the June 2025 conflict, targeting energy, financial, government, and utilities sectors, signals Agrius's role in broader Iranian kinetic support operations.
Tactics, Techniques & Procedures
Documented TTPs based on SentinelOne, ESET, Palo Alto Unit 42, and Check Point reporting across the group's operational history through 2025.
| MITRE ID | Technique | Description |
|---|---|---|
| T1190 | Exploit Public-Facing Application | Primary initial access vector. Agrius exploits known vulnerabilities in internet-facing web servers — particularly one-day vulnerabilities in public-facing applications — to gain a foothold. The group routinely operates from commercial Israeli VPN infrastructure to blend with legitimate regional traffic and complicate attribution. |
| T1505.003 | Server Software Component — Web Shell | ASP.NET and ASPX web shells deployed on compromised servers for persistent access and staging. The IPsec Helper backdoor and web shell variants were uploaded to VirusTotal from Iranian IP addresses — a key attribution data point. Web shells are used to tunnel RDP traffic and stage subsequent payloads. |
| T1021.001 | Remote Services — RDP | RDP traffic tunneled through deployed web shells using legitimate compromised accounts for lateral movement. Combined with living-off-the-land binaries and publicly available offensive security tools for reconnaissance and continued traversal of the compromised environment. |
| T1003 | OS Credential Dumping | Credential harvesting tools deployed during the lateral movement phase to acquire administrative credentials for deeper network access. Unit 42 documented credential harvesting in South Africa in February 2022 as preparatory work for the subsequent supply-chain wiper deployment in March. |
| T1041 | Exfiltration Over C2 Channel | Data exfiltration using a mix of public tools (WinSCP, PuTTY) and custom tools (Sqlextractor — a bespoke tool for extracting data from database servers). PII and intellectual property exfiltrated before wiper deployment, then published on Telegram and social media for psychological operations effect. |
| T1485 | Data Destruction | Core operational objective. Wiper payloads deployed after data exfiltration to destroy files, corrupt data with random bytes, wipe boot sectors, delete registry keys, clear Windows Event Logs, and render endpoints unrecoverable. The Fantasy wiper specifically overwrites all drives except the Windows folder, deletes registry keys in HKCR, clears event logs, blanks the SystemDrive folder, overwrites the MBR, deletes itself, and reboots — all within a defined execution window. |
| T1486 | Data Encrypted for Impact | Early Apostle deployments displayed ransom notes and simulated ransomware behavior while actually destroying data — the encryption was cosmetic. Later versions of Apostle were rewritten into functional ransomware. Fantasy abandoned the ransomware disguise. This evolution reflects deliberate tactical iteration on the deception model. |
| T1195.002 | Supply Chain Compromise — Compromise Software Supply Chain | The February–March 2022 Fantasy campaign abused an Israeli software developer's update mechanism to push the Fantasy wiper to downstream customers — victims in Israel, South Africa, and Hong Kong who trusted the vendor's software updates. The campaign lasted under three hours from launch to ESET detection, indicating pre-positioned access. |
| T1562.001 | Impair Defenses — Disable or Modify Tools | The 2023 wiper suite (MultiLayer, PartialWasher, BFG Agonizer) was specifically engineered to bypass EDR and security solutions. Unit 42 assessed that Agrius had significantly upgraded its capabilities and was investing substantial resources in EDR evasion techniques, representing a direct response to improved detection of earlier wiper variants. |
| T1583 | Acquire Infrastructure | Agrius operates from commercial Israeli VPN infrastructure to blend initial access traffic with legitimate regional traffic. This infrastructure choice is consistent with the group's broader deception model — Israeli VPN exit nodes make scanning and exploitation traffic appear to originate from within the target country. |
Known Campaigns
Confirmed operations and high-confidence attributions linked to Agrius across its operational history.
Agrius's earliest documented activity targeted organizations in the Middle East, including in the UAE, using DEADWOOD (Detbosit), a wiper also used by other Iranian threat actors. Initial access was gained via vulnerable web servers and ASPXSpy web shell deployment, followed by installation of the IPsec Helper backdoor. From December 2020 onward the group pivoted to a primary focus on Israeli targets.
This is the campaign that led to Agrius's public identification by SentinelOne. The group deployed Apostle, a custom .NET wiper disguised with a ransom note, against Israeli targets. Early Apostle versions lacked functional decryption, confirming that destruction rather than extortion was the objective. The group also deployed DEADWOOD in some incidents. SentinelOne published its attribution in May 2021, the first public naming of Agrius as a distinct threat cluster.
Agrius's most operationally sophisticated campaign to date was documented by ESET. Beginning in February 2022, the group compromised a South African diamond industry organization to harvest credentials. On March 12, 2022, the group launched a supply-chain attack abusing an Israeli software developer's update mechanism to push the Fantasy wiper to downstream customers simultaneously in South Africa, Israel, and Hong Kong. Victims included an IT support firm, an Israeli diamond wholesaler, an HR consulting firm, a South African diamond industry organization, and a Hong Kong jeweler. The campaign lasted under three hours. Fantasy, deployed alongside the Sandals lateral movement tool, was built on Apostle's codebase but made no attempt to disguise itself as ransomware.
Check Point documented Agrius deploying Moneybird, a previously unseen ransomware written in C++, against an Israeli logistics and transportation organization. Moneybird targeted files in a specific directory — departing from Agrius's typical full-disk wiper approach and suggesting continued experimentation with the ransomware-as-cover model. Attribution relied on infrastructure and web shell overlaps with prior Agrius campaigns.
A sustained campaign from January through October 2023 against Israeli universities and technology companies was documented by Palo Alto Networks Unit 42. The group exploited internet-facing web servers, deployed web shells, harvested credentials, exfiltrated PII (student ID numbers, passport scans, email and postal addresses) and intellectual property, published stolen data on Telegram, and then deployed three new EDR-bypass wipers: MultiLayer (.NET, file deletion and random-byte corruption with boot sector wipe), PartialWasher (C++, targeted folder wiping), and BFG Agonizer (based on open-source CRYLINE-v5.0). The campaign represented a significant capability upgrade, with evidence Agrius had invested heavily in defeating endpoint detection.
During the 12-day Israel-Iran conflict in June 2025, Check Point Research observed Agrius-linked infrastructure actively scanning for vulnerable IP cameras (Hikvision and Dahua devices) across Israel, exploiting CVE-2017-7921, CVE-2023-6895, CVE-2021-36260, and other known vulnerabilities. The targeting is consistent with Iranian doctrine of compromising surveillance infrastructure for post-attack battle damage assessment and kinetic strike support. Active wiper campaigns were simultaneously reported against Israeli energy, financial, government, and utilities sectors.
Tools & Malware
Agrius maintains a continuously evolving custom toolchain, with new wiper variants introduced in each major campaign phase. Code overlap and shared self-deletion mechanisms (SelfDelete() function, remover.bat pattern) across all tools confirm a shared developer or development team.
- Apostle: Agrius's founding custom wiper, written in .NET. Initially deployed with a ransomware facade — ransom note present but decryption non-functional. Subsequently rewritten into functional ransomware in later variants. The evolutionary arc of Apostle from pure wiper to ransomware-capable tool reflects deliberate iteration on the deception model.
- Fantasy: Second-generation wiper built on Apostle's codebase, documented by ESET. Deployed via the Fantasy supply-chain attack in 2022. Unlike Apostle, Fantasy makes no attempt to simulate ransomware. On execution it overwrites all drives (except Windows folder), deletes HKCR registry keys, clears Windows Event Logs, blanks the SystemDrive folder, overwrites the MBR, self-deletes, and reboots — all within a scripted window.
- Sandals: Lateral movement and Fantasy execution tool introduced alongside Fantasy in the 2022 supply-chain campaign. Used to connect remotely to systems and deploy the wiper payload.
- MultiLayer: Third-generation .NET wiper introduced in the 2023 higher education campaign. Enumerates files for deletion or corruption with random bytes to resist recovery, then wipes the boot sector. Code overlaps with IPsec Helper and Fantasy confirm shared authorship.
- PartialWasher: C++-based wiper from the 2023 campaign suite. Scans drives and wipes specified folders and subfolders. Compiled October 8, 2023; supports an interactive command-line interface when invoked with the argument 1. Contains typos in interface text suggesting non-native English authorship.
- BFG Agonizer: Third wiper in the 2023 suite. Heavily based on the open-source CRYLINE-v5.0 project. All three 2023 wipers were engineered specifically to evade and bypass EDR solutions.
- Moneybird: C++-based ransomware deployed in the 2023 Israeli transportation campaign. Targets files in specific directories rather than full-disk wiping — an operational departure from Agrius's typical approach.
- IPsec Helper: Custom .NET backdoor used for persistent access, additional payload injection, and data removal. Shares SelfDelete() function naming and implementation with Apostle, Fantasy, and MultiLayer — confirming shared codebase.
- Sqlextractor: Bespoke tool for extracting data from database servers, introduced in the 2023 campaign for targeted PII and IP collection prior to wiper deployment.
- DEADWOOD (Detbosit): Third-party wiper used in early Agrius operations before the group developed its own custom toolchain. Also used by other Iranian threat actors, making early attribution less definitive.
Indicators of Compromise
Behavioral indicators from documented Agrius campaigns. Specific file hashes for individual wiper variants are available in the SentinelOne, ESET, and Unit 42 reports linked in the sources section.
Agrius wiper payloads are specifically engineered to defeat EDR detection. Hash-based indicators from prior campaigns have limited value against new variants. Focus detection on behavioral patterns — particularly the pre-wiper data exfiltration phase and self-deletion artifact patterns — which are more consistent across the group's toolchain evolution.
Mitigation & Defense
Recommended defensive measures for organizations in Agrius's target profile — Israeli and regional organizations in education, technology, defense supply chain, and industrial sectors.
- Treat suspected ransomware as potential wiper: Any ransomware incident against Israeli or regional targets should immediately trigger wiper-response protocols alongside standard ransomware containment. Do not assume decryption is available or that paying will restore data. Isolate affected systems immediately and prioritize forensic preservation before any remediation attempt.
- Patch internet-facing applications aggressively: Agrius consistently enters via known vulnerabilities in public-facing web servers. Maintain a real-time inventory of internet-facing assets and treat one-day vulnerability patching as a priority for any externally accessible application. Web application firewall rules should be updated within hours of new CVE disclosures for public-facing server software.
- Monitor for web shell deployment: Implement file integrity monitoring on all web server directories. Alert on creation of .aspx, .asp, or .php files in web-accessible paths outside of scheduled deployment windows. Web shells are Agrius's primary persistence mechanism and the most reliable early-warning indicator.
- Protect backup integrity: Agrius destroys data — including boot sectors — to prevent recovery. Maintain offline, immutable backups for all critical systems. Test restoration procedures regularly. Backups accessible from the production network will be targeted and wiped alongside primary data.
- Alert on bulk database access and exfiltration tools: The pre-wiper exfiltration phase using WinSCP, PuTTY, and Sqlextractor is a reliable pre-detonation detection window. Implement data loss prevention rules alerting on large outbound transfers, database dump creation, and the presence of non-standard database extraction utilities.
- Monitor for RDP tunneling through web servers: Agrius tunnels RDP through deployed web shells for lateral movement. Alert on RDP connections originating from web server processes or IIS worker processes — this is not expected behavior in normal operations.
- Harden EDR configurations: The 2023 wiper suite was specifically engineered to bypass EDR. Ensure EDR solutions are running in prevention mode rather than detection-only, apply tamper protection, and audit EDR coverage gaps regularly. Consider supplementing host-based detection with network-level behavioral analytics.
- Secure software update mechanisms: The Fantasy supply-chain attack abused a software vendor's update mechanism. Organizations that distribute software to customers should apply code signing to update packages, implement integrity verification before update execution, and monitor update delivery infrastructure for unauthorized modifications.
- Secure IP cameras and network devices: Given 2025 documentation of camera exploitation for battle damage assessment, audit and patch network-connected cameras — particularly Hikvision and Dahua devices — against CVE-2017-7921, CVE-2021-36260, CVE-2021-33044, and CVE-2023-6895. Segment camera networks from primary IT infrastructure.
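As an added example (not code from the profile or from any of the cited reports), the following Python triage pass runs the behavioural checks called for in the mitigation list above and in the Indicators of Compromise guidance: web shell files dropped in the web root outside a deployment window, child processes and RDP connections originating from the IIS worker process, exfiltration tooling starting, and the remover.bat self-deletion artifact. It operates on a handful of constructed Sysmon-style events; the event field names, the IIS web root, the deployment window and the tool binary names are assumptions.

```python
"""Behavioural triage over constructed Sysmon-style events (added example, not from the profile).
Assumptions not taken from the page: events mirror Sysmon IDs 1/3/11, the IIS web root is
C:\\inetpub\\wwwroot, the sanctioned deploy window is 02:00-03:59 UTC, and WinSCP/PuTTY keep
their stock binary names."""
from datetime import datetime
from pathlib import PureWindowsPath
WEB_ROOTS = ("c:\\inetpub\\wwwroot",)          # assumption: IIS default root
WEB_SHELL_EXT = {".aspx", ".asp", ".php"}      # extensions named in the mitigation list
DEPLOY_HOURS_UTC = {2, 3}                      # assumption: sanctioned deployment window
EXFIL_TOOLS = {"winscp.exe", "putty.exe", "pscp.exe", "plink.exe"}  # stock names (assumption)
IIS_WORKER = "w3wp.exe"

def _base(path):
    return PureWindowsPath(path).name.lower()
def triage(event):
    """Return (rule, detail) hits for one event; an empty list means nothing matched."""
    hits = []
    eid = event["event_id"]
    if eid == 11:  # FileCreate: web shell drop or self-deletion batch file
        target = event["target"]
        hour = datetime.fromisoformat(event["utc_time"]).hour
        if (target.lower().startswith(WEB_ROOTS)
                and PureWindowsPath(target).suffix.lower() in WEB_SHELL_EXT
                and hour not in DEPLOY_HOURS_UTC):
            hits.append(("webshell_drop", target))
        if _base(target) == "remover.bat":  # self-delete artifact shared across the toolchain
            hits.append(("self_delete_artifact", target))
    elif eid == 1:  # ProcessCreate: IIS worker spawning children, or exfil tooling starting
        if _base(event["parent_image"]) == IIS_WORKER:
            hits.append(("iis_child_process", event["image"]))
        if _base(event["image"]) in EXFIL_TOOLS:
            hits.append(("exfil_tooling", event["image"]))
    elif eid == 3:  # NetworkConnect: RDP leaving the web server process itself
        if _base(event["image"]) == IIS_WORKER and event["dst_port"] == 3389:
            hits.append(("rdp_from_iis_worker", event["dst_ip"]))
    return hits

def triage_all(events):
    """Flatten hits across a batch, keeping each event's timestamp."""
    return [(e["utc_time"], r, d) for e in events for r, d in triage(e)]

W3WP = "C:\\Windows\\System32\\inetsrv\\w3wp.exe"
SAMPLE_EVENTS = [  # constructed telemetry, not real incident data
    {"event_id": 11, "utc_time": "2023-05-02T02:15:00", "image": "C:\\Windows\\System32\\msiexec.exe",
     "target": "C:\\inetpub\\wwwroot\\app\\Default.aspx"},   # inside deploy window: benign
    {"event_id": 11, "utc_time": "2023-05-02T13:41:00", "image": W3WP,
     "target": "C:\\inetpub\\wwwroot\\upload\\x.aspx"},      # .aspx written by the worker
    {"event_id": 1, "utc_time": "2023-05-02T13:45:00", "image": "C:\\Windows\\System32\\cmd.exe",
     "parent_image": W3WP},                                   # web shell spawning cmd
    {"event_id": 3, "utc_time": "2023-05-02T13:50:00", "image": W3WP,
     "dst_ip": "10.0.5.21", "dst_port": 3389},                # RDP from the IIS worker
    {"event_id": 1, "utc_time": "2023-05-03T01:10:00", "image": "C:\\Tools\\WinSCP.exe",
     "parent_image": "C:\\Windows\\explorer.exe"},            # exfil tool started
    {"event_id": 11, "utc_time": "2023-05-03T03:00:00", "image": "C:\\Users\\Public\\svc.exe",
     "target": "C:\\Users\\Public\\remover.bat"},             # self-delete batch file
]
if __name__ == "__main__":
    for when, rule, detail in triage_all(SAMPLE_EVENTS):
        print(f"{when}  {rule:<22} {detail}")
```

Each rule maps to one line of the mitigation list, so a hit on the web shell or IIS-child rules is the early-warning signal, while a hit on the exfiltration or self-deletion rules indicates the pre-wiper or post-wiper phase is already under way.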
Agrius activity escalates measurably during periods of heightened Israel-Iran tension. Organizations in the target profile should increase monitoring posture and accelerate patching cycles during geopolitical flashpoints — the group has been directly observed activating new scanning and attack infrastructure within hours of military escalation.
Sources & Further Reading
Attribution and references used to build this profile.
- SentinelOne — From Wiper to Ransomware: The Evolution of Agrius (2021)
- ESET — Fantasy: A New Agrius Wiper Deployed Through a Supply-Chain Attack (2022)
- Palo Alto Networks Unit 42 — Agonizing Serpens Targeting Israeli Higher Education and Tech Sectors (2023)
- MITRE ATT&CK — Agrius Group G1030
- Check Point Research — What Defenders Need to Know About Iran's Cyber Capabilities (2025)
- Palo Alto Networks Unit 42 — Iranian Cyber Threat Evolution (2025)
- The Record — New Iranian Threat Actor Targets Israel with Wipers Disguised as Ransomware (2021)