G1030: Agrius
Analyst context for executives and security teams
Agrius matters because ATT&CK links the group to ransomware and wiper operations, so the business issue is operational disruption and recovery readiness as much as data theft. The supplied relationships show a pattern defenders should treat as credential-driven intrusion: initial access through exposed applications or weak passwords, then discovery, lateral movement over RDP, collection and staging, exfiltration, and finally destructive or extortion malware, almost all of it on Windows.
Executive priority
Prioritize Agrius as a resilience and incident-readiness planning scenario, especially for organizations with the Middle East or Israeli exposure noted in public reporting. Leaders should ask whether identity controls, backup recovery, endpoint visibility, and destructive-malware response playbooks are tested together, not separately. The decision that matters is whether the organization can detect credential theft and lateral movement early enough to prevent ransomware or wiper-stage impact, and whether audit evidence exists for privileged access control, logging, and recovery testing.
Technical view
ATT&CK provides no group-level detection text or platform list for Agrius, so validation has to be driven by the related software and technique records. Those records point to Windows-heavy activity: Mimikatz, NBTscan, ASPXSpy, IPsec Helper, Apostle, DEADWOOD, MultiLayer Wiper, BFG Agonizer, and Moneybird, together with credential access against LSASS memory and the SAM, password spraying and brute force over SMB, domain account abuse, RDP lateral movement, Windows command shell execution, host and service discovery, local staging and archiving with 7zip, exfiltration over the C2 channel, masquerading (a renamed Plink), and deobfuscation. SOC and IR teams should confirm they have visibility into credential access, remote logons, web shell indicators, internal scanning, suspicious command execution, data staging, and destructive file activity.
Likely telemetry
- Windows endpoint process creation and command-line logs, especially cmd.exe, credential-dumping tools, suspicious .NET/C++ executables, and renamed or masqueraded binaries
- Windows security events for privileged logons, domain account use, failed authentication patterns, password spraying, RDP sessions, and lateral movement
- EDR memory-access telemetry for LSASS and registry/SAM access where available
- Web server logs and file integrity evidence relevant to ASPX web shells
- Network telemetry for internal host and service discovery, unusual SMB/RDP activity, and possible C2/exfiltration channels
Detection direction
- Map detections to the related techniques rather than relying on a single Agrius indicator set, because the supplied ATT&CK object has no official detection section.
- Correlate credential-access signals with later RDP, domain account use, discovery, and data staging; isolated alerts may look administrative, but the sequence is higher risk.
- Tune password spraying and brute-force analytics to account for low-and-slow attempts across many accounts and identity providers where telemetry exists.
- Hunt for web shell behavior on Windows web servers, including unusual ASPX files, abnormal child processes, and unexpected outbound connections.
- Validate destructive-malware detections through behavior such as mass file overwrite/deletion, anomalous compilation or metadata where observable, and ransom-note creation, while avoiding assumptions that every ransomware alert is Agrius-related.
Mitigation priorities
- Start with identity hardening: enforce strong authentication, reduce standing domain privileges, monitor privileged accounts, and address password spraying exposure.
- Protect credential material on Windows systems by limiting administrative access, hardening LSASS-related protections where applicable, and monitoring SAM/credential access attempts.
- Restrict and monitor RDP and other remote administration paths, especially between user workstations and servers.
- Harden internet-facing web applications and servers against web shell persistence, and maintain file integrity and web log review procedures.
- Segment networks and limit lateral movement paths so discovery and remote access do not easily reach critical systems.
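The web log review and web shell hunt that the detection and mitigation bullets call for, as an added example that is not from the page, MITRE, or the cited reports. It parses constructed IIS W3C log lines (the real IIS field-header format, hypothetical paths and addresses), flags requests to .aspx paths missing from an assumed known-good page inventory, flags command-shell children of the IIS worker process w3wp.exe in constructed process-creation records, and pairs the two by time. The baseline inventory, the 5-second pairing window and the list of shell-like child images are assumptions.

```python
"""Added example: hunt for ASPX web shells (T1505.003) by combining IIS request logs
with process-creation telemetry for w3wp.exe spawning a command shell (T1059.003)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IIS W3C extended log (hypothetical server, paths and client addresses).
IIS_LOG = """#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2024-01-10 08:00:01 203.0.113.9 GET /Default.aspx 200
2024-01-10 08:00:05 203.0.113.9 GET /Account/Login.aspx 200
2024-01-10 08:01:10 198.51.100.7 GET /Default.aspx 200
2024-01-10 11:32:40 198.51.100.77 POST /aspnet_client/config.aspx 200
2024-01-10 11:33:02 198.51.100.77 POST /aspnet_client/config.aspx 200
2024-01-10 11:40:15 198.51.100.77 POST /aspnet_client/config.aspx 200
"""

# Constructed process-creation records (Sysmon event 1 / Security 4688 shape).
PROCESSES = [
    {"ts": "2024-01-10 08:30:00", "parent": "w3wp.exe", "image": "csc.exe",
     "cmdline": "csc.exe /t:library /out:App_Web_x.dll"},   # normal ASP.NET compile
    {"ts": "2024-01-10 11:33:03", "parent": "w3wp.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"ts": "2024-01-10 11:40:16", "parent": "w3wp.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c net user"},
]

# Assumed known-good page inventory; in practice build it from a deployment manifest.
BASELINE_PAGES = {"/Default.aspx", "/Account/Login.aspx"}
# Child images that a web worker process has no business spawning.
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "net.exe", "whoami.exe", "reg.exe"}
PAIR_WINDOW = timedelta(seconds=5)


def parse_iis(text):
    """Parse W3C extended log lines into dicts keyed by the names in the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows


def unknown_aspx_requests(rows, baseline=BASELINE_PAGES):
    """Group requests to .aspx paths outside the baseline: {path: {'ips': set, 'posts': n}}."""
    hits = defaultdict(lambda: {"ips": set(), "posts": 0})
    for r in rows:
        path = r["cs-uri-stem"]
        if path.lower().endswith(".aspx") and path not in baseline:
            hits[path]["ips"].add(r["c-ip"])
            if r["cs-method"] == "POST":
                hits[path]["posts"] += 1
    return dict(hits)


def w3wp_shell_children(procs):
    """Process-creation records where the IIS worker spawned a shell-like child."""
    return [p for p in procs
            if p["parent"].lower() == "w3wp.exe" and p["image"].lower() in SHELL_CHILDREN]


def correlate_requests_to_shells(rows, procs, window=PAIR_WINDOW):
    """Pair each request to a non-baseline .aspx path with a w3wp.exe shell child
    started within `window` after the request; returns (path, client ip, cmdline)."""
    pairs = []
    children = w3wp_shell_children(procs)
    for r in rows:
        path = r["cs-uri-stem"]
        if not path.lower().endswith(".aspx") or path in BASELINE_PAGES:
            continue
        t_req = datetime.fromisoformat(f"{r['date']} {r['time']}")
        for p in children:
            delta = datetime.fromisoformat(p["ts"]) - t_req
            if timedelta(0) <= delta <= window:
                pairs.append((path, r["c-ip"], p["cmdline"]))
    return pairs


if __name__ == "__main__":
    rows = parse_iis(IIS_LOG)
    print(unknown_aspx_requests(rows))
    for pair in correlate_requests_to_shells(rows, PROCESSES):
        print(pair)
```

The csc.exe child is deliberately left out of the shell list because ASP.NET compiles pages through the worker process; the signal is a shell-like child, not any child at all. A non-baseline .aspx path hit by one client address with repeated POSTs, each followed within seconds by w3wp.exe launching cmd.exe, is the pattern the hunt bullet describes.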
Analyst notes and limits
Aliases supplied for this group include Agrius, Pink Sandstorm, AMERICIUM, Agonizing Serpens, and BlackShadow. Public reporting cited by ATT&CK links the group to Iran’s Ministry of Intelligence and Security and describes ransomware and wiper operations with emphasis on Israeli targets. The relationship set is especially useful for defenders because it connects the group to credential dumping, password attacks, domain account abuse, RDP, collection, exfiltration, and multiple wiper/ransomware malware families.
ATT&CK does not provide group-level platforms, tactics, labels, or official detection guidance for this object. Platform and tactic references in this analysis are derived only from the supplied related software and technique records, many of which are broader ATT&CK technique descriptions rather than Agrius-specific observations. Local exposure, telemetry quality, and control effectiveness must be validated in the organization's own environment.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1018 | Remote System Discovery | |
| Enterprise | T1685 | Disable or Modify Tools | Agrius used several mechanisms to try to disable security tools. Agrius attempted to modify EDR-related services to disable auto-start on system reboot. Agrius used a publicly available driver, |
| Enterprise | T1046 | Network Service Discovery | Agrius used the open-source port scanner |
| Enterprise | T1078.002 | Valid Accounts: Domain Accounts | Agrius attempted to acquire valid credentials for victim environments through various means to enable follow-on lateral movement. [9] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | |
| Enterprise | T1505.003 | Server Software Component: Web Shell | |
| Enterprise | T1005 | Data from Local System | Agrius gathered data from database and other critical servers in victim environments, then used wiping mechanisms as an anti-analysis and anti-forensics mechanism. [9] |
| Enterprise | T1583 | Acquire Infrastructure | Agrius typically uses commercial VPN services for anonymizing last-hop traffic to victim networks, such as ProtonVPN. [1] |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | Agrius has used the folder, |
| Enterprise | T1110.003 | Brute Force: Password Spraying | Agrius engaged in password spraying via SMB in victim environments. [9] |
| Enterprise | T1119 | Automated Collection | Agrius used a custom tool, |
| Enterprise | T1003.002 | OS Credential Dumping: Security Account Manager | Agrius dumped the SAM file on victim machines to capture credentials. [9] |
| Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | Agrius used 7zip to archive extracted data in preparation for exfiltration. [9] |
| Enterprise | T1036 | Masquerading | Agrius used the Plink tool for tunneling and connections to remote machines, renaming it |
| Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | |
| Enterprise | T1021.001 | Remote Services: Remote Desktop Protocol | |
| Enterprise | T1190 | Exploit Public-Facing Application | Agrius exploits public-facing applications for initial access to victim environments. Examples include widespread attempts to exploit CVE-2018-13379 in FortiOS devices and SQL injection activity. [1] |
| Enterprise | T1110 | Brute Force | Agrius engaged in various brute forcing activities via SMB in victim environments. [9] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | |
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | Agrius has deployed IPsec Helper malware post-exploitation and registered it as a service for persistence. [1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Agrius exfiltrated staged data using tools such as Putty and WinSCP, communicating with command and control servers. [9] |
| Enterprise | T1570 | Lateral Tool Transfer | Agrius downloaded some payloads for follow-on execution from legitimate filesharing services such as |
Groups, software, and campaigns
S0590: NBTscan
S0002: Mimikatz
S1132: IPsec Helper
IPsec Helper is a post-exploitation remote access tool linked to Agrius operations. This malware shares significant programming and functional overlaps with Apostle ransomware, also linked to Agrius. IPsec Helper provides basic remote access tool functionality such as uploading files from victim systems, running commands, and deploying additional payloads.[1]
S1137: Moneybird
S1135: MultiLayer Wiper
MultiLayer Wiper is wiper malware written in .NET associated with Agrius operations. Observed samples of MultiLayer Wiper have an anomalous, future compilation date suggesting possible metadata manipulation.[1]
S1134: DEADWOOD
S1136: BFG Agonizer
BFG Agonizer is a wiper related to the open-source project CRYLINE-v.5.0. The malware is associated with wiping operations conducted by the Agrius threat actor.[1]
S0073: ASPXSpy
ASPXSpy is a Web shell. It has been modified by Threat Group-3390 actors to create the ASPXTool version. [1]
S1133: Apostle
Apostle is malware that has functioned as both a wiper and, in more recent versions, as ransomware. Apostle is written in .NET and shares various programming and functional overlaps with IPsec Helper.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | c9d623aad68f… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] SentinelOne Agrius 2021: Amitai Ben Shushan Ehrlich. (2021, May). From Wiper to Ransomware: The Evolution of Agrius. Retrieved May 21, 2024.
[2] CheckPoint Agrius 2023: Marc Salinas Fernandez & Jiri Vinopal. (2023, May 23). Agrius Deploys Moneybird in Targeted Attacks Against Israeli Organizations. Retrieved May 21, 2024.
[3] Microsoft Iran Cyber 2023: Microsoft Threat Intelligence. (2023, May 2). Iran turning to cyber-enabled influence operations for greater effect. Retrieved May 21, 2024.
[4] AMERICIUM: alias record (Citation: Microsoft Threat Actor Naming July 2023).
[5] Agonizing Serpens: alias record (Citation: Unit42 Agrius 2023).
[6] BlackShadow: alias record (Citation: CheckPoint Agrius 2023).
[7] Microsoft Threat Actor Naming July 2023: Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
[8] Pink Sandstorm: alias record (Citation: Microsoft Threat Actor Naming July 2023).
[9] Unit42 Agrius 2023: Or Chechik, Tom Fakterman, Daniel Frank & Assaf Dahan. (2023, November 6). Agonizing Serpens (Aka Agrius) Targeting the Israeli Higher Education and Tech Sectors. Retrieved May 22, 2024.
[10] mitre-attack: MITRE ATT&CK group object G1030.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.