
S1133: Apostle

Apostle is malware that has functioned as both a wiper and, in more recent versions, as ransomware. Apostle is written in .NET and shares various programming and functional overlaps with IPsec Helper.[1]

Domain: Enterprise. ID: S1133. Type: Malware. Object version: 1.0.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Apostle matters because ATT&CK describes it as Windows malware that has operated as a wiper and, in later versions, as ransomware. That makes it a business-continuity concern rather than only a malware-analysis item: the defensive question is whether the organization can detect and respond before scheduled execution, service stops, file encryption or wiping, event log clearing, and reboot turn into an availability incident.

Executive priority

Treat Apostle-like behavior as a test of destructive-malware and ransomware readiness on Windows. Leaders should ask whether critical Windows systems have resilient recovery options, whether SOC teams can see scheduled task abuse and Windows event log clearing, and whether incident responders have decision points for isolating hosts when impact behaviors such as data destruction, disk wipe, encryption, or reboot are observed. This object also supports audit and resilience discussions because the key evidence is operational: endpoint visibility, Windows logging, backup/recovery validation, and response authority.

Technical view

ATT&CK provides no official detection text for Apostle, so defenders should validate coverage through its related behaviors: Scheduled Task, Process Discovery, File Deletion, Deobfuscate/Decode Files or Information, Execution Guardrails, Data Destruction, Data Encrypted for Impact, System Shutdown/Reboot, Disk Content Wipe, and Clear Windows Event Logs. Because the software is described as .NET and Windows-based, prioritize Windows endpoint telemetry, task scheduler artifacts, process creation, file activity, event log modification/clearing, and impact-stage indicators such as abnormal encryption, wiping, deletion, or shutdown patterns. Use the IPsec Helper overlap noted by ATT&CK as threat-intelligence context, not as proof of detection or attribution.

Likely telemetry

  • Windows process creation and command-line telemetry
  • Windows Task Scheduler creation, modification, and execution artifacts
  • Endpoint file creation, deletion, overwrite, and mass-modification events
  • Windows Event Log clear events and gaps in expected logging
  • Signals of .NET execution where available from endpoint tooling

Detection direction

  • Validate alerting for suspicious scheduled task creation or execution, especially when followed by discovery, file changes, or impact behaviors.
  • Tune for sequences rather than single events. The procedure ATT&CK records for Apostle runs roughly: scheduled task creation, process enumeration and stopping of services whose names contain "sql", encryption or wiping of files (GUID-named .lock copies written, originals overwritten and deleted), event log clearing, self-deletion of the binary and its batch scripts, then reboot. Any one of these is common in isolation; several of them on one host in a short window is not.
  • Confirm whether Windows event logs are forwarded off-host quickly enough to preserve evidence if local logs are cleared.
  • Review false positives for administrative task scheduling, software deployment, cleanup scripts, maintenance reboots, and legitimate log management.
  • Because ATT&CK provides no Apostle-specific detection logic, base detections on the related techniques and local baselines rather than malware name matching alone.
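The sequence-based approach described above, as an added example that is not code from the page, MITRE, SentinelOne or Glexia. It correlates constructed Windows records (Security 4698 scheduled task created, System 7036 service stopped, Sysmon 11 file create, Security 1102 / System 104 log cleared, Sysmon 1 process create) per host inside a sliding window and only alerts when an impact-stage artifact is present together with other stages. The flat record layout, the sample records, and the use of shutdown.exe as the reboot indicator are this example's assumptions; a real deployment would feed it from a SIEM or EDR export.

```python
"""Sequence correlation for Apostle-style destructive activity on Windows hosts.

Added example for this page; not code from MITRE, SentinelOne or Glexia.
The Windows event IDs are real (Security 4698 scheduled task created, Security
1102 audit log cleared, System 104 event log cleared, System 7036 service state
change, Sysmon 1 process create, Sysmon 11 file create); the record layout and
the records in SAMPLE_EVENTS are constructed for the demo."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Order in which the page's relationship text places the stages:
# persistence, discovery/service stops, encrypt or wipe, clear logs, reboot.
STAGE_ORDER = ["persist", "discovery", "impact", "evasion", "reboot"]

# ATT&CK records Apostle's encrypted copies as <random GUID>.lock (T1486).
GUID_LOCK = re.compile(
    r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\.lock$", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def classify(ev: dict):
    """Map one normalized record to a stage name, or None if uninteresting."""
    src, eid = ev.get("source"), ev.get("event_id")
    cmd = ev.get("command_line", "").lower()
    msg = ev.get("message", "").lower()
    if src == "security" and eid == 4698:
        return "persist"            # T1053.005: scheduled task created
    if src == "sysmon" and eid == 1 and "schtasks" in cmd and "/create" in cmd:
        return "persist"
    if src == "system" and eid == 7036 and "stopped" in msg and "sql" in msg:
        return "discovery"          # T1057 procedure: services containing "sql" stopped
    if src == "sysmon" and eid == 11 and GUID_LOCK.match(_basename(ev.get("file_name", ""))):
        return "impact"             # T1486 / T1485 artifact on disk
    if (src == "security" and eid == 1102) or (src == "system" and eid == 104):
        return "evasion"            # T1070.001: event log cleared
    if src == "sysmon" and eid == 1 and "shutdown" in cmd and ("/r" in cmd or "/s" in cmd):
        return "reboot"             # T1529 (assumption: shutdown.exe; an API reboot needs other telemetry)
    return None


def correlate(events, window_minutes=30, min_stages=3):
    """One alert per host whose records show >= min_stages distinct stages,
    including impact, inside a sliding window. A single stage never alerts."""
    window = timedelta(minutes=window_minutes)
    by_host = defaultdict(list)
    for ev in events:
        stage = classify(ev)
        if stage:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["time"]), stage))
    alerts = []
    for host, items in by_host.items():
        items.sort()
        best = None
        for i, (t0, _) in enumerate(items):
            in_win = [it for it in items[i:] if it[0] - t0 <= window]
            first_seen = {}
            for t, st in in_win:
                first_seen.setdefault(st, t)
            stages = [s for s in STAGE_ORDER if s in first_seen]
            if "impact" not in stages or len(stages) < min_stages:
                continue
            observed = sorted(first_seen, key=first_seen.get)
            cand = {
                "host": host,
                "stages": stages,
                "ordered": observed == stages,   # matches the sequence the page describes
                "lock_files": sum(1 for _, st in in_win if st == "impact"),
                "first": in_win[0][0].isoformat(),
                "last": in_win[-1][0].isoformat(),
            }
            if best is None or len(cand["stages"]) > len(best["stages"]):
                best = cand
        if best:
            alerts.append(best)
    return alerts


SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"host": "FS01", "time": "2024-05-21T01:02:00", "source": "security", "event_id": 4698,
     "task_name": "\\MicrosoftCrashHandlerUAC"},
    {"host": "FS01", "time": "2024-05-21T01:02:10", "source": "system", "event_id": 7036,
     "message": "The MSSQLSERVER service entered the stopped state."},
    {"host": "FS01", "time": "2024-05-21T01:03:00", "source": "sysmon", "event_id": 11,
     "file_name": "D:\\Shares\\Finance\\4f0c1e2a-9b3d-4c7e-8a1f-0d2e3c4b5a69.lock"},
    {"host": "FS01", "time": "2024-05-21T01:03:05", "source": "sysmon", "event_id": 11,
     "file_name": "D:\\Shares\\Finance\\b7e2d4c6-1a3f-4e5b-9c8d-2f1e0a9b8c7d.lock"},
    {"host": "FS01", "time": "2024-05-21T01:10:00", "source": "security", "event_id": 1102},
    {"host": "FS01", "time": "2024-05-21T01:10:30", "source": "sysmon", "event_id": 1,
     "command_line": "shutdown.exe /r /t 0"},
    # Admin workstation: deployment task plus a later log rotation. Must not alert.
    {"host": "WS07", "time": "2024-05-21T09:00:00", "source": "security", "event_id": 4698,
     "task_name": "\\Backup\\NightlyCopy"},
    {"host": "WS07", "time": "2024-05-21T09:00:30", "source": "system", "event_id": 7036,
     "message": "The Print Spooler service entered the stopped state."},
    {"host": "WS07", "time": "2024-05-21T09:20:00", "source": "security", "event_id": 1102},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The window and stage threshold are the tuning knobs: a narrower window drops late stages such as the reboot but still fires on persistence, service stops and .lock writes together, while the benign workstation (task creation and a log clear, no impact artifact) never reaches the threshold. The `ordered` flag records whether the observed order matches the page's sequence; treat it as a confidence boost, not a requirement, since partial runs and failed stages happen.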

Mitigation priorities

  • Prioritize tested, segregated backups and restore procedures for systems where data destruction or encryption would interrupt operations.
  • Harden and monitor Windows Task Scheduler usage, especially privileged task creation and unusual task names (ATT&CK records MicrosoftCrashHandlerUAC for Apostle), paths, or execution contexts.
  • Restrict unnecessary administrative privileges that would enable log clearing, destructive file operations, disk wiping, or system reboot at scale.
  • Ensure endpoint protection and logging remain resilient during incident response, including off-host log collection for Windows event logs.
  • Prepare IR playbooks for destructive malware/ransomware decision points: isolate affected hosts, preserve evidence, assess scheduled tasks and persistence, and validate recovery before reconnecting systems.
Analyst notes and limits

The supplied ATT&CK object identifies Apostle as Windows malware written in .NET that has functioned as a wiper and ransomware, with functional overlap with IPsec Helper. The relationship set is especially useful because it maps the software to execution/persistence, discovery, stealth, defense-impairment, and impact behaviors. Defensive value comes from validating whether those behavior classes are observable and actionable in the local environment.

ATT&CK does not provide official detection guidance, aliases, labels, or explicit tactics on the malware object itself. Some related techniques list broader platforms, but the Apostle platform supplied here is Windows, so platform-specific conclusions should remain Windows-focused. Local telemetry, asset criticality, backup architecture, and incident history are required to assess actual exposure or coverage.

Official MITRE ATT&CK definition

Apostle

Apostle is malware that has functioned as both a wiper and, in more recent versions, as ransomware. Apostle is written in .NET and shares various programming and functional overlaps with IPsec Helper.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain ID Name Relationship / procedure

Enterprise T1070.001 Clear Windows Event Logs Sub-technique

Apostle will attempt to delete all event logs on a victim machine following file wipe activity.[1]

Enterprise T1057 Process Discovery

Apostle retrieves a list of all running processes on a victim host, and stops all services containing the string "sql", likely to propagate ransomware activity to database files.[1]

Enterprise T1529 System Shutdown/Reboot

Apostle reboots the victim machine following wiping and related activity.[1]

Enterprise T1480 Execution Guardrails

Apostle's ransomware variant requires that a base64-encoded argument be passed at execution, which is used as the public key for subsequent encryption operations. If Apostle is executed without this argument, it automatically runs a self-delete function.[1]

Enterprise T1053.005 Scheduled Task Sub-technique

Apostle achieves persistence by creating a scheduled task, such as MicrosoftCrashHandlerUAC.[1]

Enterprise T1561.001 Disk Content Wipe Sub-technique

Apostle searches for files on available drives based on a list of extensions hard-coded into the sample for follow-on wipe activity.[1]

Enterprise T1486 Data Encrypted for Impact

Apostle creates new, encrypted versions of files then deletes the originals, with the new filenames consisting of a random GUID and ".lock" for an extension.[1]

Enterprise T1485 Data Destruction

Apostle initially masqueraded as ransomware but its actual functionality is a data destruction tool, supported by an internal name linked to an early version, wiper-action. Apostle writes random data to original files after an encrypted copy is created, resizes the original file to zero and changes its time property metadata, then deletes the original file.[1]

Enterprise T1070.004 File Deletion Sub-technique

Apostle writes batch scripts to disk, such as system.bat and remover.bat, that perform various anti-analysis and anti-forensic tasks before deleting themselves at the end of execution. Apostle attempts to delete itself after encryption or wiping operations are complete and before shutting down the victim machine.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

Apostle's compiled code is obfuscated in an unspecified fashion prior to delivery to victims.[1]
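An added on-disk triage for the T1486 and T1485 artifacts recorded above (GUID-named .lock copies, originals overwritten and deleted); this is example code, not code from the page, MITRE, SentinelOne or Glexia. The entropy check, used to separate encrypted payloads from an unrelated application's .lock files, and the constructed directory tree are this example's own assumptions; the page only documents the filename pattern.

```python
"""Filesystem triage for Apostle-style encryption artifacts.

Added example for this page, not code from MITRE, SentinelOne or Glexia.
It looks for the artifact ATT&CK records for T1486: encrypted copies named
<random GUID>.lock with the originals removed. The entropy threshold and the
demo directory tree are assumptions made for this example."""
import math
import os
import re
import tempfile
import uuid
from collections import Counter

GUID_LOCK = re.compile(
    r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\.lock$", re.IGNORECASE)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext or random data, low for structured files."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(root: str, sample_bytes: int = 4096, high_entropy: float = 7.0) -> dict:
    """Walk root; for each directory holding GUID.lock files report how many there are,
    how many other files survive, and whether the .lock content looks encrypted."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        lock = sorted(f for f in files if GUID_LOCK.match(f))
        if not lock:
            continue
        entropies = []
        for name in lock[:10]:                    # sample a few files per directory
            with open(os.path.join(dirpath, name), "rb") as fh:
                entropies.append(shannon_entropy(fh.read(sample_bytes)))
        findings[os.path.relpath(dirpath, root)] = {
            "lock_files": len(lock),
            "other_files": len(files) - len(lock),
            "min_entropy": round(min(entropies), 2),
            "likely_encrypted": min(entropies) >= high_entropy,
        }
    return findings


def build_demo_tree() -> str:
    """Constructed fixture: one share that looks encrypted with originals gone, one
    untouched share, and one benign low-entropy .lock file that uses a GUID name."""
    root = tempfile.mkdtemp(prefix="apostle-triage-")
    finance = os.path.join(root, "Finance")
    public = os.path.join(root, "Public")
    cache = os.path.join(root, "Cache")
    for d in (finance, public, cache):
        os.makedirs(d)
    for _ in range(3):                            # encrypted copies; originals already deleted
        with open(os.path.join(finance, f"{uuid.uuid4()}.lock"), "wb") as fh:
            fh.write(os.urandom(4096))
    with open(os.path.join(public, "readme.txt"), "w") as fh:
        fh.write("quarterly notes\n" * 50)
    with open(os.path.join(cache, f"{uuid.uuid4()}.lock"), "wb") as fh:
        fh.write(b"\x00" * 4096)                  # application lock file, not ciphertext
    return root


if __name__ == "__main__":
    for path, info in triage(build_demo_tree()).items():
        print(path, info)
```

Run it against a mounted image or a share snapshot rather than the live host: the page notes that Apostle deletes itself and its batch scripts and reboots the machine, so the .lock files (and the absence of the originals beside them) are often the most durable evidence left. A directory where every file is a high-entropy GUID.lock is the strongest signal; a lone low-entropy .lock file is usually an application artifact.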

Associated objects

Groups, software, and campaigns

Group Enterprise

G1030: Agrius

Agrius is an Iranian threat actor active since 2020 notable for a series of ransomware and wiper operations in the Middle East, with an emphasis on Israeli targets.[1][2] Public reporting has linked Agrius to Iran's Ministry of Intelligence and Security (MOIS).[3]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
c6a298f3246072d7...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle c6a298f32460…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] SentinelOne Agrius 2021: Amitai Ben Shushan Ehrlich. (2021, May). From Wiper to Ransomware: The Evolution of Agrius. SentinelOne. Retrieved May 21, 2024.
  2. [2] MITRE ATT&CK. S1133: Apostle. attack.mitre.org.
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.