S1136: BFG Agonizer
BFG Agonizer is a wiper related to the open-source project CRYLINE-v.5.0. The malware is associated with wiping operations conducted by the Agrius threat actor.[1]
Analyst context for executives and security teams
BFG Agonizer is an ATT&CK-listed Windows wiper associated in MITRE reporting with Agrius wiping operations. Its business significance is availability and recovery risk: the related behaviors include disk-structure wiping, inhibiting recovery, shutdown/reboot activity, and host binary compromise. For leaders, this is less about routine malware cleanup and more about whether the organization can detect destructive preparation and prove systems and backups can be restored quickly.
Executive priority
Prioritize this as an operational resilience and incident readiness scenario. Executives should ask whether critical Windows assets have recoverable, tested backups; whether recovery mechanisms can be protected from tampering; and whether SOC and IR teams have playbooks for destructive malware where containment, preservation, and restoration decisions must happen quickly. This object also supports audit and compliance conversations around backup evidence, recovery testing, endpoint logging, and change control for critical binaries.
Technical view
ATT&CK does not provide a detection section for BFG Agonizer, so coverage should be validated through the mapped behaviors: T1490 Inhibit System Recovery, T1529 System Shutdown/Reboot, T1554 Compromise Host Software Binary, and T1561.002 Disk Structure Wipe. For the supplied software platform, focus validation on Windows endpoint visibility, especially events showing unusual modification of recovery features, unexpected shutdown or reboot activity, changes to trusted binaries, and low-level disk or boot-structure tampering indicators. IR teams should ensure destructive-malware triage distinguishes wiping activity from ordinary crashes, patch reboots, or administrative maintenance.
Likely telemetry
- Windows endpoint process execution and command-line telemetry
- File creation, modification, deletion, and integrity-monitoring data for host software binaries
- Disk, boot, partition, or volume modification indicators where collected by endpoint tooling
- Windows system event logs related to shutdowns, reboots, service failures, and abnormal restarts
- Backup, recovery, and system-restore configuration logs or administrative audit trails
Detection direction
- Build detections around behavior rather than the malware name alone, because ATT&CK provides no official detection logic for this object.
- Validate alerts for attempts to interfere with recovery capability and correlate them with endpoint process, file, and administrative activity.
- Monitor unexpected shutdown or reboot events in context, tuning out approved patching, maintenance windows, and administrator-initiated restarts.
- Use file integrity and endpoint telemetry to identify suspicious modification or replacement of host software binaries, while accounting for legitimate software updates.
- Prioritize high-confidence correlations involving recovery tampering plus disk-structure changes or abnormal reboot behavior, as these combinations are more material for wiper response.
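The correlation logic described in the list above, as an added example that is not part of the original page or of any MITRE or Unit42 material: a small behavior-based pipeline that classifies normalized Windows endpoint events into the four wiper-relevant categories (recovery tampering, disk-structure change, host binary modification, abnormal reboot), suppresses reboots that fall inside an approved maintenance window, and raises a high-confidence alert only when recovery tampering co-occurs with disk-structure or reboot activity on the same host. The event shapes, field names, hostnames, paths, timestamps and the updater allowlist are constructed for this example; the recovery-tampering command patterns are well-known general T1490 procedures rather than anything this page attributes to BFG Agonizer.

```python
"""Behavior-based wiper-preparation correlation over constructed Windows telemetry.

Everything below is an added illustration: event layout, hosts, paths, times and the
allowlist are constructed, not taken from MITRE ATT&CK or Unit42 reporting.
"""
import re
from datetime import datetime, timedelta

# Recovery-inhibiting command patterns drawn from the general T1490 technique
# description (not page-specific); extend from your own approved detection content.
RECOVERY_TAMPER_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"bcdedit(\.exe)?\b.*recoveryenabled\s+no", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]
# Processes allowed to replace binaries under Program Files (constructed allowlist).
TRUSTED_UPDATERS = {"msiexec.exe", "tiworker.exe"}
# Approved maintenance windows per host (constructed), used to tune out planned reboots.
MAINTENANCE_WINDOWS = {"WS-ACCT-07": [("2024-05-21T02:00:00", "2024-05-21T04:00:00")]}
CORRELATION_WINDOW = timedelta(minutes=15)

# Constructed sample events, already normalized by a hypothetical collector.
SAMPLE_EVENTS = [
    {"ts": "2024-05-21T02:30:00", "host": "WS-ACCT-07", "kind": "system_event", "event_id": 1074},
    {"ts": "2024-05-21T02:31:00", "host": "WS-ACCT-07", "kind": "file_modify",
     "process": "msiexec.exe", "path": "C:\\Program Files\\AcmeApp\\acmesvc.exe"},
    {"ts": "2024-05-21T09:00:00", "host": "SRV-FILE-02", "kind": "process_create",
     "command_line": "bcdedit /set {default} recoveryenabled No"},
    {"ts": "2024-05-21T09:03:00", "host": "SRV-FILE-02", "kind": "raw_device_write",
     "target": "\\\\.\\PhysicalDrive0"},
    {"ts": "2024-05-21T09:04:00", "host": "SRV-FILE-02", "kind": "file_modify",
     "process": "updater.exe", "path": "C:\\Program Files\\AcmeApp\\acmesvc.exe"},
    {"ts": "2024-05-21T09:05:00", "host": "SRV-FILE-02", "kind": "system_event", "event_id": 1074},
    {"ts": "2024-05-21T11:00:00", "host": "WS-HR-03", "kind": "process_create",
     "command_line": "vssadmin delete shadows /all /quiet"},
]


def _ts(value):
    return datetime.fromisoformat(value)


def in_maintenance(host, when):
    """True when the timestamp falls inside an approved window for that host."""
    return any(_ts(a) <= when <= _ts(b) for a, b in MAINTENANCE_WINDOWS.get(host, []))


def classify(ev):
    """Map one normalized event to a wiper-relevant behavior category, or None."""
    kind = ev["kind"]
    if kind == "process_create":
        if any(p.search(ev["command_line"]) for p in RECOVERY_TAMPER_PATTERNS):
            return "recovery_tamper"
    elif kind == "file_modify":
        target = ev["path"].lower()
        if (target.endswith((".exe", ".dll")) and "\\program files" in target
                and ev["process"].lower() not in TRUSTED_UPDATERS):
            return "binary_modification"
    elif kind == "raw_device_write":
        return "disk_structure_change"
    elif kind == "system_event" and ev["event_id"] in (1074, 6008):
        # 1074: shutdown initiated by a process; 6008: unexpected shutdown (Windows System log).
        if not in_maintenance(ev["host"], _ts(ev["ts"])):
            return "abnormal_reboot"
    return None


def correlate(events):
    """Emit one alert per recovery-tampering event; severity depends on nearby activity."""
    tagged = [(ev["host"], _ts(ev["ts"]), classify(ev)) for ev in events]
    tagged = [t for t in tagged if t[2] is not None]
    alerts = []
    for host, when, cat in tagged:
        if cat != "recovery_tamper":
            continue
        nearby = {c for h, w, c in tagged
                  if h == host and abs(w - when) <= CORRELATION_WINDOW and c != "recovery_tamper"}
        severity = "high" if nearby & {"disk_structure_change", "abnormal_reboot"} else "medium"
        alerts.append({"host": host, "ts": when.isoformat(), "severity": severity,
                       "context": sorted(nearby)})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

In the constructed data, the maintenance-window reboot and the installer-driven binary change on WS-ACCT-07 produce nothing; SRV-FILE-02 yields a high-severity alert because recovery tampering is followed within minutes by a raw device write, an untrusted binary replacement and a reboot; WS-HR-03 yields only a medium alert, because a lone shadow-copy deletion still deserves triage but lacks the destructive context. Replacing the constructed inputs with the organization's own process, file, EDR and System-log feeds, and the allowlist and maintenance windows with approved change records, is the organization-specific work the analyst notes below call out.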
Mitigation priorities
- Maintain tested, offline or otherwise protected backups for critical Windows systems and validate restoration procedures regularly.
- Restrict and monitor administrative privileges that can alter recovery settings, system binaries, shutdown behavior, or disk structures.
- Use change control and integrity monitoring for critical host binaries and recovery-related configurations.
- Prepare an incident response playbook for suspected wiping activity, including rapid isolation, evidence preservation, restoration decision points, and executive communications.
- Review logging retention and EDR coverage on business-critical Windows assets so destructive actions are observable before restoration overwrites evidence.
Analyst notes and limits
The object is a malware entry, not a technique, and its official ATT&CK description is brief. The strongest defensive value comes from its ATT&CK relationships to impact and persistence techniques. MITRE associates the malware with Agrius wiping operations and cites Unit42 reporting, but the supplied fields do not support claims about current activity, specific victim exposure, or guaranteed detection coverage.
Official ATT&CK detection guidance is not provided, tactics are not specified on the malware object, and the software platform supplied is Windows. Related techniques have their own broader platform metadata, but local platform applicability should be validated against the environment. Any concrete detection content requires organization-specific telemetry, baselines, and approved administrative activity context.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1529 | System Shutdown/Reboot | BFG Agonizer uses elevated privileges to call |
| Enterprise | T1554 | Compromise Host Software Binary | BFG Agonizer uses DLL unhooking to remove user-mode inline hooks that security solutions often implement. BFG Agonizer also uses IAT unhooking to remove user-mode IAT hooks that security solutions also use.[1] |
| Enterprise | T1561.002 | Disk Structure Wipe (sub-technique) | BFG Agonizer retrieves a device handle to |
| Enterprise | T1490 | Inhibit System Recovery | BFG Agonizer wipes the boot sector of infected machines to inhibit system recovery.[1] |
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 2b0b5cbab77f… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Unit42 Agrius 2023: Or Chechik, Tom Fakterman, Daniel Frank & Assaf Dahan. (2023, November 6). Agonizing Serpens (Aka Agrius) Targeting the Israeli Higher Education and Tech Sectors. Retrieved May 22, 2024.
- [2] mitre-attack S1136 (MITRE ATT&CK source record).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.