Agrius is an Iran-linked threat actor active since at least 2020 and primarily known for intrusions against organizations in Israel and elsewhere in the Middle East. The group is widely tracked under multiple aliases including Agonizing Serpens, Americium, BlackShadow, Deadwood, Justice Blade, Pink Sandstorm, SharpBoys, and Spectral Kitten. Microsoft has linked Agrius, under the Pink Sandstorm name, to Iran’s Ministry of Intelligence and Security (MOIS). Agrius is notable for combining espionage, disruptive intrusion activity, data theft, and destructive or coercive operations that often masquerade as ransomware. Agrius initially became known for targeting Israeli organizations through exploitation of public-facing applications, followed by deployment of web shells, credential theft, lateral movement, and selective persistence. The group has repeatedly used ASPXSpy-derived web shells for foothold establishment and follow-on command execution, and has tunneled Remote Desktop Protocol traffic through compromised systems to move interactively within victim environments. Reported tradecraft also includes use of publicly available offensive tooling, abuse of compromised accounts, and post-compromise deployment of custom malware. The actor is strongly associated with destructive malware and pseudo-ransomware operations. Agrius used the DEADWOOD wiper and later deployed Apostle, a custom .NET malware family that began as a wiper and was subsequently adapted into functioning ransomware. This evolution is widely assessed as a tactical disguise rather than evidence of purely financial motivation, with ransomware-style messaging used to obscure sabotage or punitive intent. Agrius has also been linked to Moneybird, a later ransomware family assessed to reflect continued tool development while preserving the group’s disruptive operational model. A key Agrius backdoor is IPsec Helper, a custom .NET implant used post-exploitation for persistence, follow-on payload delivery, and data theft. The malware has been reported as installed as a Windows service. Agrius has also been observed using Windows service creation or modification for persistence more broadly, and modifying security-tool-related services to impair defenses and prevent security products from restarting after reboot. Additional defense evasion has included attempts to disable or remove endpoint security software. Victimology centers heavily on Israeli entities, but operations have also affected other Middle Eastern targets, including organizations in the United Arab Emirates. Reported targeting has included universities, insurance, and other enterprise environments, with some operations assessed as aimed at critical or nationally significant organizations. Agrius has been described as a high-risk destructive operator because it combines enterprise intrusion capability with wiper deployment and fake-ransomware tradecraft. Operationally, Agrius commonly follows a sequence of initial access via internet-facing systems, web-shell deployment, credential access, internal reconnaissance, lateral movement, data collection from databases and critical servers, and then disruptive action through wiping or ransomware-like payloads. The group has also used Base64-encoded web-shell variants to reduce detection and has leveraged command interpreters extensively after compromise. Overall, Agrius is best characterized as an Iranian state-linked intrusion set focused on espionage-enabled disruption, destructive attacks, and coercive cyber operations, especially against Israeli targets. Its known aliases, evolving malware families, and blend of custom tooling with public offensive utilities make it a significant actor in the broader Iranian cyber ecosystem.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
50 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
25 malware families attributed to this actor across reporting.
20 additional families tracked in Mallory.
10 CVEs this actor has used in observed campaigns. 10 of them exploited in the wild.
Agrius exploits public-facing applications for initial access to victim environments. Examples include widespread attempts to exploit CVE-2018-13379 in FortiOS devices... APT29 has exploited ... CVE-2018-13379 for FortiGate VPNs... Dragonfly ... exploited ... CVE-2018-13379 for Fortinet VPNs... Magic Hound ... exploited ... Fortios SSL VPNs (CVE-2018-13379). Play ... including CVE-2018-13379 ... in FortiOS.
This analytic identifies potential exploitation attempts of ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) and ProxyNotShell (CVE-2022-41040, CVE-2022-41082) vulnerabilities in Microsoft Exchange Server.
This analytic identifies potential exploitation attempts of ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) and ProxyNotShell (CVE-2022-41040, CVE-2022-41082) vulnerabilities in Microsoft Exchange Server.
This analytic identifies potential exploitation attempts of ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) and ProxyNotShell (CVE-2022-41040, CVE-2022-41082) vulnerabilities in Microsoft Exchange Server.
The following analytic detects attempts to exploit CVE-2022-26134, an unauthenticated remote code execution vulnerability in Confluence... This activity is significant as it allows attackers to execute arbitrary code on the Confluence server without authentication, potentially leading to full system compromise.
5 more CVEs tied to this actor tracked in Mallory.
20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Listed as an associated threat actor in the detection annotation for exploitation of the public-facing PTC Windchill vulnerability CVE-2026-4681.
Listed as an associated threat actor for exploitation activity related to abuse of the Windows Cloud Files API / cldapi.dll detection.
Destructive Iranian-linked operator using wipers disguised as ransomware to cause punitive or coercive disruption, especially against Israeli targets.
Listed as a threat actor associated with exploitation and privilege-escalation detection coverage for Windows admin password changes by non-admin users.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.