ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency
Home > List all groups > Agrius

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: Agrius

NamesAgrius (SentinelLabs)
DEV-0227 (Microsoft)
BlackShadow (Kaspersky)
SharpBoys (?)
AMERICIUM (Microsoft)
Pink Sandstorm (Microsoft)
Agonizing Serpens (Palo Alto)
CountryIran Iran
MotivationInformation theft and espionage, Sabotage and destruction
First seen2020
Description(SentinelLabs) A new threat actor SentinelLabs track as Agrius was observed operating in Israel beginning in 2020. An analysis of what at first sight appeared to be a ransomware attack revealed new variants of wipers that were deployed in a set of destructive attacks against Israeli targets. The operators behind the attacks intentionally masked their activity as ransomware attacks.
ObservedCountries: Hong Kong, Israel, South Africa.
Tools usedApostle, ASPXSpy, BFG Agonizer Wiper, DEADWOOD, Fantasy, IPsec Helper, Moneybird, MultiLayer Wiper, PartialWasher Wiper, Sqlextractor.
Operations performedFeb 2022Fantasy – a new Agrius wiper deployed through a supply‑chain attack
May 2023Agrius Deploys Moneybird in Targeted Attacks Against Israeli Organizations

Last change to this card: 29 November 2023

Download this actor card in PDF or JSON format

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1227
E-mail [email protected]