Threat Group Cards: A Threat Actor Encyclopedia

APT group: Agrius

Names	Agrius (SentinelLabs) DEV-0227 (Microsoft) BlackShadow (Kaspersky)
Country	Iran
Motivation	Information theft and espionage, Sabotage and destruction
First seen	2020
Description	(SentinelLabs) A new threat actor SentinelLabs track as Agrius was observed operating in Israel beginning in 2020. An analysis of what at first sight appeared to be a ransomware attack revealed new variants of wipers that were deployed in a set of destructive attacks against Israeli targets. The operators behind the attacks intentionally masked their activity as ransomware attacks.
Observed	Countries: Hong Kong, Israel, South Africa.
Tools used	Apostle, ASPXSpy, DEADWOOD, Fantasy, IPsec Helper.
Operations performed	Feb 2022	Fantasy – a new Agrius wiper deployed through a supply‑chain attack <https://www.welivesecurity.com/2022/12/07/fantasy-new-agrius-wiper-supply-chain-attack/>
Information	<https://assets.sentinelone.com/sentinellabs/evol-agrius>

Last change to this card: 01 January 2023

Download this actor card in PDF or JSON format

Previous: Aggah
Next: Allanite