>samit_hota
Back to adversary profiles
G1030HighActive

Agrius (G1030): Iran's Destructive Cyber Arm Targeting Israel

Samit Hota·
Suspected Origin
Iran
Motivation
Sabotage, Destruction, Information Theft, Espionage, Reputational Damage, Political
Aliases
Pink Sandstorm, AMERICIUM, Agonizing Serpens, BlackShadow
Target Sectors
Government, Technology, Higher Education, Insurance, Transportation, IT Services, Critical Infrastructure, Defense, Energy, Diamond Industry
Associated Malware
Apostle, DEADWOOD, BFG Agonizer, MultiLayer, PartialWasher, Fantasy, Moneybird, IPsec Helper, ASPXSpy, Sqlextractor
#threat-actor#g1030

Overview

Agrius (G1030), also known by aliases such as Pink Sandstorm, AMERICIUM, Agonizing Serpens, and BlackShadow, is a highly aggressive Iranian threat actor that has been active since at least 2020. Public reporting consistently links Agrius to Iran’s Ministry of Intelligence and Security (MOIS), operating as a state-sponsored or state-affiliated entity within Iran’s diverse cyber ecosystem.

This group is primarily motivated by sabotage and destruction, often disguised under the pretense of financially motivated ransomware operations. Their typical modus operandi involves a two-pronged approach: initially exfiltrating sensitive information, including personally identifiable information (PII) and intellectual property, and subsequently deploying destructive wiper malware to cover their tracks and inflict widespread data loss and operational disruption. The intent behind publishing stolen data on social media platforms is to sow fear and damage the reputation of their targets. Agrius’s activities are deeply intertwined with the broader geopolitical conflict in the Middle East, often perceived as a component of the clandestine cyber warfare between Iran and Israel. While their primary focus remains Israeli organizations, their operations have occasionally been observed with broader regional and, in some cases, global reach.

Tactics & Techniques

Agrius employs a range of sophisticated tactics, techniques, and procedures (TTPs), often beginning with initial access through the exploitation of publicly accessible vulnerabilities in internet-facing web applications. Common initial access vectors include exploiting vulnerabilities in devices like FortiOS (e.g., CVE-2018-13379) and leveraging SQL injection flaws. They utilize VPN services, notably ProtonVPN, for anonymization during their operations.

Once initial access is established, Agrius deploys web shells, frequently variations of ASPXSpy, to maintain persistent access and enable follow-on command execution. For further persistence, they have been observed deploying custom malware like IPsec Helper and registering it as a service.

Credential access is a critical phase for Agrius, often involving tools such as Mimikatz to dump credentials from LSASS memory or dumping the Security Account Manager (SAM) file. They also engage in password spraying tactics via SMB to gain access to victim accounts. For network discovery, Agrius utilizes tools like NBTscan and WinEggDrop to map out victim networks and identify accessible hosts.

Lateral movement is achieved by tunneling RDP traffic through deployed web shells and leveraging compromised accounts. The Plink tool has also been used for tunneling RDP connections, sometimes renamed systems.exe to blend in.

For data exfiltration, Agrius typically stages data, often in C:\windows\temp\s\, and then uses archiving tools like 7zip before exfiltrating it with utilities such as Putty and WinSCP. They have a custom tool, Sqlextractor (binary sql.net4.exe), specifically designed to query SQL databases and extract sensitive PII.

Defense evasion is a significant focus for Agrius, with observed attempts to disable security tools and deploy base64-encoded web shells to bypass detection. In more recent campaigns, they have shown increased efforts to bypass Endpoint Detection and Response (EDR) solutions, including manipulating service auto-start functionalities and employing “bring your own vulnerable driver” (BYOVD) techniques. They also employ anti-forensic techniques like timestomping, modifying file timestamps to dates such as January 1, 1601, or January 1, 1980, to impede forensic analysis. Agrius also leverages legitimate file-sharing services (e.g., ufile.io, easyupload.io) for payload delivery, further complicating detection.

Notable Campaigns

Agrius first emerged in 2020, focusing on destructive operations against Israeli targets. One of their earliest high-profile campaigns, often attributed to their alias BlackShadow, began in December 2020. This involved extortion attacks against Israeli organizations, including the Shirbit insurance company. These incidents often started as hack-and-leak operations rather than traditional ransomware, with the group contacting journalists and media outlets to publicize stolen data and exert pressure, indicating a political motivation beyond financial gain.

In November 2021, the BlackShadow alias was responsible for a significant attack on the Israeli web hosting provider Cyberserve. This operation resulted in the theft of customer databases and disruption of services, with the group demanding a $1 million cryptocurrency ransom. Data from organizations like Kavim (public transportation), Pegasus (tour booking), and the Israeli Children’s Museum were subsequently leaked.

February 2022 saw Agrius deploy a new data wiper, Fantasy, via a supply-chain attack that compromised an Israeli software vendor. This campaign affected an HR and IT consulting firm, a diamond wholesaler, and jewelry vendors across Israel, South Africa, and Hong Kong.

In May 2023, Agrius deployed the Moneybird ransomware strain in targeted attacks against Israeli organizations. This period also encompassed a series of destructive cyberattacks from January to October 2023, specifically targeting Israeli higher education and technology sectors. During these campaigns, Agrius engaged in stealing sensitive data like PII and intellectual property, followed by the deployment of newly identified wipers such as MultiLayer, PartialWasher, and BFG Agonizer, alongside their custom Sqlextractor tool. These attacks notably emphasized data destruction and disruption over ransom payment, further solidifying their primary motivation for sabotage.

Associated Malware & Tools

Agrius has developed and continuously refined a distinctive set of custom malware and routinely integrates publicly available offensive security tools. Key malware and custom tools include:

  • Wipers: Agrius is notorious for its destructive wipers, which are frequently disguised as ransomware. These include Apostle, a custom .NET wiper that evolved to incorporate ransomware functionalities; DEADWOOD (also known as Detbosit), another wiper with suspected Iranian links; BFG Agonizer Wiper, MultiLayer Wiper, and PartialWasher Wiper, all of which are designed for extensive data destruction and system incapacitation; and Fantasy, a newer data wiper deployed through supply-chain attacks.
  • Ransomware: While often a smokescreen for wiping, Agrius has used actual ransomware strains, most notably Moneybird, in attacks against Israeli entities.
  • Web Shells: The group heavily relies on variants of ASPXSpy web shells for persistent access and remote command execution post-exploitation.
  • Backdoors/RATs: IPsec Helper is a custom .NET backdoor exclusive to Agrius, which they register as a service for persistence and use for data exfiltration or deploying additional malware.
  • Data Exfiltration/Extraction Tools: Sqlextractor (binary sql.net4.exe) is a custom tool specifically designed to query SQL databases and extract sensitive PII.
  • Commodity/Open-Source Tools: Agrius incorporates common offensive tools such as Mimikatz for credential harvesting, Plink (often renamed systems.exe) for RDP tunneling, NBTscan and WinEggDrop for network reconnaissance, 7zip for data archiving, and Putty and WinSCP for data exfiltration. They have also demonstrated the use of AI, specifically ChatGPT, to refine their database destruction scripts.

Current Status

Agrius remains an active and evolving threat actor. Public reporting from May 2026 continues to associate infrastructure and tactics with the Black Shadow alias of Agrius, targeting organizations in the U.S., Israel, Saudi Arabia, and Turkey with destructive and data exfiltration operations. This indicates their ongoing operational tempo and a potential expansion of their target regions beyond their historical emphasis on Israel.

Notably, as of November 2023, security researchers observed that the Agrius group was actively upgrading its capabilities, investing significant resources into bypassing EDR and other security measures. This includes rotating between known proof-of-concept (PoC) and pentesting tools, as well as developing new custom tools. The continued mention of Agrius in recent threat intelligence reports, with the latest update on their threat group card as of June 28, 2025, underscores their persistent activity and ongoing monitoring by the cybersecurity community. The group’s consistent deployment of destructive malware, coupled with their adaptive tactics, confirms that Agrius continues to pose a high threat, particularly to their primary targets in Israel and the wider Middle East.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call