Agrius
Essential information
- Confidence: 100/100
- Published: 16/12/2025 19:39
- Modified: 27/03/2026 01:14
- Updated at: 27/03/2026 01:14
- Revoked: No
- Author / Source: The MITRE Corporation
- Resource level: —
- Primary motivation: —
- Related entities: 50 attack patterns (MITRE), 11 malware, 4 sectors, 4 countries, 22 indicators, 2 tools
Aliases
- Pink Sandstorm
- AMERICIUM
- BlackShadow
- Agonizing Serpens
Description
Marking (TLP): TLP:CLEAR
Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.
Attack patterns (MITRE) (50)
Malware (11)
- Impacket (relationship: uses · source: AlienVault · confidence 100)
- Fantasy wiper (relationship: uses · source: AlienVault · confidence 100)
- Wiper (relationship: uses · family · source: The MITRE Corporation · confidence 100)
  [Wiper](https://attack.mitre.org/software/S0041) is a family of destructive malware used in March 2013 during breaches of South Korean banks and media companies. (Citation: Dell Wiper)
- Moneybird (relationship: uses · family · source: The MITRE Corporation · confidence 100)
  [Moneybird](https://attack.mitre.org/software/S1137) is a ransomware variant written in C++ associated with [Agrius](https://attack.mitre.org/groups/G1030) operations. The name "Moneybird" is contained in the malware's ransom note and as strings in the executable. (Citation:…
- ASPXSpy (relationship: uses · family · source: The MITRE Corporation · confidence 100)
  [ASPXSpy](https://attack.mitre.org/software/S0073) is a Web shell. It has been modified by [Threat Group-3390](https://attack.mitre.org/groups/G0027) actors to create the ASPXTool version. (Citation: Dell TG-3390)
- DEADWOOD (relationship: uses · family · source: The MITRE Corporation · confidence 100)
  [DEADWOOD](https://attack.mitre.org/software/S1134) is wiper malware written in C++ using Boost libraries. [DEADWOOD](https://attack.mitre.org/software/S1134) was first observed in an unattributed wiping event in Saudi Arabia in 2019, and has since been…
- IPsec Helper (relationship: uses · family · source: The MITRE Corporation · confidence 100)
  [IPsec Helper](https://attack.mitre.org/software/S1132) is a post-exploitation remote access tool linked to [Agrius](https://attack.mitre.org/groups/G1030) operations. This malware shares significant programming and functional overlaps with [Apostle](https://attack.mitre.org/software/S1133) ransomware, also linked to [Agrius](https://attack.mitre.org/groups/G1030). [IPsec…
- BFG Agonizer (relationship: uses · family · source: The MITRE Corporation · confidence 100)
  [BFG Agonizer](https://attack.mitre.org/software/S1136) is a wiper related to the open-source project CRYLINE-v.5.0. The malware is associated with wiping operations conducted by the [Agrius](https://attack.mitre.org/groups/G1030) threat actor. (Citation: Unit42 Agrius 2023)
- MultiLayer Wiper (relationship: uses · family · source: The MITRE Corporation · confidence 100)
  [MultiLayer Wiper](https://attack.mitre.org/software/S1135) is wiper malware written in .NET associated with [Agrius](https://attack.mitre.org/groups/G1030) operations. Observed samples of [MultiLayer Wiper](https://attack.mitre.org/software/S1135) have an anomalous, future compilation date suggesting possible metadata manipulation. (Citation: Unit42…
- Apostle (relationship: uses · family · source: The MITRE Corporation · confidence 100)
  [Apostle](https://attack.mitre.org/software/S1133) is malware that has functioned as both a wiper and, in more recent versions, as ransomware. [Apostle](https://attack.mitre.org/software/S1133) is written in .NET and shares various programming and functional…
- Sandals (relationship: uses · source: AlienVault · confidence 100)
Sectors (4)
- Education (relationship: targets)
- Universities (relationship: targets)
- Technology (relationship: targets)
- Consulting (relationship: targets)
Countries (4)
- Hong Kong (relationship: targets)
- United Arab Emirates (relationship: targets)
- Israel (relationship: targets)
- South Africa (relationship: targets)
Indicators (22)
- mpress_2_xx_x64 (type: stix · score 100/100 · revoked · valid until 08/02/2025 · source: AlienVault)
- research_pe_signed_outside_timestamp (type: stix · score 100/100 · revoked · valid until 08/02/2025 · source: AlienVault)
- TEL:Hacktool:Win32/Kingron.A (type: stix · score 100/100 · revoked · valid until 08/02/2025 · source: AlienVault)
- 7 further indicators (type: stix · score 100/100 · revoked · valid until 08/02/2025 · source: AlienVault) whose values are not shown on this page
Tool (2)
- Mimikatz (relationship: uses · source: The MITRE Corporation · confidence 100)
  [Mimikatz](https://attack.mitre.org/software/S0002) is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of…
- NBTscan (relationship: uses · source: The MITRE Corporation · confidence 100)
  [NBTscan](https://attack.mitre.org/software/S0590) is an open source tool that has been used by state groups to conduct internal reconnaissance within a compromised network. (Citation: Debian nbtscan Nov 2019)(Citation: SecTools nbtscan June…