Agrius
Aliases: Pink Sandstorm, AMERICIUM, Agonizing Serpens, BlackShadow
Agrius is an Iranian threat actor, active since 2020, notable for a series of ransomware and wiper operations in the Middle East, with an emphasis on Israeli targets. Public reporting has linked Agrius to Iran's Ministry of Intelligence and Security (MOIS).
ATT&CK techniques
T1018 Remote System Discovery
T1046 Network Service Discovery
T1078.002 Domain Accounts
T1562.001 Disable or Modify Tools
T1140 Deobfuscate/Decode Files or Information
T1505.003 Web Shell
T1005 Data from Local System
T1583 Acquire Infrastructure
T1074.001 Local Data Staging
T1110.003 Password Spraying
T1119 Automated Collection
T1003.002 Security Account Manager
T1560.001 Archive via Utility
T1036 Masquerading
T1003.001 LSASS Memory
T1021.001 Remote Desktop Protocol
T1190 Exploit Public-Facing Application
T1110 Brute Force
T1059.003 Windows Command Shell
T1543.003 Windows Service
T1041 Exfiltration Over C2 Channel
T1570 Lateral Tool Transfer
Correlated CTI and IR reports
Agrius G1030 (MITRE ATT&CK · direct source mapping)
Actor Deep Research Prompts (Israel Threat Actors CTI · explicit report mention)
Cyber Threat Intelligence Dossier: Iranian and Hamas-Aligned Operations Targeting Israeli and Allied Ecosystems (2023-2026) (Israel Threat Actors CTI · explicit report mention)
Defensive CTI Research on Threats to Israeli Government and Public-Sector Environments (Israel Threat Actors CTI · explicit report mention)
Defensive Cyber Threat Intelligence Report: Israeli Critical Infrastructure and Geopolitical Escalation (2024-2026) (Israel Threat Actors CTI · explicit report mention)
Israel Government Threat Actors CTI: Evidentiary Foundation Intake (Israel Threat Actors CTI · explicit report mention)
Release Notes (Israel Threat Actors CTI · explicit report mention)
Iran Hezbollah behind Ziv Hospital cyber attack (Israel Hayom · downloaded report actor context)
Iranian Cyber Threats Target U.S. Critical Infrastructure (Anvilogic · downloaded report actor context)
Pre-positioned Access Cyber Threat Iran Conflict (Centripetal AI · downloaded report actor context)
Agonizing Serpens Targets Israeli Higher Education and Tech Sectors (Unit 42 · actor context)
From Wiper to Ransomware: The Evolution of Agrius (SentinelLabs · actor context)