Home/ Threat Actors/ Agrius

🌐Agrius

🌐 Agrius is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: State. We map 14 detection use cases to this actor across 22 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

View full actor card → All threat actors MITRE ATT&CK group spec (G1030) ↗

14Use cases

0Articles

22Techniques

0IOCs

About this actor (MITRE)

[Agrius](https://attack.mitre.org/groups/G1030) is an Iranian threat actor active since 2020 notable for a series of ransomware and wiper operations in the Middle East, with an emphasis on Israeli targets.(Citation: SentinelOne Agrius 2021)(Citation: CheckPoint Agrius 2023) Public reporting has linked [Agrius](https://attack.mitre.org/groups/G1030) to Iran's Ministry of Intelligence and Security (MOIS).(Citation: Microsoft Iran Cyber 2023)

Known aliases

AgriusPink SandstormAMERICIUMAgonizing SerpensBlackShadow

Top techniques

T1003.001 · LSASS Memory T1003.002 · Security Account Manager T1005 · Data from Local System

All other tracked techniques

T1018 · Remote System Discovery T1021.001 · Remote Desktop Protocol T1036 · Masquerading T1041 · Exfiltration Over C2 Channel T1046 · Network Service Discovery T1059.003 · Windows Command Shell T1074.001 · Local Data Staging T1078.002 · Domain Accounts T1110 · Brute Force T1110.003 · Password Spraying T1119 · Automated Collection T1140 · Deobfuscate/Decode Files or Information T1190 · Exploit Public-Facing Application T1505.003 · Web Shell T1543.003 · Windows Service T1560.001 · Archive via Utility T1570 · Lateral Tool Transfer T1583 · Acquire Infrastructure T1685 · Disable or Modify Tools

Detection use cases (14)

Agrius (Pink Sandstorm / Agonizing Serpens) ASPXSpy web shell — IIS w3wp.exe spawning recon shells after public-app exploit AI · profile S Agrius wiper service install — sc.exe creating service with binPath in ProgramData/Temp/Public (Apostle, DEADWOOD, MultiLayer, Moneybird, Bi AI · profile SΣ 1Password failed sign-in burst MITRE match Cross-category credential-store enumeration with rapid egress to anonymizing tunnel/CDN MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint MITRE match Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) MITRE match Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution MITRE match Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes MITRE match Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access MITRE match Package-manager child process credential fan-out with public egress (Mini Shai-Hulud / TeamPCP worm chain) MITRE match Package-manager install hook spawns interpreter that beacons to non-registry host within 120s MITRE match Post-Auth Privilege Boundary Crossing on Edge/Management Appliances (low-priv -> admin within 10m) MITRE match Self-hosted application service spawns shell or SSH within seconds of inbound unauthenticated API write MITRE match