{
	"id": "aacb4f55-101b-4f21-8371-85c23034af98",
	"created_at": "2026-04-06T00:10:50.568993Z",
	"updated_at": "2026-04-10T03:34:22.635487Z",
	"deleted_at": null,
	"sha1_hash": "30cbe119e0b42242bc9403e6f76566c6af76a26f",
	"title": "Iran-linked hackers attack Israeli education and tech organizations",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 78271,
	"plain_text": "Iran-linked hackers attack Israeli education and tech organizations\r\nBy Daryna Antoniuk\r\nPublished: 2023-11-06 · Archived: 2026-04-05 16:26:42 UTC\r\nHackers suspected of being tied to Iran’s government have been deploying new destructive malware against Israeli organizations, according to recent research.\r\nThe attacks, attributed to an Iranian state-backed hacker group known as Agonizing Serpens, are part of a broader offensive campaign targeting Israel during its war with the Palestinian militant group Hamas, according to U.S. cybersecurity firm Palo Alto Networks.\r\nThe company said on Monday it had blocked a series of destructive cyberattacks on Israel that began in January and continued at least until October of this year, with the hackers primarily targeting educational and technology organizations.\r\nThe group was going after sensitive data, such as personally identifiable information and intellectual property. The attackers shared stolen information, including passport scans, emails, and victims’ full addresses, on social media and Telegram channels, likely to sow fear or inflict reputational damage, according to the research.\r\nTo cover their tracks and cause even more disruption, the hackers deployed wipers — a type of malware designed to delete or wipe out data.\r\nResearchers have discovered three previously unknown wipers used in the latest attacks, including MultiLayer Wiper, PartialWasher, and BFG Agonizer Wiper, as well as a custom tool to extract information from database servers known as Sqlextractor.\r\nSome of these tools have code similarities with other wipers previously used by Agonizing Serpens, while others were brand new. The overlaps between the tools may indicate that they share a codebase or were written by the same team of developers, according to the report.\r\nTo gain initial access to the victim's environment, the group exploited vulnerable internet-facing web servers. To obtain credentials of users with administrative privileges, the attackers tried multiple methods. For example, they used Mimikatz, a tool for Microsoft Windows that extracts passwords stored in memory.\r\nResearchers said that Agonizing Serpens “is investing significant efforts and resources” trying to bypass security measures. This includes their practice of rotating between various known tools as well as custom-made tools.\r\nIranian hackers\r\nAgonizing Serpens, also known as Agrius and BlackShadow, has been active since 2020. The group is known for its destructive wiper and fake ransomware attacks. Earlier in May, the hackers used a new ransomware strain called Moneybird in their attacks against Israeli organizations.\r\nIn the most recent attacks, the attackers did not demand a ransom; instead, the potential outcome of the attacks was significant data loss and disruptions to business continuity, researchers said.\r\nIsrael has been an attractive target for Iranian hackers recently. In late October, researchers detected a cyberattack on at least two Israeli entities by a long-running group connected to the Iranian government called MuddyWater.\r\nIsrael’s cyber defense chief told CNN that he’s “very concerned” that Iran could escalate its cyberattacks on the country’s infrastructure amid the Israeli-Palestinian war.\r\nIran, whose support for Hamas is driven by shared anti-Israel and anti-Western sentiments, can use cyberattacks to project power, as it can act more freely in cyberspace than in physical space, according to Gaby Portnoy, the head of the Israel National Cyber Directorate.\r\nSo far, suspected Iranian cyberattacks appear to have had minimal impact on their publicly claimed targets in Israel, according to Portnoy.\r\nPortnoy said they want to keep cyberspace from becoming “another front” in the war with Hamas.\r\nDaryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.\r\nSource: https://therecord.media/iran-linked-hackers-target-israel-education-tech-sectors",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://therecord.media/iran-linked-hackers-target-israel-education-tech-sectors"
	],
	"report_names": [
		"iran-linked-hackers-target-israel-education-tech-sectors"
	],
	"threat_actors": [
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "21e01940-3851-417f-9e90-1a4a2da07033",
			"created_at": "2022-10-25T16:07:23.299369Z",
			"updated_at": "2026-04-10T02:00:04.527895Z",
			"deleted_at": null,
			"main_name": "Agrius",
			"aliases": [
				"AMERICIUM",
				"Agonizing Serpens",
				"BlackShadow",
				"DEV-0227",
				"Pink Sandstorm",
				"SharpBoys",
				"Spectral Kitten"
			],
			"source_name": "ETDA:Agrius",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agrius",
				"BFG Agonizer",
				"BFG Agonizer Wiper",
				"DEADWOOD",
				"DETBOSIT",
				"Detbosit",
				"IPsec Helper",
				"Moneybird",
				"MultiLayer Wiper",
				"PW",
				"PartialWasher",
				"PartialWasher Wiper",
				"SQLShred",
				"Sqlextractor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d1dcfc37-1f9b-4acd-a023-25153f183c2e",
			"created_at": "2025-08-07T02:03:24.783147Z",
			"updated_at": "2026-04-10T02:00:03.664754Z",
			"deleted_at": null,
			"main_name": "COBALT SHADOW",
			"aliases": [
				"AMERICIUM ",
				"Agonizing Serpens ",
				"Agrius",
				"Agrius ",
				"BlackShadow",
				"DEV-0227 ",
				"Justice Blade ",
				"Malek Team",
				"Malek Team ",
				"MoneyBird ",
				"Pink Sandstorm ",
				"Sharp Boyz ",
				"Spectral Kitten "
			],
			"source_name": "Secureworks:COBALT SHADOW",
			"tools": [
				"Apostle",
				"DEADWOOD",
				"Fantasy wiper",
				"IPsec Helper",
				"MiniDump",
				"Moneybird ransomware",
				"Sandals",
				"SecretsDump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4023e661-f566-4b5b-a06f-9d370403f074",
			"created_at": "2024-02-02T02:00:04.064685Z",
			"updated_at": "2026-04-10T02:00:03.547155Z",
			"deleted_at": null,
			"main_name": "Pink Sandstorm",
			"aliases": [
				"AMERICIUM",
				"BlackShadow",
				"DEV-0022",
				"Agrius",
				"Agonizing Serpens",
				"UNC2428",
				"Black Shadow",
				"SPECTRAL KITTEN"
			],
			"source_name": "MISPGALAXY:Pink Sandstorm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7d982d5b-3428-483c-8804-c3ab774f1861",
			"created_at": "2024-11-01T02:00:52.70975Z",
			"updated_at": "2026-04-10T02:00:05.357255Z",
			"deleted_at": null,
			"main_name": "Agrius",
			"aliases": [
				"Agrius",
				"Pink Sandstorm",
				"AMERICIUM",
				"Agonizing Serpens",
				"BlackShadow"
			],
			"source_name": "MITRE:Agrius",
			"tools": [
				"NBTscan",
				"Mimikatz",
				"IPsec Helper",
				"Moneybird",
				"MultiLayer Wiper",
				"DEADWOOD",
				"BFG Agonizer",
				"ASPXSpy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434250,
	"ts_updated_at": 1775792062,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/30cbe119e0b42242bc9403e6f76566c6af76a26f.pdf",
		"text": "https://archive.orkl.eu/30cbe119e0b42242bc9403e6f76566c6af76a26f.txt",
		"img": "https://archive.orkl.eu/30cbe119e0b42242bc9403e6f76566c6af76a26f.jpg"
	}
}