{
	"id": "8eaf5fa7-5b4e-4a7d-a6fc-4d4728fdcda5",
	"created_at": "2026-04-06T00:10:52.039138Z",
	"updated_at": "2026-04-10T13:11:20.664047Z",
	"deleted_at": null,
	"sha1_hash": "390434dfaf40212d3bb4503e8ebc3e916ac522c4",
	"title": "New Version Of Apostle Ransomware Reemerges In Targeted Attack On Higher Education",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2605391,
	"plain_text": "New Version Of Apostle Ransomware Reemerges In Targeted Attack On Higher Education\r\nBy Amitai Ben Shushan Ehrlich\r\nPublished: 2021-09-30 · Archived: 2026-04-05 23:35:34 UTC\r\nSentinelLabs has been tracking the activity of Agrius, a suspected Iranian threat actor operating in the Middle East, throughout 2020 and 2021 following a set of destructive attacks starting December 2020. Since we last reported on this threat actor in May 2020, Agrius lowered its profile and was not observed conducting destructive activity. This changed recently as the threat actor likely initiated a ransomware attack on the Israeli university Bar-Ilan utilizing the group’s custom Apostle ransomware.\r\nAlthough the full technical details of the incident were not disclosed publicly, some information was released to the public, most notably the ransom demand text file dropped on victim machines. The .txt file matches that from a new version of Apostle compiled on August 15, 2021, the day of the attack.\r\nThe new version of Apostle is obfuscated, encrypted and compressed as a resource in a loader we call Jennlog, as it attempts to masquerade the payload in its resources as log files. Before executing the Apostle payload, Jennlog runs a set of tests, based on an embedded configuration, to verify that it is not being executed in an analysis environment.\r\nFollowing the analysis of the Jennlog loader, SentinelLabs retrieved an additional variant of Jennlog, used to load and run OrcusRAT.\r\nJennlog Analysis\r\nJennlog (5e5e526a69490399494dcd7195bb6c67) is a .NET loader that deobfuscates, decompresses and decrypts a .NET executable from a resource embedded within the file. 
The resources within the loader are made to look like log files, and they contain both the binary to run and a configuration for the malware’s execution.\r\nJennlog attempts to extract two different resources:\r\nhelloworld.pr.txt – stores the Apostle payload and the configuration.\r\nhelloworld.Certificate.txt – contains None. If configured to do so, the malware compares the MD5 value of the system information (used as a system fingerprint) to the contents of this resource.\r\nThe payload hidden in “helloworld.pr.txt” looks like a log file at first sight:\r\nhttps://www.sentinelone.com/labs/new-version-of-apostle-ransomware-reemerges-in-targeted-attack-on-higher-education/\r\nPage 1 of 7\n\nContents of “helloworld.pr.txt” resource embedded within Jennlog\r\nThe payload is extracted from the resource by searching for a separator word – “Jennifer”. Splitting the contents of the resource results in an array of three strings:\r\n1. Decoy string – Most likely there to make the log file look more authentic.\r\n2. Configuration string – Used to determine the configuration of the malware execution.\r\n3. Payload – An obfuscated, compressed and encrypted file.\r\nConfiguration\r\nThe configuration of Jennlog consists of 13 values, 12 of which are actually used in this version of the malware. In the variants we were able to retrieve, all of these flags are set to 0.\r\nJennlog configuration values\r\nOne of the most interesting flags found here is the certificate flag. If this flag is set, it will cause the malware to run only on a specific system. 
If this system does not match the configured MD5 fingerprint, the malware either stops operation or deletes itself utilizing the function ExecuteInstalledNodeAndDelete(), which creates and runs a BAT file as observed in other Agrius malware.\r\nJennlog ExecuteInstalledNodeAndDelete() function\r\nFollowing all the configuration-based checks, Jennlog continues to unpack the main binary from within the resource “helloworld.pr.txt” by performing the following string manipulations in the function EditString() on the obfuscated payload:\r\nReplace all “\\nLog” with “A”.\r\nReverse the string.\r\nRemove all whitespaces.\r\nThis manipulation results in a long base64-encoded deflated blob, which is inflated using the function stringCompressor.Unzip(). The inflated content highly resembles the contents of the original obfuscated payload, and it is deobfuscated again using the EditString() function.\r\nThe deobfuscation of the inflated content is carried out in a rather peculiar way: it runs inside a “catch” block after an attempt to convert a string containing a URL to an int, which always throws. The domain presented in the URL was never bought, and highly resembles other unpurchased Agrius malware domains, often used as “Super Relays”. Here, however, the domain is not actually contacted.\r\nExecution of EditString() function as a catch statement\r\nFollowing a second run of the EditString() function, Jennlog decodes the extracted content and decrypts it using an implementation of RC4 with a predefined key. 
The extracted content found in this sample is a new version of the Apostle ransomware, which is loaded into memory and run using the parameters given to Jennlog at execution.\r\nApostle Ransomware Analysis\r\nThe new variant of Apostle (cbdbda089f7c7840d4daed22c34969fd876315b6) embedded within the Jennlog loader was compiled on August 15, 2021, the day the attack on Bar-Ilan university was carried out. Its execution flow is highly similar to the variant described in previous reports, and it even checks for the same Mutex as the previous ransomware variant.\r\nThe message embedded within it, however, is quite different:\r\nOoops, Your files are encrypted!!! Don't worry,You can return all your files!\r\nIf you want to restore theme, Send $10000 worth of Monero to following address : \r\n43JuFUyzfcKQwTzCTHpQoA8uLGtbwFBLyeeXoYEEU5dZLhLT1cZJDk4cytjcgQT7kdjSerJqpEp2gUcH91bjLcoq2bqik3j\r\nThen follow this Telegram ID : hxxps://t[.]me/x4ran\r\nThis is the exact same message that was released to the media in the context of the Bar-Ilan ransomware incident, as reported on ynet:\r\nRansom demand text file as seen in Bar-Ilan university\r\nOther than the ransom demand note, the wallpaper picture used on affected machines was also changed, this time presenting an image of a clown:\r\nNew Apostle variant wallpaper image\r\nOrcusRAT Jennlog Loader\r\nAn additional variant of Jennlog (43b810f918e357669be42030a1feb727) was uploaded to VirusTotal on July 14, 2021 from Iran. This variant is highly similar to the one used to load Apostle, and contains a similar configuration scheme (all set to 0). 
It is used to load a variant of OrcusRAT, which is extracted from the file’s resources in a similar manner.\r\nThe OrcusRAT variant (add7b6b60e746c36a66f5ec233873372) extracted from within it was submitted to VT on June 20, 2021 using the same submitter ID from Iran. It seems to connect to an internal IP address – 192.168.178.114, indicating it might have been used for testing. It also contained the following PDB path:\r\nC:\\Users\\dou\\Desktop\\repo\\arcu-win\\src\\Orcus\\obj\\Debug\\Orcus.pdb\r\nConclusion\r\nAgrius has shown a willingness to strategically wipe systems and has continued to evolve its toolkit to enable ransomware operations. At this time, we don’t know if the actor is committed to financially-motivated operations, but we do know the original intent was sabotage. We expect the sort of subterfuge seen here to be deployed in future Agrius operations. SentinelLabs continues to track the development of this nascent threat actor.\r\nTechnical Indicators\r\nJennlog Loader (Apostle Loader)\r\nApostle – Bar-Ilan variant\r\nJennlog Loader (OrcusRAT Loader)\r\nOrcusRAT\r\nSource: 
https://www.sentinelone.com/labs/new-version-of-apostle-ransomware-reemerges-in-targeted-attack-on-higher-education/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.sentinelone.com/labs/new-version-of-apostle-ransomware-reemerges-in-targeted-attack-on-higher-education/"
	],
	"report_names": [
		"new-version-of-apostle-ransomware-reemerges-in-targeted-attack-on-higher-education"
	],
	"threat_actors": [
		{
			"id": "21e01940-3851-417f-9e90-1a4a2da07033",
			"created_at": "2022-10-25T16:07:23.299369Z",
			"updated_at": "2026-04-10T02:00:04.527895Z",
			"deleted_at": null,
			"main_name": "Agrius",
			"aliases": [
				"AMERICIUM",
				"Agonizing Serpens",
				"BlackShadow",
				"DEV-0227",
				"Pink Sandstorm",
				"SharpBoys",
				"Spectral Kitten"
			],
			"source_name": "ETDA:Agrius",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agrius",
				"BFG Agonizer",
				"BFG Agonizer Wiper",
				"DEADWOOD",
				"DETBOSIT",
				"Detbosit",
				"IPsec Helper",
				"Moneybird",
				"MultiLayer Wiper",
				"PW",
				"PartialWasher",
				"PartialWasher Wiper",
				"SQLShred",
				"Sqlextractor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d1dcfc37-1f9b-4acd-a023-25153f183c2e",
			"created_at": "2025-08-07T02:03:24.783147Z",
			"updated_at": "2026-04-10T02:00:03.664754Z",
			"deleted_at": null,
			"main_name": "COBALT SHADOW",
			"aliases": [
				"AMERICIUM ",
				"Agonizing Serpens ",
				"Agrius",
				"Agrius ",
				"BlackShadow",
				"DEV-0227 ",
				"Justice Blade ",
				"Malek Team",
				"Malek Team ",
				"MoneyBird ",
				"Pink Sandstorm ",
				"Sharp Boyz ",
				"Spectral Kitten "
			],
			"source_name": "Secureworks:COBALT SHADOW",
			"tools": [
				"Apostle",
				"DEADWOOD",
				"Fantasy wiper",
				"IPsec Helper",
				"MiniDump",
				"Moneybird ransomware",
				"Sandals",
				"SecretsDump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4023e661-f566-4b5b-a06f-9d370403f074",
			"created_at": "2024-02-02T02:00:04.064685Z",
			"updated_at": "2026-04-10T02:00:03.547155Z",
			"deleted_at": null,
			"main_name": "Pink Sandstorm",
			"aliases": [
				"AMERICIUM",
				"BlackShadow",
				"DEV-0022",
				"Agrius",
				"Agonizing Serpens",
				"UNC2428",
				"Black Shadow",
				"SPECTRAL KITTEN"
			],
			"source_name": "MISPGALAXY:Pink Sandstorm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7d982d5b-3428-483c-8804-c3ab774f1861",
			"created_at": "2024-11-01T02:00:52.70975Z",
			"updated_at": "2026-04-10T02:00:05.357255Z",
			"deleted_at": null,
			"main_name": "Agrius",
			"aliases": [
				"Agrius",
				"Pink Sandstorm",
				"AMERICIUM",
				"Agonizing Serpens",
				"BlackShadow"
			],
			"source_name": "MITRE:Agrius",
			"tools": [
				"NBTscan",
				"Mimikatz",
				"IPsec Helper",
				"Moneybird",
				"MultiLayer Wiper",
				"DEADWOOD",
				"BFG Agonizer",
				"ASPXSpy"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434252,
	"ts_updated_at": 1775826680,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/390434dfaf40212d3bb4503e8ebc3e916ac522c4.pdf",
		"text": "https://archive.orkl.eu/390434dfaf40212d3bb4503e8ebc3e916ac522c4.txt",
		"img": "https://archive.orkl.eu/390434dfaf40212d3bb4503e8ebc3e916ac522c4.jpg"
	}
}