{
	"id": "2088bd87-eea6-4f93-b1ad-4859d4c45d3a",
	"created_at": "2026-04-06T00:15:28.559807Z",
	"updated_at": "2026-04-10T03:30:36.238847Z",
	"deleted_at": null,
	"sha1_hash": "40098b9573c4c7ee36352bf50267455134b30cdc",
	"title": "Fantasy – a new Agrius wiper deployed through a supply-chain attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4150234,
	"plain_text": "Fantasy – a new Agrius wiper deployed through a supply-chain attack\r\nBy Adam Burgher\r\nArchived: 2026-04-05 14:09:43 UTC\r\nESET researchers discovered a new wiper and its execution tool, both attributed to the Agrius APT group, while analyzing a\r\nsupply-chain attack abusing an Israeli software developer. The group is known for its destructive operations.\r\nIn February 2022, Agrius began targeting Israeli HR and IT consulting firms, and users of an Israeli software suite used in\r\nthe diamond industry. We believe that Agrius operators conducted a supply-chain attack abusing the Israeli software\r\ndeveloper to deploy their new wiper, Fantasy, and a new lateral movement and Fantasy execution tool, Sandals.\r\nThe Fantasy wiper is built on the foundations of the previously reported Apostle wiper but does not attempt to masquerade\r\nas ransomware, as Apostle originally did. Instead, it goes right to work wiping data. Victims were observed in South Africa –\r\nwhere reconnaissance began several weeks before Fantasy was deployed – Israel, and Hong Kong.\r\nKey points of this blogpost:\r\nAgrius conducted a supply-chain attack abusing an Israeli software suite used in the diamond industry.\r\nThe group then deployed a new wiper we named Fantasy. Most of its code base comes from Apostle, Agrius’s\r\nprevious wiper.\r\nAlong with Fantasy, Agrius also deployed a new lateral movement and Fantasy execution tool that we have named\r\nSandals.\r\nVictims include Israeli HR firms, IT consulting companies, and a diamond wholesaler; a South African organization\r\nworking in the diamond industry; and a jeweler in Hong Kong.\r\nGroup overview\r\nAgrius is a newer Iran-aligned group targeting victims in Israel and the United Arab Emirates since 2020. The group initially\r\ndeployed a wiper, Apostle, disguised as ransomware, but later modified Apostle into fully fledged ransomware. 
Agrius\r\nexploits known vulnerabilities in internet-facing applications to install webshells, then conducts internal reconnaissance\r\nbefore moving laterally and then deploying its malicious payloads.\r\nCampaign overview\r\nOn February 20th, 2022 at an organization in the diamond industry in South Africa, Agrius deployed credential harvesting\r\ntools, probably in preparation for this campaign. Then, on March 12th, 2022, Agrius launched the wiping attack by\r\ndeploying Fantasy and Sandals, first to the victim in South Africa and then to victims in Israel and lastly to a victim in Hong\r\nKong.\r\nVictims in Israel include an IT support services company, a diamond wholesaler, and an HR consulting firm. South African\r\nvictims are from a single organization in the diamond industry, with the Hong Kong victim being a jeweler.\r\nhttps://www.welivesecurity.com/2022/12/07/fantasy-new-agrius-wiper-supply-chain-attack/\r\nPage 1 of 12\n\nFigure 1. Victim timeline and locations\r\nThe campaign lasted less than three hours and within that timeframe ESET customers were already protected with detections\r\nidentifying Fantasy as a wiper, and blocking its execution. We observed the software developer pushing out clean updates\r\nwithin a matter of hours of the attack. 
We reached out to the software developer to notify them about a potential\r\ncompromise, but our enquiries went unanswered.\r\nPreparing for departure\r\nThe first tools deployed by Agrius operators to victim systems, through means unknown, were:\r\nMiniDump, “a C# implementation of mimikatz/pypykatz minidump functionality to get credentials from LSASS\r\ndumps”\r\nSecretsDump, a Python script that “performs various techniques to dump hashes from [a] remote machine without\r\nexecuting any agent there”\r\nHost2IP, a custom C#/.NET tool that resolves a hostname to an IP address.\r\nUsernames, passwords, and hostnames collected by these tools are required for Sandals to successfully spread and execute\r\nthe Fantasy wiper. Agrius operators deployed MiniDump and SecretsDump to this campaign’s first victim on February 20th,\r\n2022, but waited until March 12th, 2022 to deploy Host2IP, Fantasy, and Sandals (consecutively).\r\nSandals: Igniting the Fantasy (wiper)\r\nSandals is a 32-bit Windows executable written in C#/.NET. We chose the name because Sandals is an anagram of some of\r\nthe command line arguments it accepts. It is used to connect to systems in the same network via SMB, to write a batch file to\r\ndisk that executes the Fantasy wiper, and then run that batch file via PsExec with this command line string:\r\nPsExec.exe /accepteula -d -u \"\u003cusername\u003e\" -p \"\u003cpassword\u003e\" -s \"C:\\\u003cpath\u003e\\\u003cGUID\u003e.bat\"\r\nThe PsExec options have the following meanings:\r\n-d – Don't wait for process to terminate (non-interactive).\r\n/accepteula – Suppress display of the license dialog.\r\n-s – Run the remote process in the SYSTEM account.\r\nSandals does not write the Fantasy wiper to remote systems. We believe that the Fantasy wiper is deployed via a supply-chain attack using the software developer’s software update mechanism. 
This assessment is based on several factors:\r\nall victims were customers of the affected software developer;\r\nthe Fantasy wiper was named in a similar fashion to legitimate versions of the software;\r\nall victims executed the Fantasy wiper within a 2.5-hour timeframe, where victims in South Africa were targeted first,\r\nthen victims in Israel, and finally victims in Hong Kong (we attribute the delay in targeting to time zone differences\r\nand a hardcoded check-in time within the legitimate software); and,\r\nlastly, the Fantasy wiper was written to, and executed from, %SYSTEM%\\Windows\\Temp, the default temp\r\ndirectory for Windows systems.\r\nAdditionally, we believe the victims were already using PsExec, and Agrius operators chose to use PsExec to blend into\r\ntypical administrative activity on the victims’ machines, and for ease of batch file execution. Table 1 lists the command line\r\narguments accepted by Sandals.\r\nTable 1. Sandals arguments and their descriptions\r\nArgument Description Required\r\n-f \u003cfilepath\u003e\r\nA path and filename to a file that contains a list of hostnames that should be\r\ntargeted.\r\nYes\r\n-u \u003cusername\u003e The username that will be used to log into the remote hostname(s) in argument -f. Yes\r\n-p \u003cpassword\u003e The password that will be used to log into the remote hostname(s) in argument -f. Yes\r\n-l \u003cfilepath\u003e\r\nThe path and filename of the Fantasy wiper on the remote system that will be\r\nexecuted by the batch file created by Sandals.\r\nYes\r\n-d \u003cpath\u003e\r\nThe location to which Sandals will write the batch file on the remote system.\r\nDefault location is %WINDOWS%\\Temp.\r\nNo\r\n-s \u003cinteger\u003e\r\nThe amount of time, in seconds, that Sandals will sleep between writing the batch\r\nfile to disk and executing. 
The default is two seconds.\r\nNo\r\n-a file \u003cfilepath\u003e\r\nor\r\n-a random or\r\n-a rsa\r\nIf -a is followed by the word file and a path and filename, Sandals uses the\r\nencryption key in the supplied file. If -a is followed by rsa or random, Sandals uses\r\nthe RSACryptoServiceProvider class to generate a public-private key pair with a\r\nkey size of 2,048.\r\nNo\r\n-dn \u003cdevicename\u003e Specifies which drive to connect with on a remote system over SMB. Default is C:. No\r\n-ps \u003cfilepath\u003e Location of PsExec on disk. Default is psexec.exe in the current working directory. No\r\n-ra\r\nIf -ra is supplied at runtime, it sets the variable flag to True (initially set to False). If\r\nflag=True, Sandals deletes all files written to disk in the current working directory.\r\nIf flag=False, Sandals skips the file cleanup step.\r\nNo\r\nThe batch file written to disk by Sandals is named \u003cGUID\u003e.bat, where the filename is the output of the Guid.NewGuid()\r\nmethod. An example of a Sandals batch file is shown in Figure 2.\r\nFigure 2. Sandals batch file (top, in red) and the decoded command line parameter (bottom, in blue)\r\nThe base64 string that follows fantasy35.exe is likely a relic of the execution requirements of Apostle (more details in the\r\nAttribution to Agrius section). However, the Fantasy wiper only looks for an argument of 411 and ignores all other runtime\r\ninput (see the next section for more information).\r\nFantasy wiper\r\nThe Fantasy wiper is also a 32-bit Windows executable written in C#/.NET, so named for its filenames: fantasy45.exe and\r\nfantasy35.exe, respectively. Figure 3 depicts the execution flow of the Fantasy wiper.\r\nFigure 3. 
Fantasy wiper execution flow\r\nInitially, Fantasy creates a mutex to ensure that only one instance is running. It collects a list of fixed drives but excludes the\r\ndrive where the %WINDOWS% directory exists. Then it enters a for loop iterating over the drive list to build a recursive\r\ndirectory listing, and uses the RNGCryptoServiceProvider.GetBytes method to create a cryptographically strong sequence of\r\nrandom values in a 4096-byte array. If a runtime argument of 411 is supplied to the wiper, the for loop overwrites the\r\ncontents of every file with the aforementioned byte array using a nested while loop. Otherwise, the for loop only overwrites\r\nfiles with a file extension listed in the Appendix.\r\nFantasy then assigns a specific timestamp (2037-01-01 00:00:00) to these file timestamp properties:\r\nCreationTime\r\nLastAccessTime\r\nLastWriteTime\r\nCreationTimeUtc\r\nSetLastAccessTimeUtc\r\nLastWriteTimeUtc\r\nand then deletes the file. This is presumably done to make recovery and forensic analysis more difficult.\r\nDuring the for loop, the Fantasy wiper counts errors within the current directory when attempting to overwrite files. If the\r\nnumber of errors exceeds 50, it writes a batch file, %WINDOWS%\\Temp\\\u003cGUID\u003e.bat, that deletes the directory with the\r\nfiles causing the errors, and then self-deletes. File wiping then resumes in the next directory in the target list.\r\nOnce the for loop completes, the Fantasy wiper creates a batch file in %WINDOWS%\\Temp called registry.bat. 
The batch\r\nfile deletes the following registry keys:\r\nHKCR\\.EXE\r\nHKCR\\.dll\r\nHKCR\\*\r\nThen it runs the following to attempt to clear file system cache memory:\r\n%windir%\\system32\\rundll32.exe advapi32.dll,ProcessIdleTasks\r\nLastly, registry.bat deletes itself (del %0).\r\nNext, the Fantasy wiper clears all Windows event logs and creates another batch file, system.bat, in %WINDOWS%\\Temp,\r\nthat recursively deletes all files on %SYSTEMDRIVE%, attempts to clear file system cache memory, and self-deletes. Then\r\nFantasy sleeps for two minutes before overwriting the system’s Master Boot Record.\r\nFantasy then writes another batch file, %WINDOWS%\\Temp\\remover.bat, that deletes the Fantasy wiper from disk and then\r\ndeletes itself. Then the Fantasy wiper sleeps for 30 seconds before rebooting the system with reason code\r\nSHTDN_REASON_MAJOR_OTHER (0x00000000) -- Other issue.\r\nIt is likely that %SYSTEMDRIVE% recovery is possible. Victims were observed to be back up and running within a matter\r\nof hours.\r\nAttribution to Agrius\r\nMuch of the code base from Apostle, initially a wiper masquerading as ransomware then updated to actual ransomware, was\r\ndirectly copied to Fantasy and many other functions in Fantasy were only slightly modified from Apostle, a known Agrius\r\ntool. However, the overall functionality of Fantasy is that of a wiper without any attempt to masquerade as ransomware.\r\nFigure 4 shows the file deletion functions in Fantasy and Apostle, respectively. There are only a few small tweaks between\r\nthe original function in Apostle and the Fantasy implementation.\r\nFigure 4. 
File deletion functions from the Fantasy wiper (top, in red) and Apostle ransomware (bottom, in green)\r\nFigure 5 shows that the directory listing function is almost a direct copy, with only the function variables getting a slight\r\ntweak between Apostle and Fantasy.\r\nFigure 5. Directory listing functions from the Fantasy wiper (top, in red) and Apostle ransomware (bottom, in green)\r\nFinally, the GetSubDirectoryFileListRecursive function in Figure 6 is also almost an exact copy.\r\nFigure 6. Recursive directory listing functions from the Fantasy wiper (top, in red) and Apostle ransomware (bottom, in\r\ngreen)\r\nIn addition to the code reuse, we can see remnants of the Apostle execution flow in Fantasy. In the original analysis of\r\nApostle, SentinelOne notes that “Proper execution of the ransomware version requires supplying it with a base64 encoded\r\nargument containing an XML of an ‘RSAParameters’ object. This argument is passed on and saved as the Public Key used\r\nfor the encryption process and is most likely generated on a machine owned by the threat actor.” We can see in the batch file\r\nin Figure 7, which Sandals creates on remote systems to launch Fantasy, that the same base64-encoded argument containing\r\nan XML of an RSAParameters object is passed to Fantasy at runtime. Fantasy, however, does not use this runtime argument.\r\nFigure 7. Sandals passing to Fantasy the same RSAParameters object as was used by Apostle ransomware\r\nConclusion\r\nSince its discovery in 2021, Agrius has been solely focused on destructive operations. 
To that end, Agrius operators probably\r\nexecuted a supply-chain attack by targeting an Israeli software company’s software updating mechanisms to deploy Fantasy,\r\nits newest wiper, to victims in Israel, Hong Kong, and South Africa. Fantasy is similar in many respects to the previous\r\nAgrius wiper, Apostle, that initially masqueraded as ransomware before being rewritten to be actual ransomware. Fantasy\r\nmakes no effort to disguise itself as ransomware. Agrius operators used a new tool, Sandals, to connect remotely to systems\r\nand execute Fantasy.\r\nFor any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.\r\nESET Research also offers private APT intelligence reports and data feeds. For any inquiries about this service, visit\r\nthe ESET Threat Intelligence page.\r\nIoCs\r\nSHA-1 Filename Detection Description\r\n1A62031BBB2C3F55D44F59917FD32E4ED2041224 fantasy35.exe MSIL/KillDisk.I Fantasy wiper.\r\n820AD7E30B4C54692D07B29361AECD0BB14DF3BE fantasy45.exe MSIL/KillDisk.I Fantasy wiper.\r\n1AAE62ACEE3C04A6728F9EDC3756FABD6E342252 host2ip.exe clean Resolves a hostname to an\r\n5485C627922A71B04D4C78FBC25985CDB163313B MiniDump.exe MSIL/Riskware.LsassDumper.H\r\nImplementation of Mimikat\r\ndumps credentials from LS\r\nDB11CBFFE30E0094D6DE48259C5A919C1EB57108 registry.bat BAT/Agent.NRG\r\nBatch file that wipes some\r\nand is dropped and execute\r\nwiper.\r\n3228E6BC8C738781176E65EBBC0EB52020A44866 secretsdump.py Python/Impacket.A Python script that dumps cr\r\nB3B1EDD6B80AF0CDADADD1EE1448056E6E1B3274 spchost.exe MSIL/Agent.XH\r\nSandals lateral movement t\r\nspreader.\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 12 of the MITRE ATT\u0026CK framework.\r\nTactic ID Name Description\r\nResource\r\nDevelopment\r\nT1587 Develop Capabilities\r\nAgrius builds utility tools to use during an active\r\nexploitation process.\r\nT1587.001\r\nDevelop Capabilities:\r\nMalware\r\nAgrius builds custom 
malware including wipers\r\n(Fantasy) and lateral movement tools (Sandals).\r\nInitial Access\r\nT1078.002\r\nValid Accounts: Domain\r\nAccounts\r\nAgrius operators attempted to capture cached\r\ncredentials and then use them for lateral movement.\r\nT1078.003\r\nValid Accounts: Local\r\nAccounts\r\nAgrius operators attempted to use cached credentials\r\nfrom local accounts to gain initial access to additional\r\nsystems within an internal network.\r\nExecution T1059.003\r\nCommand and Scripting\r\nInterpreter: Windows\r\nCommand Shell\r\nFantasy and Sandals both use batch files that run via\r\nthe Windows command shell.\r\nPrivilege\r\nEscalation\r\nT1134 Access Token Manipulation\r\nFantasy uses the LookupPrivilegeValue and\r\nAdjustTokenPrivilege APIs in advapi32.dll to grant its\r\nprocess token the SeShutdownPrivilege to reboot\r\nWindows.\r\nDefense\r\nEvasion\r\nT1070.006\r\nIndicator Removal on Host:\r\nTimestomp\r\nAgrius operators timestomped the compilation\r\ntimestamps of Fantasy and Sandals.\r\nCredential\r\nAccess\r\nT1003 OS Credential Dumping\r\nAgrius operators used several tools to dump OS\r\ncredentials for use in lateral movement.\r\nDiscovery T1135 Network Share Discovery\r\nAgrius operators used cached credentials to check for\r\naccess to other systems within an internal network.\r\nLateral\r\nMovement\r\nT1021.002\r\nRemote Services:\r\nSMB/Windows Admin\r\nShares\r\nAgrius operators used cached credentials to connect\r\nover SMB to systems within an exploited internal\r\nnetwork.\r\nT1570 Lateral Tool Transfer\r\nAgrius operators used Sandals to push batch files over\r\nSMB to other systems within an internal network.\r\nImpact\r\nT1485 Data Destruction\r\nThe Fantasy wiper overwrites data in files and then\r\ndeletes the files.\r\nT1561.002 Disk Wipe\r\nFantasy wipes the MBR of the Windows drive 
and\r\nattempts to wipe the OS partition.\r\nT1561.001\r\nDisk Wipe: Disk Content\r\nWipe\r\nFantasy wipes all disk contents from non-Windows\r\ndrives that are fixed drives.\r\nT1529 System Shutdown/Reboot\r\nFantasy reboots the system after completing its disk\r\nand data wiping payloads.\r\nAppendix\r\nFile extensions (682) targeted by Fantasy wiper when not targeting all file extensions. File extensions highlighted in yellow\r\n(68) are common filename extensions in Windows. Notably absent are file extensions dll and sys.\r\n$$$ blend drw jsp nyf qualsoftcode tdb\r\n$db blend1 dsb kb2 oab quicken2015backup tex\r\n001 blend2 dss kbx obj quicken2016backup tga\r\n002 blob dtd kc2 obk quicken2017backup thm\r\n003 bm3 dwg kdb odb quickenbackup tib\r\n113 bmk dxb kdbx odc qv~ tibkp\r\n3dm bookexport dxf kdc odf r3d tif\r\n3ds bpa dxg key odg raf tig\r\n3fr bpb em1 kf odm rar tis\r\n3g2 bpm epk kpdx odp rat tlg\r\n3gp bpn eps layout ods raw tmp\r\n3pr bps erbsql lbf odt rb tmr\r\n73b bpw erf lcb oeb rbc tor\r\n7z bsa esm ldabak ogg rbf trn\r\n__a bup exe litemod oil rbk ttbk\r\n__b c exf llx old rbs txt\r\nab caa fbc lnk onepkg rdb uci\r\nab4 cas fbf ltx orf re4 upk\r\naba cbk fbk lua ori rgss3a v2i\r\nabbu cbs fbu lvl orig rim vb\r\nabf cbu fbw m ost rm vbk\r\nabk cdf fdb m2 otg rmbak vbm\r\nabu cdr ff m3u oth rmgb vbox-prev\r\nabu1 cdr3 ffd m4a otp rofl vcf\r\naccdb cdr4 fff m4v ots rrr vdf\r\naccde cdr5 fh map ott rtf vfs0\r\naccdr cdr6 fhd max oyx rw2 vmdk\r\naccdt cdrw fhf mbf p12 rwl vob\r\nach cdx fla mbk p7b rwz vpcbackup\r\nacp ce2 flat mbw p7c s3db vpk\r\nacr cel flka mcmeta pab safenotebackup vpp_pc\r\nact cenon~ flkb mdb pages sas7bdat vrb\r\nadb cer flv mdbackup pak sav vtf\r\nadi cfp fmb mdc paq say w01\r\nads cfr forge mddata pas sb w3x\r\naea cgm fos mdf pat sbb wallet\r\nafi cib fpk mdinfo pba sbs 
walletx\r\nagdl ck9 fpsx mef pbb sbu war\r\nai class fpx mem pbd sdO wav\r\nait cls fsh menu pbf sda wb2\r\nal cmf ftmb mfw pbj sdc wbb\r\napj cmt ful mig pbl sdf wbcat\r\napk config fwbackup mkv pbx5script sid wbk\r\narc cpi fxg mlx pbxscript sidd wbx\r\narch00 cpp fza mmw pcd sidn win\r\narw cr2 fzb moneywell pct sie wjf\r\nas4 craw gb1 mos pdb sim wma\r\nasd crds gb2 mov pdd sis wmo\r\nasf crt gbp mp3 pdf skb wmv\r\nashbak crw gdb mp4 pef sldm wotreplay\r\nasm cs gho mpb pem sldx wpb\r\nasmx csd ghs mpeg pfi slm wpd\r\nasp csh gray mpg pfx sln wps\r\naspx csl grey mpqge php sme wspak\r\nasset csm gry mrw php5 sn1 wxwanam\r\nasv css gs-bck mrwref phtml sn2 x\r\nasvx csv gz msg pk7 sna x11\r\nasx d3dbsp h msi pkpass sns x3f\r\nate da0 hbk msim pl snx xbk\r\nati dac hkdb mv_ plc spf xf\r\navi das hkx myd plc spg xis\r\nawg dash hplg mynotesbackup png spi xla\r\nba6 dazip hpp nb7 pot sps xlam\r\nba7 db htm nba potm sqb xlk\r\nba8 db-journal htm1 nbak potx sql xlm\r\nba9 db0 html nbd ppam sqlite xlr\r\nbac db3 hvpl nbd pps sqlite3 xls\r\nback dba ibank nbf ppsm sqlitedb xlsb\r\nbackup dbf ibd nbi ppsx sr2 xlsm\r\nbackup1 dbk ibk nbk ppt srf xlsx\r\nbackupdb dbs ibz nbs pptm srr xlt\r\nbak dbx icbu nbu pptx srt xltm\r\nbak2 dc2 icf ncf pqb-backup srw xltx\r\nbak3 dcr icxs nco prf st4 xlw\r\nbakx dcs idx nd prv st6 xml\r\nbak~ ddd iif nda ps st7 ycbcra\r\nbank ddoc iiq ndd psa st8 yrcbck\r\nbar ddrw incpas nef psafe3 std yuv\r\nbat dds indd nfb psd stg zbfx\r\nbay der index nfc psk sti zip\r\nbbb des inprogress nk2 pspimage stw ztmp\r\nbbz desc ipd nop pst stx ~cw\r\nbc6 design iso noy ptb sty\r\nbc7 dgc itdb npf ptx sum\r\nbck dim itl nps pvc sv$\r\nbckp divx itm nrbak pvhd 
sv2i\r\nbcm diy iv2i nrs py svg\r\nbdb djvu iwd nrw qba swf\r\nbff dmp iwi ns2 qbb sxc\r\nbgt dna j01 ns3 qbk sxd\r\nbif dng jar ns4 qbm sxg\r\nbifx doc java nsd qbmb sxi\r\nbig docm jbk nsf qbmd sxm\r\nbik docx jdc nsg qbr sxw\r\nbk1 dot jpa nsh qbw syncdb\r\nbkc dotm jpe ntl qbx t12\r\nbkf dotx jpeg nwb qby t13\r\nbkp dov jpg nwbak qdf tar\r\nbkup dpb jps nx2 qic tax\r\nbkz drf js nxl qsf tbk\r\nSource: https://www.welivesecurity.com/2022/12/07/fantasy-new-agrius-wiper-supply-chain-attack/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.welivesecurity.com/2022/12/07/fantasy-new-agrius-wiper-supply-chain-attack/"
	],
	"report_names": [
		"fantasy-new-agrius-wiper-supply-chain-attack"
	],
	"threat_actors": [
		{
			"id": "21e01940-3851-417f-9e90-1a4a2da07033",
			"created_at": "2022-10-25T16:07:23.299369Z",
			"updated_at": "2026-04-10T02:00:04.527895Z",
			"deleted_at": null,
			"main_name": "Agrius",
			"aliases": [
				"AMERICIUM",
				"Agonizing Serpens",
				"BlackShadow",
				"DEV-0227",
				"Pink Sandstorm",
				"SharpBoys",
				"Spectral Kitten"
			],
			"source_name": "ETDA:Agrius",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agrius",
				"BFG Agonizer",
				"BFG Agonizer Wiper",
				"DEADWOOD",
				"DETBOSIT",
				"Detbosit",
				"IPsec Helper",
				"Moneybird",
				"MultiLayer Wiper",
				"PW",
				"PartialWasher",
				"PartialWasher Wiper",
				"SQLShred",
				"Sqlextractor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d1dcfc37-1f9b-4acd-a023-25153f183c2e",
			"created_at": "2025-08-07T02:03:24.783147Z",
			"updated_at": "2026-04-10T02:00:03.664754Z",
			"deleted_at": null,
			"main_name": "COBALT SHADOW",
			"aliases": [
				"AMERICIUM ",
				"Agonizing Serpens ",
				"Agrius",
				"Agrius ",
				"BlackShadow",
				"DEV-0227 ",
				"Justice Blade ",
				"Malek Team",
				"Malek Team ",
				"MoneyBird ",
				"Pink Sandstorm ",
				"Sharp Boyz ",
				"Spectral Kitten "
			],
			"source_name": "Secureworks:COBALT SHADOW",
			"tools": [
				"Apostle",
				"DEADWOOD",
				"Fantasy wiper",
				"IPsec Helper",
				"MiniDump",
				"Moneybird ransomware",
				"Sandals",
				"SecretsDump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4023e661-f566-4b5b-a06f-9d370403f074",
			"created_at": "2024-02-02T02:00:04.064685Z",
			"updated_at": "2026-04-10T02:00:03.547155Z",
			"deleted_at": null,
			"main_name": "Pink Sandstorm",
			"aliases": [
				"AMERICIUM",
				"BlackShadow",
				"DEV-0022",
				"Agrius",
				"Agonizing Serpens",
				"UNC2428",
				"Black Shadow",
				"SPECTRAL KITTEN"
			],
			"source_name": "MISPGALAXY:Pink Sandstorm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7d982d5b-3428-483c-8804-c3ab774f1861",
			"created_at": "2024-11-01T02:00:52.70975Z",
			"updated_at": "2026-04-10T02:00:05.357255Z",
			"deleted_at": null,
			"main_name": "Agrius",
			"aliases": [
				"Agrius",
				"Pink Sandstorm",
				"AMERICIUM",
				"Agonizing Serpens",
				"BlackShadow"
			],
			"source_name": "MITRE:Agrius",
			"tools": [
				"NBTscan",
				"Mimikatz",
				"IPsec Helper",
				"Moneybird",
				"MultiLayer Wiper",
				"DEADWOOD",
				"BFG Agonizer",
				"ASPXSpy"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434528,
	"ts_updated_at": 1775791836,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/40098b9573c4c7ee36352bf50267455134b30cdc.pdf",
		"text": "https://archive.orkl.eu/40098b9573c4c7ee36352bf50267455134b30cdc.txt",
		"img": "https://archive.orkl.eu/40098b9573c4c7ee36352bf50267455134b30cdc.jpg"
	}
}