{
	"id": "c1cafa18-d91c-40c3-afa1-1764433dba5b",
	"created_at": "2026-04-06T00:12:54.476683Z",
	"updated_at": "2026-04-10T13:11:27.620457Z",
	"deleted_at": null,
	"sha1_hash": "4144b8da662a7f5fc8f52e3ed0dc8c0676870b97",
	"title": "Agonizing Serpens (Aka Agrius) Targeting the Israeli Higher Education and Tech Sectors",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1849994,
	"plain_text": "Agonizing Serpens (Aka Agrius) Targeting the Israeli Higher\r\nEducation and Tech Sectors\r\nBy Or Chechik, Tom Fakterman, Daniel Frank, Assaf Dahan\r\nPublished: 2023-11-06 · Archived: 2026-04-05 14:43:19 UTC\r\nExecutive Summary\r\nUnit 42 researchers have investigated a series of destructive cyberattacks beginning in January 2023 and\r\ncontinuing as recently as October 2023, targeting the education and technology sectors in Israel.\r\nThe attacks are characterized by attempts to steal sensitive data, such as personally identifiable information (PII)\r\nand intellectual property. Once the attackers stole the information, they deployed various wipers intended to cover\r\nthe attackers’ tracks and to render the infected endpoints unusable.\r\nOur investigation revealed the perpetrators of the attacks have strong connections to an Iranian-backed APT group\r\nUnit 42 tracks as Agonizing Serpens (aka Agrius, BlackShadow, Pink Sandstorm, DEV-0022).\r\nUnit 42 researchers were also able to identify novel new wipers and tools that Agonizing Serpens used in their\r\nmost recent attacks:\r\nMultiLayer wiper\r\nPartialWasher wiper\r\nBFG Agonizer wiper\r\nSqlextractor - a custom tool to extract information from database servers\r\nBased on forensic evidence, it appears that the Agonizing Serpens APT group has recently upgraded their\r\ncapabilities and they are investing great efforts and resources to attempt to bypass endpoint detection and response\r\n(EDR) and other security measures. To do so, they have been rotating between using different known proof of\r\nconcept (PoC) and pentesting tools as well as custom tools.\r\nFor the attacks described below, the attacker was unsuccessful at bypassing Cortex XDR. Cortex XDR and\r\nXSIAM detect and prevent the execution flow described. 
They also build behavioral profiles of user activity over\r\ntime with machine learning, allowing them to detect anomalous activity indicative of, for example, credential-based attacks.\r\nWe are sharing this research to provide detection, prevention and hunting recommendations to help organizations\r\nprotect against the threats associated with Agonizing Serpens.\r\nWho Is the Agonizing Serpens APT Group?\r\nAgonizing Serpens (aka Agrius) is an Iranian-linked APT group that has been active since 2020. The group is\r\nknown for its destructive wiper and fake-ransomware attacks and mainly targets Israeli organizations across\r\nhttps://unit42.paloaltonetworks.com/agonizing-serpens-targets-israeli-tech-higher-ed-sectors/\r\nPage 1 of 28\n\nmultiple industries and countries.\r\nThough earlier reports of these attacks mentioned ransomware and ransom notes, these turned out to be a ruse (a\r\ntrend noted in the 2023 Unit 42 Ransomware and Extortion Report). In the most recent attacks, the attackers did\r\nnot request ransom – rather, the potential result of the attacks was vast data loss and disruptions of business\r\ncontinuity.\r\nAttacks from Agonizing Serpens usually have two main goals, the first being stealing sensitive information that\r\nincludes PII and intellectual property, which threat actors then publish on social media or Telegram channels. It\r\nseems likely that their motivation to publish on social media is to sow fear or inflict reputational damage. 
The\r\nsecond goal is wreaking havoc and inflicting considerable damage by wiping as many endpoints as possible.\r\nSince its emergence, the group has developed new custom tools and they have also leveraged known hacking tools\r\nand techniques to carry out their aggressive operations.\r\nTechnical Analysis\r\nThe following sections detail the different stages of a recent incident carried out by Agonizing Serpens in October\r\n2023, as analyzed by Unit 42 researchers.\r\nEntry Vector\r\nThe attackers gained initial access to the environment by exploiting vulnerable internet-facing web servers.\r\nSubsequently, they deployed multiple web shells, which granted them a foothold in the network.\r\nThe web shells that threat actors used in the described attack (shown in Figure 1) contain the same code as web\r\nshells that were observed in previous Agonizing Serpens attacks, with variations to the naming of functions. The\r\nweb shells appear to be variations of ASPXSpy.\r\nFigure 1. Snippet from xcopy.aspx web shell.\r\nAnother web shell used in this attack was named Uploader.aspx. Figure 2 shows almost identical code found in\r\ntwo web shells used by Agonizing Serpens, one from a recent attack and the other from a past attack.\r\nFigure 2. Top: snippet from Uploader.aspx, Bottom: Snippet from a web shell used in an Agonizing\r\nSerpens attack in the past against an Israeli company.\r\nFigure 3 shows how, shortly after the attackers deployed the web shells, they started to execute basic\r\nreconnaissance commands via the web shells.\r\nFigure 3. 
Basic reconnaissance commands via the web shells shown in Cortex XDR.\r\nReconnaissance\r\nTo map out the network, the attackers used various known and publicly available scanners.\r\nNbtscan\r\nThe attackers used Nbtscan, renamed as systems.txt, to scan the network for existing hosts (shown in Figure 4).\r\nFigure 4. Nbtscan used to scan the network.\r\nWinEggDrop\r\nFigure 5 shows how the attackers used an open-source SYN/TCP port scanner by WinEggDrop to scan particular\r\nhosts of interest.\r\nFigure 5. WinEggDrop scanner used for port scanning.\r\nNimScan\r\nNimScan is another publicly available port scanner that the attackers used in the attack, as shown in Figure 6.\r\nFigure 6. NimScan being used for port scanning.\r\nCredential Stealing\r\nA crucial phase of the attack consisted of obtaining credentials of users with administrative privileges. To do so,\r\nthe attackers tried multiple methods to obtain credentials, which were prevented by the Cortex XDR platform:\r\nMimikatz (filename: Mimi.exe)\r\nSMB password spraying\r\nSMB password brute force (shown in Figure 7)\r\nFigure 7. Password brute forcing using SMB.\r\nDumping the SAM file (shown in Figure 8)\r\nFigure 8. Dumping the SAM file.\r\nLateral Movement\r\nFigure 9 shows that to move laterally in the environment, the attackers mostly used Plink (renamed as\r\nsystems.exe) to create remote tunneling and establish connections to remote machines.\r\nFigure 9. Plink used to establish remote tunneling.\r\nStealing and Exfiltrating Data\r\nAttackers attempted to steal information from databases and other critical servers before executing wipers to cover\r\ntheir tracks. 
They then tried to exfiltrate this information to the attackers’ C2 servers, using different publicly\r\navailable tools such as WinSCP and PuTTY.\r\nExtracting Database Information Using Sqlextractor\r\nThe attackers used a custom tool they named sqlextractor (binary name sql.net4.exe). Its purpose is to query SQL\r\ndatabases and extract sensitive PII data, such as the following:\r\nID numbers\r\nPassport scans\r\nEmails\r\nFull addresses\r\nThe data was saved into CSV files as shown in Figures 10 and 11. The tool writes the data to a hard-coded staging\r\npath: C:\\windows\\temp\\s\\.\r\nFigure 10 shows the attackers then used 7za.exe to archive the extracted data in preparation for exfiltration.\r\nFigure 10. Sqlextractor and 7za.exe used to extract files and archive them.\r\nFigure 11. Sqlextractor writes extracted data to CSV files.\r\nFigure 12 shows the attackers also used 7zG.exe to archive interesting folders in the infected environment.\r\nFigure 12. 7zG.exe used to archive various folders.\r\nData Exfiltration Using WinSCP\r\nThe attackers attempted to use WinSCP to exfiltrate files from the environment, as shown in Figures 13 and 14.\r\nFigure 13. WinSCP being used to exfiltrate files.\r\nFigure 14. Exfiltration alerts by Cortex XDR.\r\nData Exfiltration Using Pscp.exe (PuTTY Secure Copy Protocol)\r\nFigure 15 shows that another tool the attackers used for exfiltration is pscp.exe (PuTTY Secure Copy Protocol).\r\nThe attackers attempted to establish a connection to the C2, then searched for .7z and .ezip files that contain stolen\r\ndata, as well as .dmp files created by ProcDump.\r\nFigure 15. 
pscp.exe used for exfiltration.\r\nWiper Payloads\r\nDuring the incident, the attackers attempted to use three separate wipers as part of the destructive attack. While\r\nsome of the wipers show code similarities to previously reported wipers the Agonizing Serpens group used, others\r\nare considered brand new. These have been used for the first time in this attack, as detailed in the following\r\nsection.\r\nMultiLayer Wiper\r\nThe first wiper that the attackers used is .NET malware called MultiLayer. As its name suggests, this wiper\r\ncontains multiple layers and stages.\r\nIts compilation date is Oct. 14, 2093. As this is set to a future date, it is a clear sign of metadata manipulation.\r\nFigure 16 shows that it contains two more binaries in its resources section, named MultiList and MultiWip.\r\nFigure 16. MultiLayer resources.\r\nMultiLayer drops and executes each of the aforementioned binaries, then deletes them right after their execution.\r\nThe MultiList Component - Setting the Target Files\r\nMultiList generates a list of all the files and their paths on the fixed drives on the system. It does this by\r\nenumerating all files on the infected operating system while excluding specific folders defined in a predefined list\r\n(shown in Figure 17). The attackers can define the path to which this tool should store the list via the command\r\nline.\r\nFigure 17. MultiList exclusion functionality.\r\nMultiWip - the Core Wiper Component\r\nThe MultiWip component contains the actual file wiping functionality. 
It relies on the previous component\r\n(MultiList) and reads the output list of files to wipe, which is passed as a command-line argument.\r\nMultiWip’s main function is called DoJob() and is responsible for carrying out the file-wiping activity in the\r\nmanner shown in Figure 18.\r\nFigure 18. Snippet from MultiWip’s main DoJob() function.\r\nThe malware takes the following steps in the order indicated:\r\n1. Files located on network drives are deleted immediately.\r\n2. Locally stored files are corrupted and overwritten with random data to thwart file recovery efforts, as\r\nshown in Figure 19.\r\nFigure 19. Snippet of MultiWip’s file data destruction function.\r\n3. The malware changes the original timestamps in the following FileSystemInfo properties: LastAccessTime,\r\nLastWriteTime and CreationTime. This is a well-known anti-forensic timestomping technique. The\r\nmalware timestomps according to the file system. If the file system is NTFS, the malware sets the\r\ntimestamp to 1601.1.1. On any other file system, the malware sets it to 1980.1.1 (shown in Figure 20).\r\nFigure 20. MultiWip timestomp function.\r\n4. The malware changes the original paths of the files to be deleted, using Path.GetRandomFileName, to make any\r\nrecovery efforts extremely hard.\r\n5. Finally, the malware deletes the files.\r\nCovering Tracks and Rendering the System Unusable\r\nMultiLayer is designed to cover its tracks by erasing evidence of its execution. It does so by running various\r\ncommands to prevent restoration of lost data and to render the disk unusable.\r\nFigure 21 shows that MultiLayer uses the DeleteLogs() function to create a scheduled task that launches a batch\r\nscript only once. 
The script then removes all the Windows Event Logs.\r\nFigure 21. MultiLayer scheduled task to delete event logs.\r\nTo remain stealthy, MultiLayer removes all the files it uses after its execution, including itself. To remove itself,\r\nMultiLayer uses SelfDelete().\r\nThe removal is implemented by writing a batch file named remover.bat to %TEMP% and executing\r\nit. The batch file deletes the assembly file and the batch itself, and then it clears the file system cache memory,\r\nleveraging the ProcessIdleTasks export in advapi32.dll.\r\nTo further prevent data restoration, MultiLayer tries to remove all shadow copies on the system as shown in\r\nFigure 22, and then to remove the Volume Shadow Copy (VSS) service itself.\r\nFigure 22. MultiLayer deletion of the shadow copies.\r\nFigure 23 shows that, to ensure that the system can no longer boot, MultiLayer opens a handle to\r\n\\\\.\\PhysicalDrive0 and wipes the first 512 bytes (aka the boot sector).\r\nFigure 23. MultiLayer wiping the boot sector.\r\nFinally, after the boot sector is corrupted, MultiLayer adjusts its privileges to SeShutdownPrivilege and calls the\r\nWindows API ExitWindowsEx with the EWX_REBOOT flag, which indicates system reboot. Once the system\r\nreboots, it will not be able to boot again.\r\nThe attempt to execute MultiLayer was prevented by Cortex XDR, as depicted in Figure 24 below.\r\nFigure 24. Blocked execution of the MultiLayer wiper by Cortex XDR platform.\r\nSimilarities to Apostle, IPsec Helper, and Fantasy\r\nThroughout our analysis of MultiLayer, we noticed multiple code overlaps with Apostle, IPsec Helper and\r\nFantasy. These are custom tools previously used by Agonizing Serpens. 
This might be the result of a shared\r\ncodebase or being written by the same team of developers. When comparing the code of the aforementioned tools,\r\nit appears that MultiLayer shares naming conventions and even entire code blocks with them.\r\nExample 1: Self-Deletion Mechanism\r\nThe self-deletion mechanism of MultiLayer is implemented in a similar manner to IPsec Helper, Apostle and\r\nFantasy. They share the same name for the function, named SelfDelete(). They also delete themselves by writing a\r\nbatch file named remover.bat to %TEMP% and executing it, using the above-mentioned functions shown in\r\nFigures 25 and 26.\r\nFigure 25. MultiLayer’s SelfDelete() function.\r\nFigure 26. Code snippet of the IPsec Helper. Source: Figure 20 of SentinelLABS report From Wiper\r\nto Ransomware: The Evolution of Agrius.\r\nExample 2: Directory Listing Implementation\r\nThe recursive directory listing mechanism of MultiList is implemented in a similar manner to Fantasy and\r\nApostle. They share the same name for the function, named GetSubDirectoryFileListRecusrive.\r\nThey also both call GetSubDirectoryFileListRecusrive() and GetDirectoryFileList(), where\r\nGetSubDirectoryFileListRecusrive() is called recursively as shown in the code snippets in Figures 27 and 28.\r\nFigure 27. Recursive directory listing in MultiList.\r\nFigure 28. Recursive directory listing in Fantasy. Source: Figure 6 in ESET blog \"Fantasy – a new\r\nAgrius wiper deployed through a supply‑chain attack.\"\r\nPartialWasher Wiper\r\nDuring the attack, the attackers attempted to use a second wiper, which they call PartialWasher or PW. 
Figure 29\r\nshows that it was compiled on Oct. 8 and, unlike other .NET wipers mentioned in this article, it is written in C++.\r\nFigure 29. The compilation timestamp of PartialWasher.\r\nPartialWasher defines itself as a critical process by calling NtSetInformationProcess, and it supports command-line arguments. If no arguments are provided, it defaults to its wiper functionality.\r\nWhen passing 1 as an argument, the attacker can then use an interactive command-line interface (CLI). There are\r\nseveral typos in the interface’s text, indicating that the authors are likely not native English speakers.\r\nFigure 30 shows an example of the passed arguments S /p. They trigger the malware to gather information about\r\navailable drives on the infected machine.\r\nFigure 30. PartialWasher’s CLI and typos marked in red squares.\r\nThe supported commands demonstrate the wiper’s further capabilities to perform individual wiping tasks at the\r\nrequest of its operators. These commands include:\r\nS - Scan drives and retrieve information about them, depending on the provided secondary argument\r\n/a - Get all drive information and partition details\r\n/p - Get only drive information\r\n/v - Get only partition details\r\nD - Write around 420 MB of binary data to a provided device number, most likely to make a drive unusable\r\nF - Wipe files in a specified folder and its subfolders if the files are not empty\r\nI - Wipe a specified file if it is not empty\r\nW - Change file attributes and wipe files\r\nThe attempt to execute PartialWasher was prevented by Cortex XDR, as depicted in Figure 31 below.\r\nFigure 31. 
PartialWasher detected and prevented by Cortex XDR.\r\nBFG Agonizer Wiper\r\nA third wiper that the attackers used is called BFG Agonizer (bfg.exe), according to its PDB path (E:\\tools2\\BFG agonizer\\INFECTOR\\Dropper\\Dropper\\Release\\Dropper.pdb). The file metadata indicates that it was compiled on\r\nOct. 8, as shown in Figure 32.\r\nFigure 32. BFG Agonizer’s compilation timestamp.\r\nIt is worth noting that there are many code similarities between BFG Agonizer and an open-source project called\r\nCRYLINE-v5.0, hosted on GitHub. We assess that BFG’s authors copied, or at the very least, relied heavily on\r\nthis publicly available code.\r\nBefore the wiper commences its wiping activity, it first attempts to circumvent security measures that might exist\r\non the infected endpoint. It does so by implementing several anti-hooking techniques, which have not been\r\nreported thus far as part of the group's known techniques. This suggests a possible upgrade of their capabilities.\r\nThe following sections list the anti-hooking functions BFG runs before its main payload.\r\nDLL Unhooking\r\nDLL unhooking is an anti-hooking technique that attempts to remove the user-mode inline hooks, which various\r\nsecurity solutions often implement. The technique works by restoring the bytes of the hooked functions to their\r\noriginal on-disk values. This technique is well known, and it is likely that the wiper’s authors largely adopted\r\npublicly available code.\r\nImport Address Table (IAT) Unhooking\r\nIAT unhooking is an anti-hooking technique that attempts to remove the user-mode IAT hooks, which various\r\nsecurity solutions often implement. 
Based on the wiper’s code, it is likely that the authors largely adopted publicly\r\navailable IAT unhooking code snippets.\r\nWiping the Boot Sector\r\nTo wipe the boot sector, the wiper retrieves a device handle to \\\\.\\PhysicalDrive0 as shown in Figure 33. In turn, it\r\ncalls DeviceIoControl with the IOCTL_DISK_GET_PARTITION_INFO control code to find the partition style.\r\nFigure 33. BFG retrieves a device handle to \\\\.\\PhysicalDrive0.\r\nIf the partition style is master boot record (MBR) or GUID partition table (GPT), it infects the first 6 sectors as\r\nshown in Figure 34.\r\nFigure 34. BFG overwrites the boot sector.\r\nFinally, after the sectors are infected, the wiper adjusts its privileges to have the SeShutdownPrivilege and calls\r\nthe native API NtRaiseHardError, which triggers a blue screen of death (BSOD) in the system with the error code\r\nof 0xC0000420. Once the system crashes, it will not be able to boot again (shown in Figure 35).\r\nFigure 35. BFG causing a BSOD on the system after corrupting the boot sector.\r\nThe attempt to execute the BFG Agonizer wiper was prevented by Cortex XDR, as depicted in Figure 36 below.\r\nFigure 36. Execution of BFG Agonizer wiper blocked by the Cortex XDR platform.\r\nAttempted Anti-EDR Activity\r\nDuring the attack, the group specifically attempted to bypass EDR solutions to carry out their attack uninterrupted\r\nand with greater stealth. These attempts were blocked by the Cortex XDR platform. It is interesting to note that\r\nthe group tried multiple tools and techniques, and each time they failed with one, they tried to leverage another.\r\nWhile most of the techniques are known and well-documented, the group has not used them in previous publicly\r\nreported attacks. 
This could suggest that the group is becoming increasingly advanced and aggressive in its\r\napproach.\r\nThe following sections list some of the EDR bypass tools and techniques in the order they leveraged them.\r\nEDR Service Dependency Bypass\r\nThe threat actor attempted their first EDR bypass technique on Oct. 6. The actor tried to manipulate the Cortex\r\nXDR service auto-start functionality. By leveraging previously obtained Administrator privileges, the attackers\r\ntried to modify the services Cortex XDR depends on, so it would not be able to auto-start upon system startup.\r\nFigure 37 shows these attempts were prevented, and then the attackers shifted to using custom tools that abuse\r\nthe “bring your own vulnerable driver” (BYOVD) technique.\r\nFigure 37. Cortex XDR prevents service registry manipulation.\r\nDrvIX: A Custom BYOVD Loader\r\nThe first custom tool the attackers used was a binary named agmt.exe, which was compiled on Oct. 7. According\r\nto its PDB path (C:\\Users\\dude\\source\\repos\\drvix\\x64\\Release\\drvix.pdb), it appears that this tool’s original name\r\nis drvIX (shown in Figure 38).\r\nFigure 38. agmt.exe PDB path and compilation date.\r\nHowever, according to the binary’s help function shown in Figure 39, the name is Drvtopia.\r\nFigure 39. DrvIX help section mentions Drvtopia.\r\nAgmt.exe is a custom loader and operator for the GMER driver, gmer64.sys (renamed to AGMT.sys). GMER’s\r\noriginal intended purpose is to detect and remove rootkits; however, threat actors can also leverage it to remove\r\nsecurity products. 
Using agmt.exe, the attackers can specify the PID of the target process they wish to terminate\r\nvia the command line.\r\nAgmt.exe starts by registering GMER as a new kernel driver (agmt.sys) as a service named AGMT and starting it,\r\nwhich in turn causes the operating system to load the driver into the kernel.\r\nTo communicate with and abuse the GMER functionality of terminating processes, agmt.exe retrieves a device handle\r\nto GMER’s device object as shown in Figure 40.\r\nFigure 40. Agmt.exe opens a handle to the GMER device object.\r\nThen, agmt.exe uses the DeviceIoControl Windows API with the control code 0x9876C094, while specifying the PID\r\nin the Input_Buffer parameter of the call (shown in Figure 41).\r\nFigure 41. Agmt.exe communicates with the GMER driver for terminating processes.\r\nDeviceIoControl allows user mode processes to directly communicate with kernel drivers, allowing the processes\r\nto request the drivers to service certain operations for them.\r\nIn the case of agmt.exe, the DeviceIoControl API call triggers a process termination operation for the GMER\r\ndriver. Figure 42 shows that by inspecting the GMER driver, we can determine that the functionality of the\r\n0x9876C094 control code is to terminate the target process provided by PID.\r\nFigure 42. GMER 0x9876C094 control code functionality.\r\nThe function opens a handle to the target process PID using ZwOpenProcess and then terminates it by calling\r\nZwTerminateProcess.\r\nThe attempt to leverage the GMER driver failed, as shown in Figure 43 below.\r\nFigure 43. 
Loading of the GMER driver being blocked by the Cortex XDR Platform.\r\nSecond Vulnerable Driver Attempt (Rentdrv2 Driver)\r\nAs the attempt to exploit the GMER driver failed, the attackers tried arming their drvIX tool with a\r\ndifferent vulnerable driver, taken from a new publicly available PoC tool called BadRentdrv2, first published in the\r\nbeginning of October 2023.\r\nThe attacker used the same project and compiled a modified version of the tool a day later, on Oct. 8, as shown in\r\nFigure 44. This time, the binary’s original name drvIX.exe was not changed.\r\nFigure 44. PDB path and compilation for drvIX.exe.\r\nThe loading code of the driver looks almost identical to the aforementioned drvIX version. Similarly, drvIX.exe\r\naccepts the PID of the target process the attacker wishes to terminate via the command line.\r\nDrvIX retrieves a device handle to its device object and communicates with the Rentdrv2 driver via\r\nDeviceIoControl. DrvIX then sends the target PID by specifying it in a structure sent as the Input_Buffer and\r\nspecifies the control code as 0x22E010 (shown in Figure 45).\r\nFigure 45. DrvIX communicates with Rentdrv2.\r\nSimilarly to the GMER driver, the 0x22E010 control code terminates the target process provided by its PID, as\r\nshown in Figure 46.\r\nFigure 46. Rentdrv2 0x22E010 control code functionality.\r\nThe function opens a handle to the target process PID using ZwOpenProcess and terminates it by calling\r\nZwTerminateProcess.\r\nFigure 47 shows this attempt was blocked and prevented by the Cortex XDR platform.\r\nFigure 47. 
Prevention of an attempt to terminate the Cortex XDR service.\r\nAttribution\r\nBased on the Unit 42 attribution model, we assess with a high level of confidence that the attacks described in this\r\narticle were carried out by the Iranian-linked Agonizing Serpens APT group.\r\nThis assessment is based on the following reasons and evidence:\r\nMultiple code similarities in wipers: The analysis of the MultiLayer wiper in this article shows multiple\r\ncode similarities and similar naming conventions to previously documented Agonizing Serpens wipers\r\nknown as Apostle, its successor Fantasy, and the IPsec Helper backdoor.\r\nCode similarity in web shells: The attackers used web shell variants that consisted of the same code,\r\nexcept for variable and function names that are replaced for each sample.\r\nDestructive nature of the attacks: The final step of the attacks implements a “scorched earth” policy,\r\nusing custom wipers to render the endpoints unusable and cover the tracks of the attackers. This is\r\ncongruent with all previous reports about the group’s activity.\r\nTargeting Israeli organizations: Our telemetry did not detect non-Israeli organizations affected by the\r\nattacks. This APT group seems to specifically target Israeli entities.\r\nConclusion\r\nIn this article we provided a deep-dive analysis of a recent destructive wiper attack carried out by the Iranian-linked Agonizing Serpens APT group. This attack is a part of a broader offensive campaign that targets Israeli\r\norganizations. Based on our telemetry, the most targeted organizations belong to the education and technology\r\nsectors.\r\nOur investigation uncovered new tools in the group’s arsenal that include a set of three previously undocumented\r\nwipers, as well as a database extractor tool. 
Analysis of the new wipers revealed that the group has upgraded their\r\ncapabilities, putting an emphasis on stealth and evasive techniques designed to bypass security solutions such as\r\nEDR technology.\r\nAs shown throughout our research, the Cortex XDR platform can detect and prevent the various stages of the\r\nattack lifecycle.\r\nProtections and Mitigations\r\nPalo Alto Networks customers receive protection from the different tools that were observed during the recent\r\nAgonizing Serpens campaign. The Cortex XDR and XSIAM platforms detect and prevent the execution flow\r\ndescribed in the screenshots included in the previous section.\r\nFor Palo Alto Networks customers, our products and services provide the following coverage associated with this\r\ngroup.\r\nCortex XDR and XSIAM detect user and credential-based threats by analyzing user activity from multiple data\r\nsources including the following:\r\nEndpoints\r\nNetwork firewalls\r\nActive Directory\r\nIdentity and access management solutions\r\nCloud workloads\r\nCortex XDR and XSIAM build behavioral profiles of user activity over time with machine learning. 
By\r\ncomparing new activity to past activity, peer activity and the expected behavior of the entity, Cortex XDR and\r\nXSIAM detect anomalous activity indicative of credential-based attacks.\r\nThey also offer the following protections related to the attacks discussed in this post:\r\nPrevent the execution of known malware and also prevent the execution of unknown malware\r\nusing Behavioral Threat Protection and machine learning based on the Local Analysis module\r\nProtect against credential gathering tools and techniques using the new Credential Gathering Protection\r\navailable from Cortex XDR 3.4\r\nProtect against exploitation of different vulnerabilities including ProxyShell and ProxyLogon using the\r\nAnti-Exploitation modules as well as Behavioral Threat Protection\r\nCortex XDR Pro detects post-exploitation activity, including credential-based attacks, with behavioral analytics.\r\nIf you think you might have been impacted or have an urgent matter, get in touch with the Unit 42 Incident\r\nResponse team or call:\r\nNorth America Toll-Free: 866.486.4842 (866.4.UNIT42)\r\nEMEA: +31.20.299.3130\r\nAPAC: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nPalo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA\r\nmembers use this intelligence to rapidly deploy protections to their customers and to systematically disrupt\r\nmalicious cyber actors. 
Learn more about the Cyber Threat Alliance.\r\nIndicators of Compromise\r\nWeb shells\r\n1ea4d26a31dad637d697f9fb70b6ed4d75a13d101e02e02bc00200b42353985c\r\n62e36675ed7267536bd980c07570829fe61136e53de3336eebadeca56ab060c2\r\nabfde7c29a4a703daa2b8ad2637819147de3a890fdd12da8279de51a3cc0d96d\r\nNbtscan\r\n63d51bc3e5cf4068ff04bd3d665c101a003f1d6f52de7366f5a2d9ef5cc041a7\r\nWinEggDrop\r\n49c3df62c4b62ce8960558daea4a8cf41b11c8f445e218cd257970cf939a3c25\r\nNimScan\r\ndacdb4976fd75ab2fd7bb22f1b2f9d986f5d92c29555ce2b165c020e2816a200\r\ne43d66b7a4fa09a0714c573fbe4996770d9d85e31912480e73344124017098f9\r\nMimikatz\r\n2a6e3b6e42be2f55f7ab9db9d5790b0cc3f52bee9a1272fc4d79c7c0a3b6abda\r\nProcDump\r\n5d1660a53aaf824739d82f703ed580004980d377bdc2834f1041d512e4305d07\r\nf4c8369e4de1f12cc5a71eb5586b38fc78a9d8db2b189b8c25ef17a572d4d6b7\r\nPlink\r\n13d8d4f4fa483111e4372a6925d24e28f3be082a2ea8f44304384982bd692ec9\r\nSqlextractor\r\na8e63550b56178ae5198c9cc5b704a8be4c8505fea887792b6d911e488592a7c\r\nPscp.exe\r\na112e78e4f8b99b1ceddae44f34692be20ef971944b98e2def995c87d5ae89ee\r\nMultiLayer wiper\r\n38e406b17715b1b52ed8d8e4defdb5b79a4ddea9a3381a9f2276b00449ec8835\r\nf65880ef9fec17da4142850e5e7d40ebfc58671f5d66395809977dd5027a6a3e\r\nPartialWasher Wiper\r\nec7dc5bfadce28b8a8944fb267642c6f713e5b19a9983d7c6f011ebe0f663097\r\nBFG Agonizer Wiper\r\nc52525cd7d05bddb3ee17eb1ad6b5d6670254252b28b18a1451f604dfff932a4\r\nGMER Driver Loader - agmt.exe\r\n8967c83411cd96b514252df092d8d3eda3f7f2c01b3eef1394901e27465ff981\r\na2d8704b5073cdc059e746d2016afbaecf8546daad3dbfe4833cd3d41ab63898\r\nGMER Driver\r\n18c909a2b8c5e16821d6ef908f56881aa0ecceeaccb5fa1e54995935fcfd12f7\r\nRentdrv2 Loader - drvIX.exe\r\n2fb88793f8571209c2fcf1be528ca1d59e7ac62e81e73ebb5a0d77b9d5a09cb8\r\nRentdrv2 
Driver\r\n9165d4f3036919a96b86d24b64d75d692802c7513f2b3054b20be40c212240a5\r\nInfrastructure\r\n185.105.46[.]34\r\n185.105.46[.]19\r\n93.188.207[.]110\r\n109.237.107[.]212\r\n217.29.62[.]166\r\n81.177.22[.]182\r\nAppendix\r\nFilename SHA256\r\nUploader.aspx 1ea4d26a31dad637d697f9fb70b6ed4d75a13d101e02e02bc00200b42353985c\r\nxcopy.aspx 62e36675ed7267536bd980c07570829fe61136e53de3336eebadeca56ab060c2\r\ncss.aspx abfde7c29a4a703daa2b8ad2637819147de3a890fdd12da8279de51a3cc0d96d\r\nTable 1. Web shell hashes.\r\nSource: https://unit42.paloaltonetworks.com/agonizing-serpens-targets-israeli-tech-higher-ed-sectors/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia",
		"ETDA",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/agonizing-serpens-targets-israeli-tech-higher-ed-sectors/"
	],
	"report_names": [
		"agonizing-serpens-targets-israeli-tech-higher-ed-sectors"
	],
	"threat_actors": [
		{
			"id": "21e01940-3851-417f-9e90-1a4a2da07033",
			"created_at": "2022-10-25T16:07:23.299369Z",
			"updated_at": "2026-04-10T02:00:04.527895Z",
			"deleted_at": null,
			"main_name": "Agrius",
			"aliases": [
				"AMERICIUM",
				"Agonizing Serpens",
				"BlackShadow",
				"DEV-0227",
				"Pink Sandstorm",
				"SharpBoys",
				"Spectral Kitten"
			],
			"source_name": "ETDA:Agrius",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agrius",
				"BFG Agonizer",
				"BFG Agonizer Wiper",
				"DEADWOOD",
				"DETBOSIT",
				"Detbosit",
				"IPsec Helper",
				"Moneybird",
				"MultiLayer Wiper",
				"PW",
				"PartialWasher",
				"PartialWasher Wiper",
				"SQLShred",
				"Sqlextractor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d1dcfc37-1f9b-4acd-a023-25153f183c2e",
			"created_at": "2025-08-07T02:03:24.783147Z",
			"updated_at": "2026-04-10T02:00:03.664754Z",
			"deleted_at": null,
			"main_name": "COBALT SHADOW",
			"aliases": [
				"AMERICIUM ",
				"Agonizing Serpens ",
				"Agrius",
				"Agrius ",
				"BlackShadow",
				"DEV-0227 ",
				"Justice Blade ",
				"Malek Team",
				"Malek Team ",
				"MoneyBird ",
				"Pink Sandstorm ",
				"Sharp Boyz ",
				"Spectral Kitten "
			],
			"source_name": "Secureworks:COBALT SHADOW",
			"tools": [
				"Apostle",
				"DEADWOOD",
				"Fantasy wiper",
				"IPsec Helper",
				"MiniDump",
				"Moneybird ransomware",
				"Sandals",
				"SecretsDump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4023e661-f566-4b5b-a06f-9d370403f074",
			"created_at": "2024-02-02T02:00:04.064685Z",
			"updated_at": "2026-04-10T02:00:03.547155Z",
			"deleted_at": null,
			"main_name": "Pink Sandstorm",
			"aliases": [
				"AMERICIUM",
				"BlackShadow",
				"DEV-0022",
				"Agrius",
				"Agonizing Serpens",
				"UNC2428",
				"Black Shadow",
				"SPECTRAL KITTEN"
			],
			"source_name": "MISPGALAXY:Pink Sandstorm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7d982d5b-3428-483c-8804-c3ab774f1861",
			"created_at": "2024-11-01T02:00:52.70975Z",
			"updated_at": "2026-04-10T02:00:05.357255Z",
			"deleted_at": null,
			"main_name": "Agrius",
			"aliases": [
				"Agrius",
				"Pink Sandstorm",
				"AMERICIUM",
				"Agonizing Serpens",
				"BlackShadow"
			],
			"source_name": "MITRE:Agrius",
			"tools": [
				"NBTscan",
				"Mimikatz",
				"IPsec Helper",
				"Moneybird",
				"MultiLayer Wiper",
				"DEADWOOD",
				"BFG Agonizer",
				"ASPXSpy"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434374,
	"ts_updated_at": 1775826687,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4144b8da662a7f5fc8f52e3ed0dc8c0676870b97.pdf",
		"text": "https://archive.orkl.eu/4144b8da662a7f5fc8f52e3ed0dc8c0676870b97.txt",
		"img": "https://archive.orkl.eu/4144b8da662a7f5fc8f52e3ed0dc8c0676870b97.jpg"
	}
}
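The Indicators of Compromise section of the archived post lists SHA256 hashes and defanged IP addresses but gives no way to apply them. The following is an added example and not code from Unit 42 or from the post: it refangs the post's infrastructure IPs, sweeps a directory for files whose SHA256 matches the post's web shell, Sqlextractor and wiper hashes, and matches the IPs against log lines. The hash and IP values are copied from the post; the log lines and the files it hashes are constructed for the demonstration, and the function names (refang, sweep_directory, sweep_log_lines, demo_directory_sweep) are the example's own.

```python
"""IOC sweep for the hashes and IP addresses listed in the Agonizing Serpens post.

Added example, not code from Unit 42 or the post. The SHA256 values and
defanged IPs are copied from the post's IOC section; the log lines and the
file contents below are constructed for the demo.
"""
import hashlib
import os
import re
import tempfile

# SHA256 indicators from the post (web shells, Sqlextractor and the three wipers).
IOC_SHA256 = {
    "1ea4d26a31dad637d697f9fb70b6ed4d75a13d101e02e02bc00200b42353985c": "web shell (Uploader.aspx)",
    "62e36675ed7267536bd980c07570829fe61136e53de3336eebadeca56ab060c2": "web shell (xcopy.aspx)",
    "abfde7c29a4a703daa2b8ad2637819147de3a890fdd12da8279de51a3cc0d96d": "web shell (css.aspx)",
    "a8e63550b56178ae5198c9cc5b704a8be4c8505fea887792b6d911e488592a7c": "Sqlextractor",
    "38e406b17715b1b52ed8d8e4defdb5b79a4ddea9a3381a9f2276b00449ec8835": "MultiLayer wiper",
    "f65880ef9fec17da4142850e5e7d40ebfc58671f5d66395809977dd5027a6a3e": "MultiLayer wiper",
    "ec7dc5bfadce28b8a8944fb267642c6f713e5b19a9983d7c6f011ebe0f663097": "PartialWasher wiper",
    "c52525cd7d05bddb3ee17eb1ad6b5d6670254252b28b18a1451f604dfff932a4": "BFG Agonizer wiper",
}

# Infrastructure IPs exactly as the post prints them (defanged with "[.]").
IOC_IPS_DEFANGED = [
    "185.105.46[.]34", "185.105.46[.]19", "93.188.207[.]110",
    "109.237.107[.]212", "217.29.62[.]166", "81.177.22[.]182",
]


def refang(ip):
    """Undo the '[.]' defanging so the address can be matched in logs."""
    return ip.replace("[.]", ".")


IOC_IPS = {refang(ip) for ip in IOC_IPS_DEFANGED}


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep_directory(root, known=None):
    """Hash every file under root; return (path, sha256, label) for each IOC match."""
    known = IOC_SHA256 if known is None else known
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_of_file(path)
            except OSError:
                continue  # unreadable or vanished file: skip it rather than abort the sweep
            if digest in known:
                hits.append((path, digest, known[digest]))
    return hits


# Dotted-quad IPv4 bounded on both sides, so 185.105.46.34 is not reported
# when the log actually says 185.105.46.340 or 1185.105.46.34.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def sweep_log_lines(lines):
    """Return (line_number, ip, line) for every log line that mentions an IOC IP."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IPV4_RE.findall(line):
            if ip in IOC_IPS:
                hits.append((n, ip, line.rstrip()))
    return hits


# Constructed sample log lines (not from the post). Lines 1 and 3 carry IOC IPs;
# line 4 carries a near-miss (an extra digit) that must not match.
SAMPLE_LOG = [
    "2023-10-02T09:14:11Z fw allow src=10.0.4.17 dst=93.188.207.110 dport=443 proto=tcp",
    "2023-10-02T09:14:12Z fw allow src=10.0.4.17 dst=203.0.113.5 dport=443 proto=tcp",
    "2023-10-02T09:15:03Z sshd Accepted password for svc_backup from 185.105.46.34 port 51422",
    "2023-10-02T09:15:40Z fw allow src=10.0.4.22 dst=185.105.46.340 dport=80 proto=tcp",
]


def demo_directory_sweep(known=None):
    """Build a throwaway directory with two benign constructed files and sweep it."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "a.bin"), "wb") as f:
            f.write(b"hello")
        with open(os.path.join(root, "b.bin"), "wb") as f:
            f.write(b"")
        return sweep_directory(root, known)


if __name__ == "__main__":
    for n, ip, line in sweep_log_lines(SAMPLE_LOG):
        print(f"log line {n}: IOC IP {ip}: {line}")
    print("file hits against the post's hashes:", demo_directory_sweep())
```

To use it on real data, pass a log file handle to sweep_log_lines and a web root or mounted image to sweep_directory. The IP regex is bounded on both sides on purpose: a plain substring match on "185.105.46.34" would also fire on 185.105.46.340. Because the wipers the post describes destroy what they touch, hash matches are most likely in web server directories (where the .aspx web shells land) and on backups or forensic images taken before the wiping stage, rather than on an already wiped host.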