{
	"id": "6fa56877-507e-407f-8a83-8744ac299c82",
	"created_at": "2026-04-06T00:19:32.610437Z",
	"updated_at": "2026-04-10T03:30:36.21105Z",
	"deleted_at": null,
	"sha1_hash": "a7f96b5dec4a4d1374a932388a4eeec67c9f3f8c",
	"title": "Agonizing Serpens Attack Detection: Iran-Backed Hackers Target Israeli Tech Firms and Educational Institutions",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 39974,
	"plain_text": "Agonizing Serpens Attack Detection: Iran-Backed Hackers Target Israeli Tech Firms and Educational Institutions\r\nBy Daryna Olyniychuk\r\nPublished: 2023-11-09 · Archived: 2026-04-05 16:15:03 UTC\r\nThe threat posed by nation-state actors keeps growing as APT groups adopt new, more sophisticated attack methods and shift heavily toward stealth and operational security. Recently, security researchers revealed a destructive campaign against Israeli organizations launched by an Iran-affiliated hacker group dubbed Agonizing Serpens (aka Agrius, BlackShadow). The main objective of the operation was to extract personally identifiable information (PII) and intellectual property from the targeted institutions, followed by wiper malware deployment.\r\nDetect Agonizing Serpens Attacks\r\nA relatively new actor on the threat landscape, the Iran-affiliated Agonizing Serpens APT has concentrated its efforts on the Middle East, with multiple malicious campaigns launched since 2020.\r\nTo help security professionals detect Agonizing Serpens attacks in a timely manner, the SOC Prime Platform for collective cyber defense aggregates a set of curated detection algorithms accompanied by extensive CTI and metadata. All the rules are compatible with 28 SIEM, EDR, XDR, and Data Lake technologies and mapped to MITRE ATT\u0026CK to streamline threat investigation. Just hit the Explore Detections button below and drill down to the dedicated content set.\r\nExplore Detections\r\nAdditionally, cyber defenders can leverage SOC Prime’s Uncoder AI to hunt for the relevant IOCs provided by Palo Alto Networks Unit 42 in its investigation of the latest campaign targeting Israel.\r\nThe Agonizing Serpens collective has been continuously attacking Middle Eastern entities since 2020, with data-wiping malware as the primary weapon in its attacks.
The group came into the spotlight with the Apostle wiper, used in operations against Israel and the United Arab Emirates. Apostle was initially disguised as ransomware while covertly destroying the victim’s data, but the malware was later modified to act as an actual ransomware strain. The group then switched to the Fantasy wiper for offensive operations against Israel and South Africa.\r\nAccording to the recent inquiry by Palo Alto Networks Unit 42, Agonizing Serpens leveraged three brand-new wipers, dubbed MultiLayer, PartialWasher, and BFG, in its latest campaign against Israeli companies, which lasted from January to October 2023. Before switching to the data destruction phase, the threat actors exfiltrated sensitive data from targeted database servers using the Sqlextractor tool, explicitly searching for PII and intellectual property. The stolen information, including passports, email credentials, and addresses, was then shared on social media and in the Telegram messenger to damage the victims’ reputation.\r\nNotably, the hackers gained their foothold on the targeted instances by exploiting exposed internet-facing servers, followed by web shell deployment and reconnaissance activity to steal login details and gain admin rights. According to the researchers, the data wipers were used both to cover the traces of the intrusion and to add to the reputational damage.\r\nGrowing volumes of cyber attacks by state-backed APT groups and their increasing sophistication require ultra-responsiveness from cyber defenders.
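The post-compromise stage described above (web shell on an exposed server, then reconnaissance and credential theft to reach admin rights) is where endpoint telemetry gives the clearest detection signal: a web server worker process should almost never spawn a shell or an enumeration tool. The following is an added example, not code from the SOC Prime post or from Unit 42's research. It assumes the web server is IIS, so a web shell executes inside the w3wp.exe worker; the list of recon and credential tools and the sample process-creation records are constructed for this example and are not indicators from the report.

```python
# Added example (not from the SOC Prime post or Unit 42's research): flag
# processes spawned by the IIS worker that fit the web shell -> recon ->
# credential theft stage. Assumption: IIS, so the web shell runs under w3wp.exe.
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumption: IIS. Other stacks would add their own workers (httpd.exe, php-cgi.exe, ...).
WEB_WORKERS = {"w3wp.exe"}

# Assumed list of binaries an operator typically runs from a fresh web shell to
# map the host and domain and to harvest credentials (not a list from the report).
RECON_OR_CREDENTIAL_TOOLS = {
    "cmd.exe", "powershell.exe", "whoami.exe", "net.exe", "net1.exe",
    "ipconfig.exe", "nltest.exe", "nbtscan.exe", "tasklist.exe",
    "procdump.exe", "rundll32.exe", "mimikatz.exe",
}

# ASP.NET compiles a page on first request via csc.exe, so w3wp.exe -> csc.exe is
# routine; a freshly uploaded .aspx shell triggers the same compile. Keep it at
# low severity for correlation with the high-severity hits rather than dropping it.
EXPECTED_BUT_NOTABLE = {"csc.exe", "cvtres.exe"}

# key=value tokens; quoted values may contain spaces and backslash-escaped quotes.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


@dataclass(frozen=True)
class Finding:
    severity: str
    host: str
    parent: str
    image: str
    command_line: str
    reason: str


def parse_event(line: str) -> dict:
    """Parse one key=value record (Sysmon Event ID 1-style fields) into a dict."""
    fields = {}
    for key, value in _KV.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key.lower()] = value
    return fields


def basename(path: str) -> str:
    """Last path component, lower-cased, for either separator style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> Optional[Finding]:
    """Return a Finding for any child of the web server worker, else None."""
    parent = basename(event.get("parentimage", ""))
    if parent not in WEB_WORKERS:
        return None
    image = basename(event.get("image", ""))
    common = dict(host=event.get("host", "?"), parent=parent, image=image,
                  command_line=event.get("commandline", ""))
    if image in RECON_OR_CREDENTIAL_TOOLS:
        return Finding("high", reason="web server worker spawned a recon/credential tool", **common)
    if image in EXPECTED_BUT_NOTABLE:
        return Finding("low", reason="ASP.NET page compilation (routine, but also follows a shell upload)", **common)
    return Finding("medium", reason="unexpected child of web server worker", **common)


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run classify() over raw records, skipping blank lines and non-findings."""
    results = []
    for line in lines:
        if line.strip():
            finding = classify(parse_event(line))
            if finding is not None:
                results.append(finding)
    return results


# Constructed sample events (not real telemetry): one routine page compile, two
# recon commands, one LSASS dump via comsvcs.dll, and one process unrelated to IIS.
SAMPLE_EVENTS = r'''
host=web01 ParentImage=C:\Windows\System32\inetsrv\w3wp.exe Image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe CommandLine="csc.exe /t:library /out:App_Web_x.dll"
host=web01 ParentImage=C:\Windows\System32\inetsrv\w3wp.exe Image=C:\Windows\System32\cmd.exe CommandLine="cmd.exe /c whoami /all"
host=web01 ParentImage=C:\Windows\System32\inetsrv\w3wp.exe Image=C:\Windows\System32\net.exe CommandLine="net group \"Domain Admins\" /domain"
host=web01 ParentImage=C:\Windows\System32\inetsrv\w3wp.exe Image=C:\Windows\System32\rundll32.exe CommandLine="rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump 648 C:\Windows\Temp\l.dmp full"
host=web01 ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\cmd.exe CommandLine="cmd.exe"
'''.strip().splitlines()

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity:6}] {f.host}: {f.parent} -> {f.image}  {f.command_line}  ({f.reason})")
```

On the sample set this yields one low-severity compile event and three high-severity hits (cmd.exe, net.exe, rundll32.exe under w3wp.exe); the explorer.exe-spawned shell is ignored because the parent is not a web worker. The same decision, expressed as a Sigma process_creation rule (ParentImage ending in \w3wp.exe and Image ending in one of the tool names), is the form a SIEM would carry; the value of the low-severity csc.exe record is that, correlated with a high-severity hit on the same host minutes later, it points at the moment the shell page was first compiled.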
Stay ahead of any offensive campaigns with access to the latest detection algorithms from the Threat Detection Marketplace against APTs, malware, and emerging attacks of any scale.\r\nSource: https://socprime.com/blog/agonizing-serpens-attack-detection-iran-backed-hackers-target-israeli-tech-firms-and-educational-institutions/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://socprime.com/blog/agonizing-serpens-attack-detection-iran-backed-hackers-target-israeli-tech-firms-and-educational-institutions/"
	],
	"report_names": [
		"agonizing-serpens-attack-detection-iran-backed-hackers-target-israeli-tech-firms-and-educational-institutions"
	],
	"threat_actors": [
		{
			"id": "21e01940-3851-417f-9e90-1a4a2da07033",
			"created_at": "2022-10-25T16:07:23.299369Z",
			"updated_at": "2026-04-10T02:00:04.527895Z",
			"deleted_at": null,
			"main_name": "Agrius",
			"aliases": [
				"AMERICIUM",
				"Agonizing Serpens",
				"BlackShadow",
				"DEV-0227",
				"Pink Sandstorm",
				"SharpBoys",
				"Spectral Kitten"
			],
			"source_name": "ETDA:Agrius",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agrius",
				"BFG Agonizer",
				"BFG Agonizer Wiper",
				"DEADWOOD",
				"DETBOSIT",
				"Detbosit",
				"IPsec Helper",
				"Moneybird",
				"MultiLayer Wiper",
				"PW",
				"PartialWasher",
				"PartialWasher Wiper",
				"SQLShred",
				"Sqlextractor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d1dcfc37-1f9b-4acd-a023-25153f183c2e",
			"created_at": "2025-08-07T02:03:24.783147Z",
			"updated_at": "2026-04-10T02:00:03.664754Z",
			"deleted_at": null,
			"main_name": "COBALT SHADOW",
			"aliases": [
				"AMERICIUM",
				"Agonizing Serpens",
				"Agrius",
				"BlackShadow",
				"DEV-0227",
				"Justice Blade",
				"Malek Team",
				"MoneyBird",
				"Pink Sandstorm",
				"Sharp Boyz",
				"Spectral Kitten"
			],
			"source_name": "Secureworks:COBALT SHADOW",
			"tools": [
				"Apostle",
				"DEADWOOD",
				"Fantasy wiper",
				"IPsec Helper",
				"MiniDump",
				"Moneybird ransomware",
				"Sandals",
				"SecretsDump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4023e661-f566-4b5b-a06f-9d370403f074",
			"created_at": "2024-02-02T02:00:04.064685Z",
			"updated_at": "2026-04-10T02:00:03.547155Z",
			"deleted_at": null,
			"main_name": "Pink Sandstorm",
			"aliases": [
				"AMERICIUM",
				"BlackShadow",
				"DEV-0022",
				"Agrius",
				"Agonizing Serpens",
				"UNC2428",
				"Black Shadow",
				"SPECTRAL KITTEN"
			],
			"source_name": "MISPGALAXY:Pink Sandstorm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7d982d5b-3428-483c-8804-c3ab774f1861",
			"created_at": "2024-11-01T02:00:52.70975Z",
			"updated_at": "2026-04-10T02:00:05.357255Z",
			"deleted_at": null,
			"main_name": "Agrius",
			"aliases": [
				"Agrius",
				"Pink Sandstorm",
				"AMERICIUM",
				"Agonizing Serpens",
				"BlackShadow"
			],
			"source_name": "MITRE:Agrius",
			"tools": [
				"NBTscan",
				"Mimikatz",
				"IPsec Helper",
				"Moneybird",
				"MultiLayer Wiper",
				"DEADWOOD",
				"BFG Agonizer",
				"ASPXSpy"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434772,
	"ts_updated_at": 1775791836,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a7f96b5dec4a4d1374a932388a4eeec67c9f3f8c.pdf",
		"text": "https://archive.orkl.eu/a7f96b5dec4a4d1374a932388a4eeec67c9f3f8c.txt",
		"img": "https://archive.orkl.eu/a7f96b5dec4a4d1374a932388a4eeec67c9f3f8c.jpg"
	}
}