Threat Group Cards: A Threat Actor Encyclopedia
Archived: 2026-04-05 16:36:12 UTC
 APT group: Agrius
Names
Agrius (SentinelLabs)
DEV-0227 (Microsoft)
BlackShadow (Kaspersky)
SharpBoys (?)
AMERICIUM (Microsoft)
Pink Sandstorm (Microsoft)
Agonizing Serpens (Palo Alto)
Spectral Kitten (CrowdStrike)
Country Iran
Motivation Information theft and espionage, Sabotage and destruction
First seen 2020
Description
(SentinelLabs) A new threat actor SentinelLabs track as Agrius was observed
operating in Israel beginning in 2020. An analysis of what at first sight appeared to
be a ransomware attack revealed new variants of wipers that were deployed in a set
of destructive attacks against Israeli targets. The operators behind the attacks
intentionally masked their activity as ransomware attacks.
Observed Countries: Hong Kong, Israel, South Africa.
Tools used
Apostle, ASPXSpy, BFG Agonizer Wiper, DEADWOOD, Fantasy, IPsec Helper,
Moneybird, MultiLayer Wiper, PartialWasher Wiper, Sqlextractor.
Operations performed
Feb 2022
Fantasy – a new Agrius wiper deployed through a supply‑chain
attack
May 2023
Agrius Deploys Moneybird in Targeted Attacks Against Israeli
Organizations
Information https://apt.etda.or.th/cgi-bin/showcard.cgi?u=50c0c8a2-3842-4e7a-aad8-270c1793e3e1
Page 1 of 2

Last change to this card: 28 June 2025
Download this actor card in PDF or JSON format
Source: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=50c0c8a2-3842-4e7a-aad8-270c1793e3e1
https://apt.etda.or.th/cgi-bin/showcard.cgi?u=50c0c8a2-3842-4e7a-aad8-270c1793e3e1
Page 2 of 2