{ "id": "3e35836f-6138-4b92-b15c-85b9217a92dc", "created_at": "2026-04-06T00:06:09.572251Z", "updated_at": "2026-04-10T03:30:36.201204Z", "deleted_at": null, "sha1_hash": "b92e8ff932f4173e009b4d7cfa5c84b154053d20", "title": "BFG Agonizer Wiper - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 54816, "plain_text": "BFG Agonizer Wiper - Threat Group Cards: A Threat Actor\nEncyclopedia\nArchived: 2026-04-05 23:08:08 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool BFG Agonizer Wiper\n Tool: BFG Agonizer Wiper\nNames\nBFG Agonizer Wiper\nBFG Agonizer\nCategory Malware\nType Wiper\nDescription\n(Palo Alto) Before the wiper commences its wiping activity, it first attempts to circumvent\nsecurity measures that might exist on the infected endpoint. It does so by implementing several\nanti-hooking techniques, which have not been reported thus far as part of the group's known\ntechniques. This suggests a possible upgrade of their capabilities.\nInformation\nLast change to this tool card: 29 November 2023\nDownload this tool card in JSON format\nAll groups using tool BFG Agonizer Wiper\nChanged Name Country Observed\nAPT groups\n Agrius 2020-May 2023\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=9ce69a68-edec-4854-a990-d8bef5efeb32\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=9ce69a68-edec-4854-a990-d8bef5efeb32\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=9ce69a68-edec-4854-a990-d8bef5efeb32" ], "report_names": [ "listgroups.cgi?u=9ce69a68-edec-4854-a990-d8bef5efeb32" ], "threat_actors": [ { "id": "21e01940-3851-417f-9e90-1a4a2da07033", "created_at": "2022-10-25T16:07:23.299369Z", "updated_at": "2026-04-10T02:00:04.527895Z", "deleted_at": null, "main_name": "Agrius", "aliases": [ "AMERICIUM", "Agonizing Serpens", "BlackShadow", "DEV-0227", "Pink Sandstorm", "SharpBoys", "Spectral Kitten" ], "source_name": "ETDA:Agrius", "tools": [ "ASPXSpy", "ASPXTool", "Agrius", "BFG Agonizer", "BFG Agonizer Wiper", "DEADWOOD", "DETBOSIT", "Detbosit", "IPsec Helper", "Moneybird", "MultiLayer Wiper", "PW", "PartialWasher", "PartialWasher Wiper", "SQLShred", "Sqlextractor" ], "source_id": "ETDA", "reports": null }, { "id": "d1dcfc37-1f9b-4acd-a023-25153f183c2e", "created_at": "2025-08-07T02:03:24.783147Z", "updated_at": "2026-04-10T02:00:03.664754Z", "deleted_at": null, "main_name": "COBALT SHADOW", "aliases": [ "AMERICIUM ", "Agonizing Serpens ", "Agrius", "Agrius ", "BlackShadow", "DEV-0227 ", "Justice Blade ", "Malek Team", "Malek Team ", "MoneyBird ", "Pink Sandstorm ", "Sharp Boyz ", "Spectral Kitten " ], "source_name": "Secureworks:COBALT SHADOW", "tools": [ "Apostle", "DEADWOOD", "Fantasy wiper", "IPsec Helper", "MiniDump", "Moneybird ransomware", "Sandals", "SecretsDump" ], "source_id": "Secureworks", "reports": null }, { "id": "4023e661-f566-4b5b-a06f-9d370403f074", "created_at": "2024-02-02T02:00:04.064685Z", "updated_at": "2026-04-10T02:00:03.547155Z", "deleted_at": null, "main_name": "Pink Sandstorm", "aliases": [ "AMERICIUM", "BlackShadow", "DEV-0022", "Agrius", "Agonizing Serpens", "UNC2428", "Black Shadow", "SPECTRAL KITTEN" ], "source_name": "MISPGALAXY:Pink Sandstorm", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "7d982d5b-3428-483c-8804-c3ab774f1861", "created_at": "2024-11-01T02:00:52.70975Z", "updated_at": "2026-04-10T02:00:05.357255Z", "deleted_at": null, "main_name": "Agrius", "aliases": [ "Agrius", "Pink Sandstorm", "AMERICIUM", "Agonizing Serpens", "BlackShadow" ], "source_name": "MITRE:Agrius", "tools": [ "NBTscan", "Mimikatz", "IPsec Helper", "Moneybird", "MultiLayer Wiper", "DEADWOOD", "BFG Agonizer", "ASPXSpy" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775433969, "ts_updated_at": 1775791836, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/b92e8ff932f4173e009b4d7cfa5c84b154053d20.pdf", "text": "https://archive.orkl.eu/b92e8ff932f4173e009b4d7cfa5c84b154053d20.txt", "img": "https://archive.orkl.eu/b92e8ff932f4173e009b4d7cfa5c84b154053d20.jpg" } }