THREATOPS Actor Dossier
LIVE ← Dashboard

Agrius

G10301 reports
aliases · Agrius · Pink Sandstorm · AMERICIUM · Agonizing Serpens · BlackShadow
Export dossier:
1
Reports
6
Techniques
6
Tactics
4
Countries
83%
Hunt coverage
5
Aliases

Analyst assessment — key judgments

  • Signature techniques: T1543.003 (Windows Service), T1588.006 (Vulnerabilities), T1195 (Supply Chain Compromise).
  • Primary targeting: US, RU, NL, IR.
  • Activity declining: 0 report(s) in last 30d vs 1 prior (-100%).
  • Hunt coverage 83% of 6 observed techniques (1 gap(s)).
  • Assessment confidence: medium (60).

Activity & trend

DecliningLast 30d: 0 vs 1 prior (-100%)· first reported 2026-06-08 · last 2026-06-08
0
7d
0
30d
1
90d
1
All
0.1
Rpts/wk
Reporting timeline · 12 months

Movement — last 30 days

Targeting lost
IRNLRUUS

Vulnerabilities in this actor's reporting · 4

Overview

Analyst triage
Intelligence summary

Agrius is an Iranian threat actor active since 2020 notable for a series of ransomware and wiper operations in the Middle East, with an emphasis on Israeli targets.(Citation: SentinelOne Agrius 2021)(Citation: CheckPoint Agrius 2023) Public reporting has linked Agrius to Iran's Ministry of Intelligence and Security (MOIS).(Citation: Microsoft Iran Cyber 2023)

Top co-occurring indicators
    Aliases & naming
      Targeting · countries
        Targeting · named victims

          ATT&CK technique matrix

          Coverage vs hunt library:
          Hunt-coverage gaps — prioritized

            Top techniques by observation

            Threat catalogue · engineering roadmap0

            Flagged detection-engineering queue

            Uncovered techniques you flagged for hunt / detection build-out, aggregated across every actor you visit. Stored locally in your browser.

              No techniques queued yet — flag a gap above to add it here.

              Infrastructure

              IOC type mix
              Tooling / malware families
                Tracked infrastructure

                Relationships

                Related actors (behavioral cluster)
                  Attributed malware
                  Campaigns
                  No behavioral cluster, attributed malware, or campaigns recorded for this actor yet.

                  Activity

                  30-day mention timeline
                  Recent reporting
                  TitleSourceSeverityCollected