Agrius
G10301 reportsaliases · Agrius · Pink Sandstorm · AMERICIUM · Agonizing Serpens · BlackShadow
1
Reports
6
Techniques
6
Tactics
4
Countries
83%
Hunt coverage
5
Aliases
Analyst assessment — key judgments
- Signature techniques: T1543.003 (Windows Service), T1588.006 (Vulnerabilities), T1195 (Supply Chain Compromise).
- Primary targeting: US, RU, NL, IR.
- Activity declining: 0 report(s) in last 30d vs 1 prior (-100%).
- Hunt coverage 83% of 6 observed techniques (1 gap(s)).
- Assessment confidence: medium (60).
Activity & trend
DecliningLast 30d: 0 vs 1 prior (-100%)· first reported 2026-06-08 · last 2026-06-08
0
7d
0
30d
1
90d
1
All
0.1
Rpts/wk
Reporting timeline · 12 months
Movement — last 30 days
Targeting lost
IRNLRUUSVulnerabilities in this actor's reporting · 4
- CVE-2025-48595KEV1 rpt
- CVE-2026-20230KEV1 rpt
- CVE-2026-28318KEV1 rpt
- CVE-2026-410891 rpt
Overview
Analyst triage
Intelligence summary
Agrius is an Iranian threat actor active since 2020 notable for a series of ransomware and wiper operations in the Middle East, with an emphasis on Israeli targets.(Citation: SentinelOne Agrius 2021)(Citation: CheckPoint Agrius 2023) Public reporting has linked Agrius to Iran's Ministry of Intelligence and Security (MOIS).(Citation: Microsoft Iran Cyber 2023)
Top co-occurring indicators
Aliases & naming
Targeting · countries
Targeting · named victims
ATT&CK technique matrix
Coverage vs hunt library:
—
Hunt-coverage gaps — prioritized
Top techniques by observation
- T1543.003 · Windows Serviceconf 601evidence: 8th June – Threat Intelligence Report
- T1588.006 · Vulnerabilitiesconf 601evidence: 8th June – Threat Intelligence Report
- T1195 · Supply Chain Compromiseconf 601evidence: 8th June – Threat Intelligence Report
- T1589.001 · Credentialsconf 601evidence: 8th June – Threat Intelligence Report
- T1684.001 · Impersonationconf 601evidence: 8th June – Threat Intelligence Report
- AML.T0073 · Impersonationconf 601evidence: 8th June – Threat Intelligence Report
Threat catalogue · engineering roadmap
Flagged detection-engineering queue
Uncovered techniques you flagged for hunt / detection build-out, aggregated across every actor you visit. Stored locally in your browser.
Infrastructure
IOC type mix
Tooling / malware families
Relationships
Activity
30-day mention timeline
Recent reporting
| Title | Source | Severity | Collected |
|---|