A newly discovered threat group, Agrius, has been launching damaging wiper attacks aimed at Israeli targets. The malware is masquerading as ransomware to make its state-sponsored activities appear to be financially motivated. The group is based in Iran and was first discovered last year.

What happened?

As per an analysis by SentinelOne, the group is using a combination of its own custom toolset and readily available malicious software to drop a custom wiper-turned-ransomware, Apostle.
  • Unlike ransomware groups, the group is not motivated by money. Instead, it carries out cyberespionage and destructive attacks. 
  • The group would purport to have stolen and encrypted information to extort victims. However, the information is already destroyed by the wiper. 
  • During the first stages of an attack, Agrius uses VPN software while accessing public-facing applications or services belonging to its targets before trying to exploit it.
  • A FortiOS vulnerability (CVE-2018-13379) was widely used in exploit attempts aimed at Israeli targets. If successful, webshells are deployed with public cybersecurity tools.

Other tools used by Agrius

Besides Apostle, Agrius is known for using several other malware and tools for its malicious activities.
  • Agrius’ toolkit includes another destructive wiper malware strain called Deadwood. This wiper was associated with attacks aimed at Saudi Arabia in 2019 and is believed to be the work of APT33.
  • Moreover, the group leveraged a custom .NET backdoor, IPsec Helper, for persistence. This malware appears to be created by the same developer behind the recent Apostle wiper.


The threat group is using its own custom toolset, along with publicly available offensive security tools. In addition, it is focusing its attacks on a variety of organizations based in the Middle East. Organizations are recommended to stay alert and deploy adequate security measures to avoid such threats.

Cyware Publisher