Agrius (Microsoft: Pink Sandstorm, formerly Americium / DEV-0227; Palo Alto Unit 42: Agonizing Serpens) is an Iran-aligned destructive cyber-operations cluster publicly reported since late 2020, with an overwhelming targeting focus on Israeli organizations and on Middle Eastern organizations adjacent to Israeli interests. The cluster is operationally significant as one of the clearest modern examples of state-aligned destructive operations disguised as ransomware, and fills the destructive-Iran-cluster cell in this curated corpus, complementing the broader Iranian state-aligned cluster coverage (apt33_elfin.yaml, apt34_oilrig.yaml, apt35_charmingkitten.yaml, apt39_chafer.yaml, muddywater.yaml, pioneer_kitten_fox_kitten.yaml, imperial_kitten_tortoiseshell.yaml). The cluster's operational signature is wiper deployment disguised as ransomware: victim data is destroyed (or, in the later Apostle builds, encrypted) while ransom demands are issued, and in the wiper cases no payment could have restored the destroyed data. The apparent purpose is to make destructive state-aligned operations look like financially motivated ransomware. This deliberate masquerade is the cluster's most distinctive tradecraft signature and separates Agrius from financially motivated ransomware operators, whose goal is payment in exchange for genuine decryption capability. A practical consequence for incident responders: a ransom note on an Agrius-affected host is not evidence that the data is recoverable, and recovery planning should assume wiping until the payload has been analyzed.
The pattern is similar in concept to NotPetya (June 2017, Russia-attributable) and WhisperGate (January 2022, Russia-attributable, see cadet_blizzard.yaml), both of which deployed wiper malware disguised as ransomware against Ukrainian organizations under state-aligned coordination; Agrius applies the same playbook to Israeli and Israel-aligned targets under Iranian-aligned coordination. The cluster's custom destructive-malware lineage spans three operationally significant wiper families:
(a) Apostle, the cluster's signature wiper-disguised-as-ransomware. It was developed iteratively from an initial wiper-only design (the November 2020 first deployment failed because of a logic flaw in the wiping code) into a fully featured variant that combines destructive wiping with AES/RSA-based file encryption, so that the subsequent 2021 deployments presented as working ransomware.
(b) Fantasy, the cluster's second-generation wiper (ESET, December 2022 disclosure), built on the Apostle code base but without the ransomware masquerade; it goes straight to wiping data. Fantasy was delivered through a supply-chain compromise of an Israeli software developer's update mechanism in February-March 2022 against the diamond industry, with victims in Israel, South Africa and Hong Kong, using the Sandals C#/.NET deployer tool.
(c) MoneyBird, a ransomware variant deployed during 2023 and an operational refresh of the cluster's destructive-ransomware tooling.
The cluster has additionally used the DEADWOOD wiper (also called Detbosit), a tool shared with the APT33 / APT34 Iranian-aligned clusters, as a fallback destructive payload when Apostle deployments failed and as the primary destructive payload in some earlier campaigns. The DEADWOOD tooling overlap is one of the strongest technical attribution links between Agrius and the broader Iranian-aligned destructive-operations ecosystem.
Signature operational tradecraft includes:
(1) HEAVY N-DAY VULNERABILITY EXPLOITATION FOR INITIAL ACCESS. The cluster relies heavily on exploitation of N-day vulnerabilities in internet-facing applications and appliances, which distinguishes it from state-aligned actors with access to private zero-day inventories. Signature exploitation includes FortiOS CVE-2018-13379 (SSL VPN path traversal, the cluster's signature initial-access vector across its 2020-2022 operations), Citrix ADC / NetScaler CVE-2019-19781, Oracle WebLogic CVE-2020-14882, Microsoft Exchange ProxyLogon CVE-2021-26855 and ProxyShell CVE-2021-34473, and WSO2 Identity Server CVE-2022-29464. N-day reliance is consistent with the cluster's positioning as state-aligned or state-tolerated with limited resources rather than fully state-resourced. For defenders the practical implication is that every listed vulnerability had a vendor patch available before the cluster exploited it; unpatched edge appliances and web applications are the enabling condition, and their access logs are the first place to look for the initial compromise.
(2) ASPXSPY WEBSHELL DEPLOYMENT + RDP TUNNELING. Following N-day exploitation, the cluster consistently deploys ASPXSpy webshell variants on the compromised internet-facing servers to establish a foothold and to tunnel RDP traffic between those servers and internal network resources. Webshell-mediated RDP tunneling gives the operators hands-on-keyboard access from external IP addresses through the compromised server as a pivot. SentinelLabs analysis of webshell upload patterns found that three of the ASPXSpy webshells observed in cluster operations were uploaded from Iranian IP addresses, one of the strongest geolocation indicators supporting the Iran-aligned attribution.
(3) COMMERCIAL VPN-BASED OPERATOR IP ANONYMIZATION. Most of the cluster's observed attack-source IPs belong to commercial VPN services (primarily ProtonVPN), a pattern that complicates IP-based attribution and makes static IP blocklists of limited value; detection of Agrius activity has to key on behavior (exploit request shapes, webshell interaction, unexpected RDP from web servers) rather than on source address.
(4) IPSEC HELPER CUSTOM .NET BACKDOOR. The cluster operates IPsec Helper, an in-house .NET backdoor exclusive to Agrius, for persistent access, credential harvesting and follow-on payload deployment. IPsec Helper checks internet connectivity by connecting to predetermined Microsoft servers and fetches Apostle (or successor wiper) .NET payloads from cluster-controlled command-and-control infrastructure. IPsec Helper and Apostle share code, suggesting a common developer team.
(5) ESPIONAGE-BEFORE-DESTRUCTION OPERATIONAL PATTERN. Although the cluster's signature mission is destructive, industry analysis (J.A. Guerrero-Saade, SentinelLabs) indicates that destructive payload deployment is preceded by espionage-style reconnaissance, lateral movement, backdoor deployment and selective data exfiltration. This is consistent with an intelligence-aware destructive actor that collects useful intelligence before destroying victim data, rather than a purely destructive one; it also means the dwell time before wiping is a detection window.
(6) DEMONSTRATED SUPPLY-CHAIN COMPROMISE CAPABILITY. The February-March 2022 Fantasy wiper campaign against the diamond industry, delivered through a trojanized update mechanism of an Israeli software developer, demonstrated that the cluster can run software-supply-chain operations in addition to direct N-day exploitation. The campaign wiped multiple victims (South Africa, Israel, Hong Kong) simultaneously on March 12, 2022, consistent with state-aligned supply-chain tradecraft.
Targeted sectors across the cluster's history include government administration, defense and military, critical infrastructure, telecommunications, energy, water and utilities, the diamond industry (2022 supply-chain campaign), jewelry and precious metals, HR services, IT consulting, manufacturing, higher education, technology, media and journalism, financial services and insurance. Targeting is overwhelmingly Israeli, with secondary operations against the UAE and Saudi Arabia and, via the 2022 diamond-industry supply-chain operation, South Africa and Hong Kong. The profile is strongly consistent with Iranian state-aligned priorities: destructive wiper operations by Iranian-aligned actors date back to the Shamoon attacks that began against Saudi Aramco in 2012 (later Shamoon variants have been associated with APT33 in industry reporting), and Israel has been a sustained target of that mission. Industry attribution to Iran-aligned operators is consistent across SentinelLabs (canonical disclosure), ESET, Check Point Research, Microsoft Threat Intelligence Center, Mandiant, Trellix and partner vendors.
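Tradecraft items (1) and (2) are what a defender can actually hunt for in their own telemetry: the public exploits for the listed CVEs leave recognizable request shapes in web-server access logs, a dropped ASPXSpy-style webshell shows up as repeated POSTs to an .aspx file the application never accepted POSTs to before, and RDP tunneled through that webshell shows up as the IIS worker process itself connecting to port 3389. The following Python triage script is an added example written for this page, not tooling from SentinelLabs or any other vendor report: the access-log lines and Sysmon-like network events are constructed, the .aspx baseline and all function names are this example's own, and each regex encodes the public proof-of-concept request shape for the CVE rather than a vendor signature (the ProxyLogon pattern keys on the single-letter .js path of the public PoC; a production rule would also key on the X-BEResource cookie that exploit sends).

```python
"""Access-log and endpoint-telemetry triage for Agrius-style initial access and webshell pivoting.
Added example for this page; every input below is constructed, not captured traffic."""
import re
from collections import Counter

# Public-exploit request shapes for the N-day CVEs in tradecraft item (1).
# Each pattern is matched against cs-uri-stem + "?" + cs-uri-query of a request.
EXPLOIT_SIGNATURES = [
    ("CVE-2018-13379", re.compile(r"/remote/fgt_lang\?lang=.*\.\./", re.I)),               # FortiOS SSL VPN traversal
    ("CVE-2019-19781", re.compile(r"/vpns?/\.\./vpns/|/vpns/portal/scripts/newbm\.pl", re.I)),  # Citrix ADC traversal
    ("CVE-2020-14882", re.compile(r"/console/[^/]+/%252e%252e%252f", re.I)),                # WebLogic console traversal
    ("CVE-2021-26855", re.compile(r"^/(owa/auth|ecp)/[a-z]\.js$", re.I)),                   # ProxyLogon public PoC path
    ("CVE-2021-34473", re.compile(r"autodiscover\.json(\?|%3f)@", re.I)),                   # ProxyShell autodiscover SSRF
    ("CVE-2022-29464", re.compile(r"/fileupload/toolsAny", re.I)),                          # WSO2 unauthenticated upload
]

# Hypothetical baseline: the only .aspx endpoints on this host that legitimately receive POSTs.
KNOWN_POST_ASPX = {"/owa/auth/logon.aspx"}

# Constructed W3C-style access log: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_ACCESS_LOG = """\
2022-03-01 10:00:01 203.0.113.10 GET /remote/fgt_lang lang=/../../../..//////////dev/cmdb/sslvpn_websession 200
2022-03-01 10:00:05 203.0.113.10 GET /owa/auth/logon.aspx - 200
2022-03-01 10:01:12 198.51.100.7 POST /vpn/../vpns/portal/scripts/newbm.pl - 200
2022-03-01 10:02:33 198.51.100.7 GET /console/css/%252e%252e%252fconsole.portal _nfpb=true 200
2022-03-01 10:02:50 198.51.100.7 GET /owa/auth/x.js - 200
2022-03-01 10:03:40 203.0.113.10 GET /autodiscover/autodiscover.json @attacker.example/ews/exchange.asmx?Email=autodiscover/autodiscover.json%3F@attacker.example 200
2022-03-01 10:04:02 203.0.113.10 POST /fileupload/toolsAny - 200
2022-03-01 10:05:17 203.0.113.10 POST /aspnet_client/system_web/error.aspx - 200
2022-03-01 10:05:19 203.0.113.10 POST /aspnet_client/system_web/error.aspx - 200
2022-03-01 10:06:00 192.0.2.55 GET /owa/auth/logon.aspx - 200
2022-03-01 10:06:31 192.0.2.55 POST /owa/auth/logon.aspx - 302
"""

# Constructed Sysmon-like network-connection events: (image, destination ip, destination port).
SAMPLE_NET_EVENTS = [
    ("C:\\Windows\\System32\\inetsrv\\w3wp.exe", "10.0.4.21", 3389),  # IIS worker speaking RDP: pivot
    ("C:\\Windows\\System32\\inetsrv\\w3wp.exe", "10.0.4.9", 1433),   # IIS worker to SQL: normal for a web app
    ("C:\\Windows\\System32\\mstsc.exe", "10.0.4.21", 3389),          # interactive RDP client: normal
]


def parse_w3c(line):
    """Parse the seven-field constructed W3C subset used above."""
    date, time, ip, method, stem, query, status = line.split()
    url = stem if query == "-" else f"{stem}?{query}"
    return {"ts": f"{date} {time}", "ip": ip, "method": method, "stem": stem, "url": url, "status": int(status)}


def triage_access_log(text):
    """Return (cve_hits, webshell_hits).

    cve_hits: list of (client ip, CVE id) for every request matching an exploit shape.
    webshell_hits: Counter of (client ip, stem) for POSTs to .aspx files outside the baseline,
    which is the shape an ASPXSpy-style webshell interaction leaves in the log.
    """
    cve_hits, webshell_hits = [], Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_w3c(line)
        for cve, pattern in EXPLOIT_SIGNATURES:
            if pattern.search(rec["url"]):
                cve_hits.append((rec["ip"], cve))
        if rec["method"] == "POST" and rec["stem"].lower().endswith(".aspx") and rec["stem"] not in KNOWN_POST_ASPX:
            webshell_hits[(rec["ip"], rec["stem"])] += 1
    return cve_hits, webshell_hits


def pivot_candidates(cve_hits, webshell_hits):
    """IPs that both sent an exploit request and then interacted with a non-baseline .aspx file:
    the exploit-then-webshell sequence from tradecraft items (1) and (2)."""
    exploit_ips = {ip for ip, _ in cve_hits}
    shell_ips = {ip for ip, _ in webshell_hits}
    return sorted(exploit_ips & shell_ips)


def rdp_from_web_worker(events):
    """Flag the IIS worker process (w3wp.exe) opening RDP. The process hosting a webshell has no
    legitimate reason to speak RDP, so this is the tunnelling pivot rather than an admin session."""
    return [(img, dst, port) for img, dst, port in events if img.lower().endswith("\\w3wp.exe") and port == 3389]


if __name__ == "__main__":
    hits, shells = triage_access_log(SAMPLE_ACCESS_LOG)
    for ip, cve in hits:
        print(f"exploit shape {cve} from {ip}")
    for (ip, stem), n in shells.items():
        print(f"possible webshell {stem}: {n} POST(s) from {ip}")
    print("exploit-then-webshell pivots:", pivot_candidates(hits, shells))
    print("RDP from web worker:", rdp_from_web_worker(SAMPLE_NET_EVENTS))
```

The exploit patterns are deliberately narrow (they match the public PoC shapes, not every possible encoding), so treat a hit as a lead to pull the full request and the server's file-system changes around that timestamp, not as proof of compromise; the webshell and RDP checks are the ones that survive the cluster's VPN-based source-IP rotation, because they key on what the server did rather than where the request came from.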
No government cybersecurity authority has formally attributed Agrius to a specific Iranian government agency or Islamic Revolutionary Guard Corps (IRGC) unit, but the cluster's operational pattern is consistent with state-aligned or state-tolerated destructive operations against Israeli interests rather than purely criminal activity. SentinelLabs assessed the cluster with "medium confidence" to be of Iranian origin, reflecting the analytical uncertainty inherent in attributing destructive operations. Agrius is operationally distinct from the APT33 / APT34 / APT35 / APT39 / MuddyWater / Pioneer Kitten / Imperial Kitten clusters curated separately in this corpus, while sharing some tooling overlaps (the DEADWOOD wiper shared with APT33 / APT34). The cluster fills the modern destructive-Iran-cluster cell in this corpus and provides analytically distinct coverage of the Iranian-aligned destructive sub-ecosystem that has historically included Shamoon (2012-2017, later variants linked to APT33), ZeroCleare (APT34 / Hive0081, 2019-2020), Dustman (related Iranian actors, 2019-2020), Project Signal and n3tw0rm (2021, partial overlap), and Agrius (2020-present).