Threat Actor Profile
High APT
Description

Agrius is an Iranian threat actor active since 2020, notable for a series of ransomware and wiper operations in the Middle East, with an emphasis on Israeli targets.[1][2] Public reporting has linked Agrius to Iran's Ministry of Intelligence and Security (MOIS).[3]

Confidence Score
100%
Tags
mitre-attack crawled web-source mitre-group
First Seen

Unknown

Last Updated

April 29, 2026

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (19)
T1005 - Data from Local System
Collection
T1074 - Data Staged
Collection
T1119 - Automated Collection
Collection
T1560 - Archive Collected Data
Collection
T1003 - OS Credential Dumping
Credential Access
T1110 - Brute Force
Credential Access
T1036 - Masquerading
Defense Evasion
T1078 - Valid Accounts
Defense Evasion
T1140 - Deobfuscate/Decode Files or Information
Defense Evasion
T1018 - Remote System Discovery
Discovery
T1046 - Network Service Discovery
Discovery
T1059 - Command and Scripting Interpreter
Execution
T1041 - Exfiltration Over C2 Channel
Exfiltration
T1190 - Exploit Public-Facing Application
Initial Access
T1021 - Remote Services
Lateral Movement
T1570 - Lateral Tool Transfer
Lateral Movement
T1505 - Server Software Component
Persistence
T1543 - Create or Modify System Process
Persistence
T1583 - Acquire Infrastructure
Resource Development
STIX Data
{'aliases': [],
 'description': 'Agriusis an Iranian threat actor active since 2020 notable '
                'for a series of ransomware and wiper operations in the Middle '
                'East, with an emphasis on Israeli targets.[1][2]Public '
                "reporting has linkedAgriusto Iran's Ministry of Intelligence "
                'and Security (MOIS).[3]',
 'external_references': [{'external_id': 'G1030',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G1030/'}],
 'id': 'threat-actor--G1030',
 'metadata': {'crawled_at': '2026-04-29T14:32:19.609202+00:00',
              'mitre_group_id': 'G1030',
              'page_title': 'Agrius, Pink Sandstorm, AMERICIUM, Agonizing '
                            'Serpens, BlackShadow, Group G1030 | MITRE '
                            'ATT&CK®'},
 'name': 'Agrius',
 'type': 'threat-actor'}
Related TTPs (19)
Data from Local System
Collection

Data Staged
Collection

Automated Collection
Collection

Archive Collected Data
Collection

OS Credential Dumping
Credential Access