Mallory
Malware, used by 2 actors

BFG Agonizer

BFG Agonizer is a destructive wiper malware associated with Iranian operations, specifically collaborative deployments by Agonizing Serpens (Agrius) and Boggy Serpens (MuddyWater). It is described as part of Iran’s wiper arsenal alongside families such as ZeroCleare, Meteor, Dustman, DEADWOOD, Apostle, MultiLayer, and PartialWasher. These operations frequently abused legitimate remote monitoring and management (RMM) tools to distribute payloads at scale.

Its core destructive behavior is boot-sector wiping, which inhibits recovery and renders systems unbootable. The malware obtains a device handle to \\.\PhysicalDrive0 and overwrites the boot sector of the disk. It then uses elevated privileges to call NtRaiseHardError, inducing a blue screen of death (BSOD) and crashing the system; after the resulting shutdown, the system no longer boots.

For defense evasion, BFG Agonizer performs DLL unhooking to remove the user-mode inline hooks placed by security products, and IAT unhooking to remove user-mode import address table hooks. The reported high-confidence indicators and behaviors are access to \\.\PhysicalDrive0, boot-sector wiping, DLL unhooking, IAT unhooking, and use of NtRaiseHardError to force a crash.
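As an added example (not code from this page, from Mallory, or from Unit 42), the following Python triages a captured first sector for the boot-sector wiping described above. It goes a little beyond the single behaviour in the text: it checks the 0x55AA boot signature, partition-table plausibility, zero-fill and byte entropy, so it separates an intact MBR from both a zeroed and a randomly overwritten sector. The offsets are the standard MBR layout; the sample sectors and the helper names are constructed for the example.

```python
# Added example (not code from the page, Mallory or Unit 42): forensic triage of a
# captured first sector for the boot-sector wiping attributed to BFG Agonizer.
# Input is the raw 512-byte sector (e.g. from a disk image); samples are constructed.
import math
import random

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446   # four 16-byte partition entries follow the boot code
SIGNATURE_OFFSET = 510         # bytes 0x55 0xAA mark a valid MBR / boot sector
ENTROPY_THRESHOLD = 7.0        # bits per byte; random overwrite data sits well above this

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, about 7.5 for 512 random bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(v) for v in range(256)) if c)

def partition_table_plausible(sector: bytes) -> bool:
    """Every entry's boot indicator must be 0x00 or 0x80 and at least one entry must be in use."""
    entries = [sector[PARTITION_TABLE_OFFSET + 16 * i:][:16] for i in range(4)]
    return all(e[0] in (0x00, 0x80) for e in entries) and any(any(e) for e in entries)

def triage_boot_sector(sector: bytes) -> dict:
    """Structural checks plus entropy; any failed check marks the sector as wiped."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    verdict = {
        "signature_ok": sector[SIGNATURE_OFFSET:] == b"\x55\xaa",
        "partition_table_ok": partition_table_plausible(sector),
        "zero_filled": not any(sector),
        "entropy": shannon_entropy(sector),
    }
    verdict["wiped"] = (verdict["zero_filled"] or not verdict["signature_ok"]
                        or not verdict["partition_table_ok"]
                        or verdict["entropy"] > ENTROPY_THRESHOLD)
    return verdict

def constructed_intact_mbr() -> bytes:
    """Constructed sample: placeholder boot code, one active partition entry, valid signature."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\x33\xc0\x8e"                       # placeholder code bytes, not real bootstrap
    entry = bytes([0x80, 0x20, 0x21, 0x00, 0x07, 0xfe, 0xff, 0xff])   # active, type 0x07 (NTFS)
    entry += (2048).to_bytes(4, "little") + (204800).to_bytes(4, "little")  # start LBA, sector count
    sector[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 16] = entry
    sector[SIGNATURE_OFFSET:] = b"\x55\xaa"
    return bytes(sector)

def constructed_wiped_samples() -> dict:
    """Constructed samples: a zero-filled sector and a deterministic random overwrite."""
    return {"zeroed": bytes(SECTOR_SIZE), "random": random.Random(7).randbytes(SECTOR_SIZE)}
```

On a real image, read the first 512 bytes of the device or image file and pass them to triage_boot_sector; a failed signature or partition-table check on a drive that previously booted is the primary signal, and the entropy field tells a zero-fill apart from a random overwrite.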


Threat actors: groups observed using it

2 distinct threat actors attributed by public researchers.
MuddyWater

MultiLayer and BFG Agonizer: Concurrently, collaborative deployments between Agonizing Serpens and Boggy Serpens (aka MuddyWater) introduced highly modular wipers like MultiLayer and BFG Agonizer. These operations frequently abused legitimate remote monitoring and management (RMM) tools to distribute the payloads at scale.

via Palo Alto Networks Unit 42 blog (unit42.paloaltonetworks.com)
Mustang Panda

MultiLayer and BFG Agonizer: Concurrently, collaborative deployments between Agonizing Serpens and Boggy Serpens (aka MuddyWater) introduced highly modular wipers like MultiLayer and BFG Agonizer. These operations frequently abused legitimate remote monitoring and management (RMM) tools to distribute the payloads at scale.

via Palo Alto Networks Unit 42 blog (unit42.paloaltonetworks.com)
MITRE ATT&CK: techniques & procedures

9 distinct techniques documented for this family, organized by ATT&CK tactic.

Persistence (1 technique)

T1554 Compromise Host Software Binary (evidence: 1)

Stealth (1 technique)

T1014 Rootkit (evidence: 1)

BFG Agonizer uses DLL unhooking to remove the user-mode inline hooks that security solutions often implement, and IAT unhooking to remove the user-mode IAT hooks that security solutions also use.

Command and Control (1 technique)

T1219 Remote Access Tools (evidence: 1)

These operations frequently abused legitimate remote monitoring and management (RMM) tools to distribute the payloads at scale.

Exfiltration (1 technique)

T1041 Exfiltration Over C2 Channel (evidence: 1)

Destructive deployments were consistently paired with aggressive data exfiltration, creating simultaneous hack-and-leak operations.

Impact (5 techniques)

T1485 Data Destruction (evidence: 2)

Instead, they opted for rapid, recursive file-level destruction, overwriting targeted files with 4096-byte blocks of random data.

T1490 Inhibit System Recovery (evidence: 3)

Akira will delete system volume shadow copies via PowerShell commands. Avaddon deletes backups and shadow copies using native system tools. Babuk has the ability to delete shadow volumes using vssadmin.exe delete shadows /all /quiet. BlackCat can delete shadow copies using vssadmin.exe delete shadows /all /quiet and wmic.exe Shadowcopy Delete; it can also modify the boot loader using bcdedit /set {default} recoveryenabled No.

T1529 System Shutdown/Reboot (evidence: 2)

"AcidPour includes functionality to reboot the victim system following wiping actions..."; "AcidRain reboots the target system once the various wiping processes are complete"; "Apostle reboots the victim machine following wiping"; "APT37 ... issue the command shutdown /r /t 1 to reboot a system after wiping its MBR"; "APT38 ... BOOTWRECK ... initiate a system reboot after wiping the victim's MBR"; "Black Basta ... used ShellExecuteA to shut down and restart"; "DarkGate ... used the shutdown command"; "HermeticWiper can initiate a system shutdown"; "NotPetya will reboot the system one hour after infection"; "Shamoon will reboot the infected system once the wiping functionality has been completed"; "WhisperGate can shutdown ... through ... ExitWindowsEx"

T1561.001 Disk Content Wipe (evidence: 1)

APT37 has access to destructive malware that is capable of overwriting a machine's Master Boot Record (MBR). APT38 has used a custom MBR wiper named BOOTWRECK to render systems inoperable. CaddyWiper has the ability to destroy information about a physical drive's partitions including the MBR, GPT, and partition entries.

T1561.002 Disk Structure Wipe (evidence: 1)