Mallory
Malware, used by 2 actors

Fantasy

Fantasy is a destructive wiper attributed to the Iran-aligned threat actor Agrius, which Palo Alto Networks Unit 42 tracks as Agonizing Serpens. According to the Unit 42 reporting quoted on this page, Agrius deployed Fantasy in a 2022 supply-chain attack: the group compromised a trusted third-party Israeli software developer and reached that developer's downstream customers, affecting victims across multiple sectors and beyond Israel. The same reporting states that Agrius used Fantasy alongside its Apostle malware after exploiting publicly available one-day vulnerabilities in public-facing web applications and dropping custom web shells.

Separately, Stairwell (as reported by BleepingComputer) named a payload "Fantasy" as the first of two deployment mechanisms for the Goldbackdoor malware used in an APT37 campaign targeting journalists who cover North Korea. In that campaign Fantasy is a shellcode payload retrieved from Microsoft OneDrive, and both deployment mechanisms rely on stealthy process injection.

Because the same name is applied to an Agrius wiper and to an APT37 Goldbackdoor loader stage, "Fantasy" is overloaded in the reporting collected here, and the two should be treated as distinct tools that happen to share a name rather than as one family. The only claims this page's sources directly support are that Fantasy is a wiper used by Agrius in a supply-chain attack and, separately, that Fantasy is a shellcode payload and deployment mechanism for Goldbackdoor in an APT37 espionage campaign.


THREAT ACTORS

Groups observed using it

Two distinct threat actors are attributed by public researchers, one for each of the two tools that share the name: APT37 (via Stairwell, as reported by BleepingComputer) and Agrius (via Palo Alto Networks Unit 42).
APT37

This payload is called “Fantasy,” and according to Stairwell, it’s the first of the two deploying mechanisms of Goldbackdoor, both relying on stealthy process injection.

via BleepingComputer (bleepingcomputer.com)
Agrius (Agonizing Serpens)

Supply chain exploitation: The deployment of the Fantasy wiper represented a significant escalation in Agrius’s targeting methodology. By compromising a trusted third-party Israeli software developer, the threat actors executed a supply-chain attack that impacted downstream victims across multiple global verticals.

via Palo Alto Networks Unit 42 blog (unit42.paloaltonetworks.com)
MITRE ATT&CK

Techniques & procedures

10 distinct techniques documented for this family, organized by ATT&CK tactic. Because the name covers two unrelated tools, the entries quoting Stairwell (External Remote Services, the Execution techniques, Process Injection) describe the APT37 Goldbackdoor loader chain, while those quoting Unit 42 (Exploit Public-Facing Application, Supply Chain Compromise, Web Shell, Data Destruction) describe the Agrius wiper operation.

Initial Access

3 techniques
T1133 External Remote Services (evidence: 1)

The second script downloads and executes a shellcode payload stored on Microsoft OneDrive, a legitimate cloud-based file hosting service... The malware utilizes legitimate cloud services for the exfiltration of files, with Stairwell noticing the abuse of both Google Drive and Microsoft OneDrive.

Treat this mapping as weak: the quoted evidence describes abuse of a legitimate web service for payload hosting and data exfiltration, which ATT&CK covers under T1102 Web Service and T1567.002 Exfiltration to Cloud Storage, whereas T1133 is about entry through exposed remote services such as VPN, RDP or Citrix.

T1190 Exploit Public-Facing Application (evidence: 1)

Agonizing Serpens frequently exploited publicly available one-day vulnerabilities in public-facing web applications to drop custom web shells.

T1195 Supply Chain Compromise (evidence: 2)

By compromising a trusted third-party Israeli software developer, the threat actors executed a supply-chain attack that impacted downstream victims across multiple global verticals.

Execution

4 techniques
T1059 Command and Scripting Interpreter (evidence: 1)

Upon execution, a PowerShell script launches... The second script downloads and executes a shellcode payload stored on Microsoft OneDrive

T1059.001 PowerShell (evidence: 1)

Upon execution, a PowerShell script launches and opens a decoy document (doc) for distraction while decoding a second script in the background.

T1204 User Execution (evidence: 1)

Upon execution, a PowerShell script launches and opens a decoy document (doc) for distraction while decoding a second script in the background.

T1204.002 Malicious File (evidence: 1)

The emails sent to the journalists contained a link to download ZIP archives that had LNK files... The LNK file (Windows shortcut) is masqueraded with a document icon... Upon execution, a PowerShell script launches
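The Execution entries above describe one chain: a ZIP-delivered LNK launches a hidden PowerShell, which opens a decoy document while decoding a second script that pulls shellcode from OneDrive. The following is an added detection example, not code from Stairwell, BleepingComputer or Mallory: it correlates that chain over constructed Sysmon-style process-creation (EID 1) and network-connection (EID 3) events. The field names, the OneDrive host list, the PowerShell launch flags and the five-minute window are all assumptions made for the example.

```python
"""Added example: correlate the LNK -> hidden PowerShell -> decoy -> OneDrive chain
over constructed Sysmon-style events. Not Stairwell's or Mallory's code; the field
names (event, ts, pid, ppid, image, parent_image, cmdline, dest_host) are assumed
simplifications of Sysmon EID 1 and EID 3."""
import re
from datetime import datetime, timedelta

# Hosts the second-stage script would contact to pull the shellcode (assumed list).
ONEDRIVE_HOSTS = re.compile(
    r"(^|\.)(onedrive\.live\.com|api\.onedrive\.com|1drv\.(ms|com)|sharepoint\.com)$", re.I)
# Launch flags typical of an LNK-triggered, hidden PowerShell loader (assumed).
SUSPICIOUS_PS_FLAGS = re.compile(
    r"-(w|windowstyle)\s+hidden|-(e|ec|enc|encodedcommand)\s|-nop\b"
    r"|-(ep|executionpolicy)\s+bypass|downloadstring|downloadfile|invoke-expression|\biex\b", re.I)
DECOY_VIEWERS = {"winword.exe", "wordpad.exe", "acrord32.exe"}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed events, not real telemetry. Only pid 4120 reproduces the full chain.
SAMPLE_EVENTS = [
    {"event": 1, "ts": "2022-04-12T09:00:00", "pid": 4120, "ppid": 1200, "image": PS,
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -w hidden -nop -ep bypass -enc JABzAD0AJwBjAG8AbgBzAHQAcgB1AGMAdABlAGQAJwA="},
    {"event": 1, "ts": "2022-04-12T09:00:02", "pid": 4180, "ppid": 4120,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent_image": PS,
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\j\AppData\Local\Temp\interview.doc"'},
    {"event": 3, "ts": "2022-04-12T09:00:05", "pid": 4120, "image": PS,
     "dest_host": "onedrive.live.com", "dest_port": 443},
    # Benign: an analyst opens an interactive shell and then browses OneDrive.
    {"event": 1, "ts": "2022-04-12T09:10:00", "pid": 5000, "ppid": 1200, "image": PS,
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "powershell.exe"},
    {"event": 3, "ts": "2022-04-12T09:11:00", "pid": 5000, "image": PS,
     "dest_host": "onedrive.live.com", "dest_port": 443},
    # Hidden PowerShell whose OneDrive contact falls outside the window: single stage only.
    {"event": 1, "ts": "2022-04-12T10:00:00", "pid": 6000, "ppid": 1200, "image": PS,
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -WindowStyle Hidden -File C:\Users\j\AppData\Local\Temp\run.ps1"},
    {"event": 3, "ts": "2022-04-12T10:20:00", "pid": 6000, "image": PS,
     "dest_host": "onedrive.live.com", "dest_port": 443},
]


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect_chains(events, window=timedelta(minutes=5)):
    """Return {powershell_pid: chain} for hidden PowerShell launched from explorer.exe
    (the LNK stage) that also opens a decoy viewer and/or contacts OneDrive within `window`."""
    chains = {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if (e["event"] == 1 and _base(e["image"]) == "powershell.exe"
                and _base(e["parent_image"]) == "explorer.exe"
                and SUSPICIOUS_PS_FLAGS.search(e["cmdline"])):
            chains[e["pid"]] = {"start": ts, "cmdline": e["cmdline"],
                                "stages": ["powershell_from_explorer"]}
            continue
        for pid, chain in chains.items():
            if not chain["start"] <= ts <= chain["start"] + window:
                continue
            if (e["event"] == 1 and e.get("ppid") == pid
                    and _base(e["image"]) in DECOY_VIEWERS):
                chain["stages"].append("decoy_document")
            elif (e["event"] == 3 and e["pid"] == pid
                    and ONEDRIVE_HOSTS.search(e.get("dest_host") or "")):
                chain["stages"].append("onedrive_fetch")
    # A lone hidden PowerShell is noisy on its own; require a corroborating stage.
    return {pid: c for pid, c in chains.items() if len(set(c["stages"])) >= 2}


if __name__ == "__main__":
    for pid, chain in detect_chains(SAMPLE_EVENTS).items():
        print(pid, " -> ".join(chain["stages"]), "|", chain["cmdline"])
```

The decisive signal is the combination: hidden PowerShell under explorer.exe is common enough in enterprise logs, but the same process opening a document viewer and then reaching OneDrive within minutes is the loader's footprint. Keying on the PowerShell PID keeps the rule cheap; a production version would key on ProcessGuid and also follow children of that PowerShell, since the second decoded script may run in a new process.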

Persistence

2 techniques
T1133 External Remote Services (evidence: 1)

The second script downloads and executes a shellcode payload stored on Microsoft OneDrive, a legitimate cloud-based file hosting service... The malware utilizes legitimate cloud services for the exfiltration of files, with Stairwell noticing the abuse of both Google Drive and Microsoft OneDrive.

As with the Initial Access entry, the evidence describes cloud-service abuse (T1102 Web Service, T1567.002 Exfiltration to Cloud Storage) rather than persistence through an exposed remote service, so this mapping is weak.

T1505.003 Web Shell (evidence: 1)

Agonizing Serpens frequently exploited publicly available one-day vulnerabilities in public-facing web applications to drop custom web shells.

Privilege Escalation

1 technique
T1055 Process Injection (evidence: 1)

This payload is called “Fantasy,” and according to Stairwell, it’s the first of the two deploying mechanisms of Goldbackdoor, both relying on stealthy process injection.

Defense Evasion

1 technique
T1055 Process Injection (evidence: 1)

This payload is called “Fantasy,” and according to Stairwell, it’s the first of the two deploying mechanisms of Goldbackdoor, both relying on stealthy process injection.

Impact

1 technique
T1485 Data Destruction (evidence: 2)

Instead, they opted for rapid, recursive file-level destruction, overwriting targeted files with 4096-byte blocks of random data.
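The quoted behaviour, files overwritten in place with 4096-byte blocks of random data, leaves a recognizable footprint that responders can use to scope damage: the affected files keep their names and sizes but lose their format headers and consist of near-uniform high-entropy blocks. The following is an added triage example, not the wiper's code and not from Unit 42 or Mallory. It assumes the 4096-byte granularity quoted above, an entropy threshold of 7.8 bits per byte, and a short list of format magic bytes; the sample tree is constructed inside a temporary directory so the script runs offline.

```python
"""Added example: scope file-level wiping by looking for files made of 4096-byte
high-entropy blocks with no recognizable format header. Not the wiper's code;
the block size follows the quoted description, the threshold and magic list are
assumptions for the example."""
import math
import os
import tempfile

BLOCK = 4096          # overwrite granularity quoted in the Unit 42 description
THRESHOLD = 7.8       # bits/byte; uniformly random 4096-byte blocks score about 7.95
# Headers of formats that are legitimately high-entropy (zip/docx, pdf, png, jpeg,
# gzip, 7z, legacy OLE office). Assumed, non-exhaustive list.
KNOWN_MAGIC = (b"PK\x03\x04", b"%PDF", b"\x89PNG", b"\xff\xd8\xff",
               b"\x1f\x8b", b"7z\xbc\xaf", b"\xd0\xcf\x11\xe0")


def shannon_entropy(data):
    """Bits per byte of `data`; 8.0 means every byte value is equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_file(path):
    """One of: too_small, intact, partially_overwritten, likely_wiped,
    high_entropy_known_format. Only full 4096-byte blocks are scored."""
    with open(path, "rb") as f:
        head = f.read(BLOCK)
        if len(head) < BLOCK:
            return "too_small"
        known_format = head.startswith(KNOWN_MAGIC)
        full_blocks = 1
        random_blocks = int(shannon_entropy(head) >= THRESHOLD)
        while True:
            chunk = f.read(BLOCK)
            if len(chunk) < BLOCK:          # trailing partial block is not scored
                break
            full_blocks += 1
            random_blocks += shannon_entropy(chunk) >= THRESHOLD
    if random_blocks == full_blocks:
        # Every block is random-looking: a wiped file, unless the header says
        # it is a compressed/encrypted format that looks like this by design.
        return "high_entropy_known_format" if known_format else "likely_wiped"
    if random_blocks:
        return "partially_overwritten"
    return "intact"


def triage_dir(root):
    """Map each file under `root` (relative path, '/'-separated) to its verdict."""
    results = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            results[os.path.relpath(path, root).replace(os.sep, "/")] = classify_file(path)
    return results


def build_sample_tree():
    """Create a constructed sample tree in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="wiper_triage_")
    os.makedirs(os.path.join(root, "docs"))
    samples = {
        "docs/report.txt": b"Quarterly figures, unchanged\n" * 200,     # intact text
        "docs/contract.docx": os.urandom(BLOCK * 3),                     # 3 random blocks, no header
        "docs/archive.zip": b"PK\x03\x04" + os.urandom(BLOCK * 2 - 4),  # compressed look-alike
        "docs/half.db": os.urandom(BLOCK) + b"\x00" * BLOCK,             # only first block hit
        "docs/note.txt": b"tiny\n",                                      # below one block
    }
    for rel, content in samples.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    for rel, verdict in sorted(triage_dir(build_sample_tree()).items()):
        print(f"{verdict:28} {rel}")
```

Point this at a mounted image or a restored share, not at the live victim, and treat "likely_wiped" as a scoping signal rather than proof: encrypted containers and compressed formats without a listed header will also score as random, and a wiper that overwrites with a fixed pattern instead of random data would show up as "intact" here. Counting blocks rather than whole files also lets you tell a full overwrite from a header-only strike when deciding what is recoverable from backups.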
