Leafminer

Threat Actor Profile Updated 24 days ago
Leafminer is a highly active threat actor group that primarily targets organizations in the Middle East. The group employs several intrusion methods: watering-hole websites, vulnerability scans of network services exposed to the internet, and brute-force/dictionary login attempts. Its arsenal includes custom tools such as a rebranded version of Mimikatz and Total SMB BruteForcer, used for lateral movement within infiltrated networks. Leafminer's operations overlap significantly with RASPITE, and the group has been linked to numerous attacks in the Middle East, as detailed in a recent report by Symantec.

During an investigation into Leafminer's activities, breakthrough discoveries helped identify the toolkit used for intrusion, lateral movement, and exfiltration. Evidence from telemetry, together with log files hosted publicly on the attacker's arsenal server, was used to assemble a targeting profile. The compromised web server used to store Leafminer's arsenal also hosted several public proof-of-concept exploits and exploitation tools. Commands found in a readme text file stored in a ZIP archive alongside the hacktool THC Hydra corresponded to online dictionary attacks against Microsoft Exchange and Remote Desktop Protocol services of regional government servers in Saudi Arabia. Despite this activity, Leafminer shows signs of inexperience and poor operational security, evident in the group's eagerness to learn from others. A compromised web server on the domain e-qht.az was identified as a distribution point for Leafminer's malware, payloads, and tools.

Customers of the DeepSight Intelligence Managed Adversary and Threat Intelligence service have received intelligence detailing the characteristics of the Leafminer cyber espionage group and methods for detecting and thwarting its activities. Notably, Leafminer has also been tracking developments in the cybersecurity world.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so listed here are some possibly overlapping names and profiles you may also want to look at.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Associated Malware
No associations to display
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Leafminer threat actor was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
MITRE | a year ago | Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions
MITRE | a year ago | RASPITE | Dragos