Threat Profile: Leafminer (G0077) – Iranian Espionage Group
- Suspected Origin
- Iran
- Motivation
- Espionage
- Aliases
- Raspite
- Target Sectors
- Government, Energy, Financial, Telecommunications, Transportation
- Associated Malware
- Imecab, Sorgu, LIFEBOAT, Total SMB BruteForcer, LaZagne, Mimikatz, MailSniper, PsExec
Overview
Leafminer, tracked by MITRE ATT&CK as G0077 and also known by the alias Raspite, is a persistent Iranian threat group that has been actively conducting cyber espionage operations since at least early 2017. Their primary objective is intelligence collection, specifically targeting governments, critical infrastructure, and business entities. The group’s operations appear to stem from Iran, a conclusion drawn from geopolitical targeting patterns, Farsi-language operational documents found on their command-and-control infrastructure, and technical characteristics that align with known Iranian threat actor behaviors. This isn’t a group driven by financial gain or destructive aims; instead, Leafminer executes systematic, patient, and persistent intelligence gathering campaigns.
Their typical targets span a broad range of sectors critical to national interests, including government organizations, energy infrastructure, financial institutions, telecommunications, and transportation. While their initial focus was predominantly within the Middle East, with observed activity in countries like Saudi Arabia, UAE, Egypt, Kuwait, Israel, Lebanon, and Azerbaijan, some reporting also indicates targeting of entities in the US, Europe, and East Asia, though operations against electric utility organizations were primarily noted in the US. A significant finding in their early activity was a Farsi-language list of 809 targets used for vulnerability scans, providing clear insight into their expansive targeting ambition.
Tactics & Techniques
Leafminer employs a diverse set of tactics and techniques for initial access, persistence, and data exfiltration, often blending custom malware with publicly available tools and proof-of-concept exploits.
For initial access, watering hole attacks are a signature method. The group compromises legitimate websites, injecting malicious JavaScript to steal SMB credential hashes from visiting government and energy employees. They’ve also been observed using spearphishing with lure documents that exploit common Office vulnerabilities, often leveraging macros. Web application exploitation is another entry vector, frequently preceded by reconnaissance using tools like the custom-developed LIFEBOAT scanner to identify vulnerable internet-facing systems. Brute-force attacks, specifically password spraying against RDP services and email servers using tools like Total SMB BruteForcer and THC Hydra, are also part of their arsenal for initial compromise. Furthermore, they conduct extensive vulnerability scans of network services to identify exploitable weaknesses.
Once inside a network, Leafminer focuses heavily on credential access. Beyond the initial SMB credential theft, they use tools like LaZagne and Mimikatz to harvest credentials from password stores. For defense evasion, they have been observed obfuscating JavaScript code and employing advanced techniques like Process Doppelgänging to deploy tools and evade security software. They’ve even modified publicly available tools, like developing “OrangeTeghal” as a rework of Mimikatz to bypass detection.
Their discovery efforts involve scanning network services for vulnerabilities, using Microsoft’s Sysinternals tools to gather detailed information about remote systems, and leveraging MailSniper to search Exchange server mailboxes for keywords and files on desktops. Lateral movement within compromised networks is facilitated by exploits such as EternalBlue from the leaked Fuzzbunch framework, and the use of tools like PsExec and THC Hydra for dictionary attacks against Exchange logins. Persistence is established through the deployment of multi-purpose Trojans like Imecab, which creates persistent remote access accounts, and by installing malicious services designed to beacon back to Leafminer-controlled infrastructure. The ultimate goal of these post-compromise activities is data collection, specifically targeting email data, files, and database servers.
Notable Campaigns
Leafminer’s operations came to public light in July 2018 when Symantec published research detailing their activities. At that time, Symantec described the group as “highly active,” having identified their tools deployed across at least 44 systems within the Middle East. A significant finding during this investigation was the discovery of a compromised web server hosted on an Azerbaijani government domain (e-qht.az), which served as a distribution point for Leafminer’s malware and tools. This server also contained log files from vulnerability scans and post-compromise tools. The Farsi-language list of 809 target organizations, categorized by geography and industry, provided a crucial understanding of the group’s expansive targeting strategy across the Middle East.
Associated Malware & Tools
Leafminer relies on a mix of custom-developed malware and readily available tools, demonstrating an adaptive approach to their operations.
Their custom arsenal includes:
- Total SMB BruteForcer: A custom tool used for password spraying attacks against RDP services and email servers.
- LIFEBOAT: A backdoor utilized for initial access and reconnaissance activities.
- Imecab: A multi-purpose Trojan capable of establishing remote access, harvesting credentials, and facilitating lateral movement, serving to set up persistent access accounts on victim machines.
- SoreFang (also known as Backdoor.Sorgu): Another custom backdoor providing remote access to compromised systems.
- OrangeTeghal: A modified version of the popular post-exploitation tool Mimikatz, re-engineered to evade detection.
- Custom exploit payloads developed for frameworks like Fuzzbunch, specifically targeting SMB vulnerabilities.
Publicly available tools frequently observed in Leafminer’s campaigns include:
- LaZagne and Mimikatz: Both used extensively for credential harvesting.
- PsExec: Employed for remote execution and lateral movement.
- MailSniper: Leveraged for collecting email data by searching Exchange server mailboxes for keywords and discovering files on victim desktops.
- Sobolsoft: Used to extract attachments from EML files.
- Microsoft Sysinternals tools: Employed for system information discovery.
- THC Hydra: Utilized for brute-force and dictionary attacks, particularly against Exchange logins.
- PhpSpy: A modified web shell found on their staging servers.
- Fuzzbunch framework: This leaked NSA exploit toolkit, particularly the EternalBlue exploit, has been adapted by Leafminer for lateral movement.
Current Status
Based on ongoing tracking by security organizations, Leafminer (G0077) remains an active threat actor. The MITRE ATT&CK entry for Leafminer was last modified on April 16, 2025, indicating that the group continues to be relevant and monitored by the cybersecurity community. While detailed public reports on specific recent campaigns beyond the 2018 disclosures are less frequent, the continued maintenance of their profile suggests that their methodologies and tools are still a concern for defenders, particularly those operating in or targeting the Middle East. Organizations in the government, energy, finance, telecommunications, and transportation sectors should remain vigilant against the sophisticated, espionage-focused tactics employed by Leafminer.
Related content
Akira Ransomware: A Persistent and Evolving Global Threat
Adversary ProfileCleaver (G0003): Iranian APT Targeting Critical Infrastructure
Adversary ProfileCarbanak Threat Profile: Financial Apex Predators
Adversary ProfileThreat Actor Profile: Dragonfly (G0035) – Russia’s Critical Infrastructure Espionage Group
Worried this actor targets your sector?
Let's map your exposure before they find it themselves.
Book an advisory call