Threat Actor Profile
High APT
Description

Leafminer is an Iranian threat group that has targeted government organizations and business entities in the Middle East since at least early 2017. (Citation: Symantec Leafminer July 2018)

Confidence Score
90%
Known Aliases
Leafminer Raspite
Tags
mitre-attack stix-2.1 intrusion-set
First Seen

Unknown

Last Updated

Unknown

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (17)
T1114.002 - Remote Email Collection
Collection
T1003.001 - LSASS Memory
Credential Access
T1003.004 - LSA Secrets
Credential Access
T1003.005 - Cached Domain Credentials
Credential Access
T1110.003 - Password Spraying
Credential Access
T1552.001 - Credentials In Files
Credential Access
T1555 - Credentials from Password Stores
Credential Access
T1555.003 - Credentials from Web Browsers
Credential Access
T1027.010 - Command Obfuscation
Defense Evasion
T1055.013 - Process Doppelgänging
Defense Evasion
T1018 - Remote System Discovery
Discovery
T1046 - Network Service Discovery
Discovery
T1083 - File and Directory Discovery
Discovery
T1059.007 - JavaScript
Execution
T1189 - Drive-by Compromise
Initial Access
T1136.001 - Local Account
Persistence
T1588.002 - Tool
Resource Development
Indicators of Compromise
STIX Data
{'aliases': ['Leafminer', 'Raspite'],
 'created': '2018-10-17T00:14:20.652Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': '[Leafminer](https://attack.mitre.org/groups/G0077) is an '
                'Iranian threat group that has targeted government '
                'organizations and business entities in the Middle East since '
                'at least early 2017. (Citation: Symantec Leafminer July 2018)',
 'external_references': [{'external_id': 'G0077',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G0077'},
                         {'description': '(Citation: Dragos Raspite Aug 2018)',
                          'source_name': 'Raspite'},
                         {'description': '(Citation: Symantec Leafminer July '
                                         '2018)',
                          'source_name': 'Leafminer'},
                         {'description': 'Dragos, Inc. (2018, August 2). '
                                         'RASPITE. Retrieved November 26, '
                                         '2018.',
                          'source_name': 'Dragos Raspite Aug 2018',
                          'url': 'https://www.dragos.com/blog/20180802Raspite.html'},
                         {'description': 'Symantec Security Response. (2018, '
                                         'July 25). Leafminer: New Espionage '
                                         'Campaigns Targeting Middle Eastern '
                                         'Regions. Retrieved August 28, 2018.',
                          'source_name': 'Symantec Leafminer July 2018',
                          'url': 'https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east'}],
 'id': 'intrusion-set--32bca8ff-d900-4877-aa65-d70baa041b74',
 'modified': '2025-04-16T20:37:33.912Z',
 'name': 'Leafminer',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'intrusion-set',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': False,
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_version': '2.4'}