Leafminer
Leafminer, also tracked as RASPITE, is a threat actor active since at least 2017. Reporting under the Leafminer name describes targeting of the email accounts of individuals in government and businesses in the Middle East. Separately, Dragos identified RASPITE in 2018 and described its activity as focused on initial access operations against the electric utility sector, including electric utilities in the United States and government entities in the Middle East. Although the group was associated with organizations that operate ICS environments, reporting explicitly states that RASPITE had not demonstrated any ICS-specific capability, and that no new RASPITE activity had been identified since mid-2018. RASPITE is also listed among the known ICS-targeting activity groups that used watering holes for initial access.

Tradecraft attributed to Leafminer in reporting includes infecting victims with JavaScript code, scanning network services to search for vulnerabilities, using Microsoft Sysinternals tools to gather detailed information about remote systems, and stealing credentials with tools such as LaZagne. Leafminer is reported to have obtained and used LaZagne, Mimikatz, PsExec, and MailSniper; to have used MailSniper to search for files on the desktop; to have used Sobolsoft to extract attachments from EML files; and to have used a tool called Imecab to establish a persistent remote access account on victim machines.

Known aliases: Leafminer, RASPITE.
Tradecraft
34 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
4 malware families attributed to this actor across reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Listed as a threat actor associated with the PowerShell P/Invoke process injection API chain detection and related ATT&CK techniques.
Referenced as a threat actor associated with the command obfuscation technique using environment variable substrings in Windows command lines.
Referenced in the detection annotations as a threat actor associated with reconnaissance/exploitation behavior relevant to Netspy-style network scanning.
Listed as a threat actor associated with the MMC/GrimResource detection analytic.
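The environment-variable substring obfuscation referenced above works because cmd.exe expands %VAR:~start,length% to a slice of the variable's value, so a command such as "powershell" can be assembled one character at a time from variables present on every Windows host, and the raw command line contains none of the strings a simple keyword rule looks for. The block below is an added example, not Mallory's analytic and not any vendor's rule: a Python decoder that implements cmd.exe's substring semantics (negative offsets, negative lengths, omitted length), resolves the expansions against a supplied environment, and flags lines whose decoded form reveals a binary that the raw text did not contain. The environment values, the watched-binary list, the threshold of three expansions, and the sample command lines are all constructed for illustration and are labelled as such in the code.

```python
"""Detect and decode cmd.exe environment-variable substring obfuscation.

cmd.exe expands %VAR:~start[,length]% to a substring of VAR's value. An
attacker can spell a binary name from slices of ordinary variables so the raw
command line never contains it. This module resolves those expansions against
a supplied environment and reports what the decoded line reveals.
"""
import re
from typing import Dict, Optional

# %VAR:~start% or %VAR:~start,length%; start and length may be negative.
SUBSTR_RE = re.compile(r"%([A-Za-z_][A-Za-z0-9_()]*):~(-?\d+)(?:,(-?\d+))?%")

# Binaries worth noticing when they appear only after decoding.
# Illustrative list for this example, not taken from any vendor rule.
WATCHED_BINARIES = ("powershell", "cmd", "mshta", "rundll32", "regsvr32",
                    "wscript", "cscript", "certutil")

# Constructed environment for the example. A real detection must use the
# variable values recorded for the host that ran the command.
ENV: Dict[str, str] = {
    "ComSpec": r"C:\Windows\system32\cmd.exe",
    "ProgramData": r"C:\ProgramData",
    "PUBLIC": r"C:\Users\Public",
    "SystemRoot": r"C:\Windows",
    "TEMP": r"C:\Users\alice\AppData\Local\Temp",
    "PATHEXT": ".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC",
}


def cmd_substring(value: str, start: int, length: Optional[int]) -> str:
    """Apply cmd.exe %VAR:~start,length% semantics to an expanded value.

    Negative start counts back from the end (clamped to 0); negative length
    means "stop that many characters before the end"; no length means "to
    the end"; a start past the end yields an empty string.
    """
    n = len(value)
    if start < 0:
        start = max(n + start, 0)
    if start >= n:
        return ""
    if length is None:
        end = n
    elif length < 0:
        end = n + length
    else:
        end = start + length
    return value[start:end] if end > start else ""


def deobfuscate(cmdline: str, env: Dict[str, str]) -> str:
    """Replace every substring expansion whose variable is known in env."""
    # cmd.exe variable names are case-insensitive.
    upper_env = {k.upper(): v for k, v in env.items()}

    def expand(m):
        value = upper_env.get(m.group(1).upper())
        if value is None:
            return m.group(0)  # unknown variable: leave the token for the analyst
        length = int(m.group(3)) if m.group(3) is not None else None
        return cmd_substring(value, int(m.group(2)), length)

    return SUBSTR_RE.sub(expand, cmdline)


def analyze(cmdline: str, env: Dict[str, str]) -> dict:
    """Decode one command line and report what the decoding exposed."""
    expansions = len(SUBSTR_RE.findall(cmdline))
    decoded = deobfuscate(cmdline, env)
    raw_l, dec_l = cmdline.lower(), decoded.lower()
    revealed = [b for b in WATCHED_BINARIES if b in dec_l and b not in raw_l]
    # Hypothetical tuning: a binary visible only after decoding is the strong
    # signal; three or more expansions in one line is rare in benign scripts.
    return {
        "expansions": expansions,
        "decoded": decoded,
        "revealed": revealed,
        "suspicious": bool(revealed) or expansions >= 3,
    }


# Constructed sample command lines (not taken from any incident).
SAMPLES = [
    # Spells "poWersHell" from six variables, then passes arguments to it.
    "%TEMP:~16,1%%SystemRoot:~7,1%%SystemRoot:~3,-6%%ComSpec:~-3,1%"
    "%ProgramData:~4,1%%SystemRoot:~-1%%PATHEXT:~-6,1%%ComSpec:~-3,1%"
    "%PUBLIC:~12,1%%TEMP:~10,1% -nop -w hidden -c whoami",
    # Ordinary batch usage: plain expansion, no substring syntax.
    "cmd.exe /c echo %USERNAME% > %TEMP%\\out.txt",
    # A single substring expansion in an admin script: decoded, not flagged.
    "cmd.exe /c set DRIVE=%SystemRoot:~0,2%",
]

if __name__ == "__main__":
    for line in SAMPLES:
        r = analyze(line, ENV)
        print(f"expansions={r['expansions']} suspicious={r['suspicious']} "
              f"revealed={r['revealed']}")
        print("  decoded:", r["decoded"])
```

Because decoding depends on the victim host's actual variable values, run this against the environment captured with the process event (or the host's known baseline) rather than the analyst workstation's; an unknown variable is deliberately left in place so the partially decoded line still shows where the gap is.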