active threat profile
type: nation-state
threat level: high
status: active
origin: Iran — state-suspected espionage
last updated: 2025-03-27
apt / nation-state / iran / espionage

Leafminer

also known as: RASPITE (Dragos), G0077 (MITRE)

An Iranian-attributed espionage group documented by Symantec in 2018, notable for the extraordinary scale of its targeting ambitions versus its modest technical capabilities. While peer APT groups typically focus on narrow, high-value target sets, Leafminer had an identified list of over 800 organizations across the Middle East spanning government, finance, petrochemical, and energy sectors. Despite this ambition, researchers characterized the group's capabilities as average at best — a conclusion reinforced by a major operational security failure in which the group left its entire staging server publicly accessible, exposing its complete arsenal of tools and a Farsi-language target list to Symantec researchers.

attributed origin: Iran (state-suspected; not formally confirmed)
suspected sponsor: Iranian government (possible); independent with Iranian ties
first observed: Early 2017; formally documented July 2018
primary motivation: Espionage — email data, files, database access; potential ICS pre-positioning
primary targets: Government, finance, petrochemical, energy — Middle East (809 confirmed scan targets)
confirmed infections: 44 systems confirmed; dozens of organizations actively attacked
MITRE ATT&CK group: G0077
target regions: Saudi Arabia, UAE, Kuwait, Israel, Lebanon, Qatar, Bahrain, Egypt, Afghanistan; US (electric utility)
threat level: High (broad targeting scope; ICS interest; potential state mandate)

Overview

Leafminer is an Iranian-attributed cyber espionage group that Symantec formally documented in July 2018 after discovering its staging server had been left publicly accessible — an operational security failure that inadvertently exposed the group's entire toolkit, its Farsi-language target list of 809 organizations, and log files that allowed Symantec researchers to reconstruct the campaign's scope and attribution chain. Dragos tracks the same actor as RASPITE and identified a separate targeting thread focused on industrial control systems in the US electric utility sector.

The group has been active since at least early 2017 and significantly ramped up its operational tempo between late 2017 and mid-2018. Despite an ambitious goal of scanning hundreds of regional organizations, Symantec characterized Leafminer's technical capabilities as "average at best" compared to other APT actors. The group does not develop sophisticated novel capabilities — instead it actively follows the offensive security research community and adapts disclosed techniques, tools, and exploits from other actors for its own operations.

Iranian origin is supported by several converging indicators: the target list was written in Farsi; all targeted organizations are outside Iran and have documented political or economic tension with the country; Iran is the consistent common denominator across target geographies; and the web shell used to configure the group's arsenal server was authored by the handle "MagicCoder," which links to the Iranian hacking forum Ashiyane and the Iranian hacker group Sun Army. Symantec stopped short of formally attributing the group to the Iranian government, but noted state sponsorship was possible. Symantec's technical director Vikram Thakur observed: "All the target organizations have some kind of political discourse ongoing with Iran, and Iran is actually missing from the list themselves."

The RASPITE designation by Dragos introduced the additional dimension of ICS-oriented targeting. Dragos documented Leafminer/RASPITE conducting initial access operations against US electric utility organizations, using the same watering hole and SMB credential harvesting methodology it deployed in Middle East campaigns. Dragos was careful to note that while the group was targeting ICS-operating entities, it had not demonstrated ICS-specific destructive capability at time of reporting — a distinction with significant defensive implications.

opsec failure — staging server exposure

Leafminer left its arsenal staging server (hosted at the compromised domain e-qht.az) publicly accessible via a web shell. This single failure gave Symantec complete visibility into the group's tool library, the Farsi-language target list of 809 organizations, internal log files revealing victim telemetry, and infrastructure that enabled correlation of the group's malware detections across the region. The MagicCoder web shell author handle, linking to Iranian forums, provided the attribution thread that connected the group to Iran.

Target Profile

Leafminer's targeting scope is what primarily distinguishes it from other Iranian APT actors. Where groups like APT33 or APT34 maintain curated target lists, Leafminer's 809-organization scan list suggests broad opportunistic reconnaissance followed by selective active exploitation. Approximately half of all targets fell across the first three verticals listed below.

  • Government and public sector: National and local government organizations across Saudi Arabia, Kuwait, UAE, Qatar, Bahrain, and Israel. Leafminer compromised at least one Lebanese intelligence agency website, infecting it with malware to target local visitors — a watering hole operation against an intelligence target.
  • Financial institutions: Banks and financial services firms across the Gulf region. Leafminer's post-compromise toolkit indicated interest in email data and database content, suggesting credential and financial intelligence collection.
  • Petrochemical and energy: Oil, gas, and petrochemical organizations are a consistent priority. The sector is economically and geopolitically sensitive across all Gulf states and represents Iran's primary economic competitor and target of regional rivalry.
  • Telecommunications and transportation: Additional sectors on the target list, consistent with broad signals intelligence collection rather than a narrow operational objective.
  • US electric utility sector (via RASPITE designation): Dragos documented Leafminer/RASPITE conducting initial access operations at US electric utilities — a significant geographic expansion and sector shift that introduced ICS concerns. Dragos explicitly noted the group had not demonstrated ICS-specific destructive capability, but characterized the operations as consistent with pre-positioning for potential future ICS events.

Tactics, Techniques & Procedures

Leafminer's operational approach reflects a group actively studying and adapting the work of others. Its TTPs span three documented initial access vectors, a multi-stage post-compromise toolkit, and evasion techniques borrowed from the security research community.

MITRE ATT&CK technique mapping (ID, technique, description):

  • T1189 Drive-by Compromise — Watering Hole: Leafminer compromised websites frequented by its target organizations and injected content that prompted SMB connections, harvesting Windows NTLMv2 credentials from visiting employees. This technique was directly borrowed from Dragonfly's 2017 campaigns. A Lebanese intelligence agency website was confirmed compromised and used as a watering hole.
  • T1190 Exploit Public-Facing Application: Vulnerability scans were conducted against 809 organizations' internet-facing network services. The group scanned for Heartbleed (CVE-2014-0160) using a custom Python script and adapted EternalBlue (from the Shadow Brokers' Fuzzbunch leak) for SMB exploitation against internal staging servers after initial network access.
  • T1110 Brute Force — Password Spraying: Dictionary and brute-force attacks against network service logins (including RDP, VPN, and email services) served as a third initial access vector alongside watering holes and vulnerability scanning. The group used a tool called Total SMB BruteForcer for internal lateral movement password spraying after gaining initial access.
  • T1055.013 Process Injection — Process Doppelgänging: Leafminer adopted Process Doppelgänging — a fileless code injection technique first publicly disclosed at Black Hat Europe 2017 — to inject payloads including a modified Mimikatz into the memory of legitimate Windows processes. The technique exploits NTFS transactions and the Windows process loader to execute malicious code without writing files to disk, defeating file-based AV detection.
  • T1543.003 Create or Modify System Process: Windows Service: Both Trojan.Imecab and Backdoor.Sorgu install themselves as Windows services for persistence. Imecab specifically installs as a service to ensure its hardcoded-password guest account remains active across reboots. RASPITE-observed campaigns deployed malicious service install scripts that beaconed back to attacker infrastructure for remote access.
  • T1021.002 Remote Services: SMB/Windows Admin Shares: EternalBlue is used from attacker-controlled staging servers for lateral movement within networks after initial access. The group embedded SMB connection prompts in watering hole pages and used Total SMB BruteForcer for internal credential spraying against SMB targets.
  • T1003 OS Credential Dumping: A modified and rebranded version of Mimikatz was included in the group's toolkit for credential harvesting from compromised systems. Deployment was facilitated via the Process Doppelgänging injection method rather than direct execution, evading behavioral detection.
  • T1114 Email Collection: Post-compromise activity consistently targeted email servers and data. The group's interest in email content across government, financial, and petrochemical targets suggests signals intelligence collection as the primary objective of confirmed intrusions.

Known Campaigns

Middle East Broad Reconnaissance and Espionage Campaign (Early 2017 — Mid-2018)

Leafminer's primary documented campaign, spanning at least 18 months before Symantec's public disclosure in July 2018. The group conducted vulnerability scans against 809 organizations across Saudi Arabia, UAE, Kuwait, Israel, Qatar, Bahrain, Egypt, and Afghanistan, with confirmed malware infections on 44 systems across Saudi Arabia, Kuwait, Lebanon, and Israel. Watering hole attacks compromised multiple websites — including a Lebanese intelligence agency site — to harvest Windows credentials from visitors. The campaign sought email data, files, and database content across government, financial, and petrochemical targets.

Lebanese Intelligence Agency Watering Hole (2017 — 2018)

Leafminer compromised a website belonging to a Lebanese intelligence organization and infected it with malware designed to infiltrate the systems of visiting users. This operation is notable both for the sensitivity of the target — an intelligence service — and for the watering hole technique, which the group directly copied from Dragonfly's 2017 campaigns. The compromise allowed Leafminer to harvest Windows credentials from employees and contractors visiting the site.

US Electric Utility Initial Access Operations (RASPITE) (2018)

Dragos documented Leafminer/RASPITE conducting strategic website compromise operations against US electric utility organizations, embedding SMB connection prompts to harvest Windows credentials from utility sector employees. The group then deployed malicious service install scripts to establish persistent remote access on compromised machines beaconing to RASPITE-controlled infrastructure. Dragos noted that while the group was clearly targeting ICS-operating entities, it had not demonstrated destructive ICS capability — but characterized the activity as consistent with preparing for potential future ICS operations.

Arsenal Server Exposure — The OPSEC Failure That Defined the Group (2018)

The defining event in Leafminer's documented history. The group's staging server at the compromised domain e-qht.az was left publicly accessible via a PhpSpy-based web shell authored by the MagicCoder handle. Symantec researchers discovered the server while investigating malware detections, finding the group's complete tool library, internal log files, and the 809-organization Farsi-language target list. Researching MagicCoder led to the Iranian hacking forum Ashiyane and the Sun Army hacker group, providing attribution indicators. The exposure gave Symantec complete visibility into the group's operations without requiring any active countermeasures.

Tools & Infrastructure

Leafminer's tool library blends custom-developed malware with heavily borrowed public tools and exploits. The group's preference for adapting others' work is consistent across both its malware and its operational techniques.

  • Trojan.Imecab: Custom malware developed by Leafminer. Creates a persistent remote access account on the target machine with a hardcoded password. Installs as a Windows service (sometimes using the filename guester.exe, referencing its "guest account" functionality) to maintain access across reboots. Written to require the .NET framework, which the group installs on compromised machines if not present.
  • Backdoor.Sorgu: Custom backdoor providing general remote access to compromised machines. Installed as a Windows service via a shell command script. Provides operators a persistent channel for command-and-control and file operations.
  • Modified Mimikatz: A rebranded version of the standard Mimikatz credential dumping tool, deployed via Process Doppelgänging to evade behavioral detection. Used to harvest Windows credentials from compromised systems.
  • Fuzzbunch / EternalBlue (Shadow Brokers): The group adopted the Fuzzbunch framework from the 2017 Shadow Brokers leak and developed custom exploit payloads for its SMB vulnerability targets. EternalBlue is used for lateral movement between systems within already-compromised networks. Custom reflective loader DLLs were developed as payloads for the Fuzzbunch framework.
  • Total SMB BruteForcer: A dedicated tool used for internal password spraying against SMB services following initial network access. Documented by MITRE ATT&CK as a confirmed Leafminer tool.
  • PhpSpy / MagicCoder Web Shell: The web shell used to manage the group's compromised staging server. A modified version of the public PhpSpy backdoor, authored by the MagicCoder handle linking to Iranian hacking forums. Its public accessibility on the staging server was the primary OPSEC failure that enabled Symantec's full campaign reconstruction.
  • Python Heartbleed Scanner: A custom Python script used to scan for systems vulnerable to CVE-2014-0160 (Heartbleed), demonstrating the group's practice of deploying known vulnerability checks across its target list.
  • Infrastructure: Compromised third-party web servers used both for watering hole attacks and as staging/distribution infrastructure. The e-qht.az domain was the primary documented staging server. RASPITE-attributed campaigns used dedicated attacker-controlled infrastructure for C2 beacon reception.

Indicators of Compromise

Indicators from Symantec's July 2018 Leafminer investigation. Leafminer rotates infrastructure across compromised third-party servers. Cross-reference with live Symantec (Broadcom) and Dragos threat intelligence feeds for current operational indicators.

infrastructure note

Leafminer relies primarily on compromised third-party web servers for staging and distribution rather than purpose-built attacker infrastructure. This makes domain-based blocking less effective — the malicious activity will appear to originate from legitimate compromised sites. Network-level monitoring for the behavioral patterns below is more reliable for detection.

indicators of compromise — behavioral and structural (2018)

  • staging domain: e-qht.az — compromised domain hosting Leafminer arsenal, payloads, and tool distribution server (publicly accessible via PhpSpy web shell at time of discovery)
  • web shell: Modified PhpSpy backdoor authored by "MagicCoder" handle — linked to Ashiyane Iranian hacking forum and Sun Army hacker group; domain magiccoder.ir (deleted)
  • malware: Trojan.Imecab — Windows service persistence; hardcoded-password guest account creation; .NET dependency; filename variants include guester.exe
  • malware: Backdoor.Sorgu — Windows service backdoor installed via shell command script; provides remote access channel
  • behavioral: Outbound SMB connection attempts triggered from web browser on visiting a compromised website — Leafminer watering hole credential harvesting indicator
  • behavioral: Process Doppelgänging injection: NTFS transaction abuse creating suspended processes with replaced memory — used to deploy Mimikatz without file writes
  • behavioral: .NET framework installation on compromised machines via hosted Microsoft .NET Framework 2.0 SP2 setup executable — indicator of Leafminer tooling preparation
  • cve: CVE-2014-0160 (Heartbleed) scanning — Python-based scanner hosted on arsenal server; CVE-2017-0144 (EternalBlue) used for lateral SMB movement

Mitigation & Defense

Leafminer's reliance on known, publicly available techniques means that standard defensive controls — if properly implemented — are effective against its documented TTPs. Organizations in the target verticals (government, finance, energy, petrochemical) in the Middle East and US electric utility operators should treat Leafminer/RASPITE as an active risk.

  • Patch Known Vulnerabilities — Especially Legacy CVEs: Leafminer actively scans for Heartbleed (CVE-2014-0160, 2014) and uses EternalBlue (CVE-2017-0144). Both are years old and fully patched. Audit your environment for any remaining unpatched instances. Organizations running legacy systems that cannot be patched should isolate them from internet-exposed services. A basic vulnerability scan of internet-facing services would detect and close these attack surfaces.
  • Block Outbound SMB at the Network Perimeter: Leafminer's watering hole technique depends on victims' browsers making outbound SMB connections to attacker-controlled infrastructure when visiting compromised sites. Blocking outbound SMB (TCP 445, UDP 137/138, TCP 139) at the network boundary eliminates this initial credential harvesting vector entirely.
  • Restrict and Monitor NTLMv2 Authentication: The watering hole and RASPITE methods harvest Windows NTLMv2 hashes via forced SMB connections. Where possible, disable NTLMv2 in favor of Kerberos. At minimum, configure systems to send only NTLMv2 responses (not LM or NTLMv1). Monitor for NTLMv2 authentication events involving unexpected external IP addresses.
  • Disable Unnecessary Windows Services and Monitor Service Creation: Leafminer's custom malware (Imecab, Sorgu) and RASPITE's malicious install scripts persist via Windows service creation. Alert on new Windows service installations, particularly those installed via command line or shell scripts outside of normal software deployment cycles.
  • Process Injection Detection: Process Doppelgänging exploits NTFS transactions to inject code into legitimate processes without file writes. Behavioral EDR solutions that monitor process memory manipulation — specifically the creation of suspended processes followed by memory modification before resumption — can detect this technique even when file-based AV is bypassed. Standard AV is not sufficient against this evasion method.
  • Web Content Filtering and Safe Browsing: Watering hole attacks against employees visiting industry-specific websites are a primary Leafminer initial access vector. DNS filtering and web proxy solutions that block known malicious or compromised sites reduce exposure. Disable unnecessary network protocols (SMB, WebDAV) for browser processes via application firewall policies where feasible.
  • ICS Network Segmentation (for US Utilities): RASPITE has been documented conducting initial access operations in US electric utility IT networks with potential ICS pre-positioning goals. Rigorous IT/OT network segmentation, with strict controls on any traffic crossing the boundary, is the foundational control. Monitor for reconnaissance activity (port scans, service enumeration) against ICS-adjacent IT systems.
  • Credential Hygiene and Password Length: Leafminer uses brute-force and dictionary attacks as a third initial access vector. Enforce minimum 14-character passwords for all network services. Implement account lockout policies on internet-facing services. Disable default or generic credentials on all network-accessible systems.
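As an added illustration (not code from this profile, Symantec or Dragos), the Python below turns two of the behavioral indicators and mitigations above, SMB connections leaving the perimeter and Windows service installs via scripts or from untrusted paths, into detection rules run over constructed sample events. The event shapes, the internal address ranges, the browser list and the untrusted-directory list are assumptions a real deployment would replace with its own telemetry schema and address plan.

```python
import ipaddress
import ntpath

# Constructed sample telemetry (not real logs), shaped loosely after Sysmon
# Event ID 3 (network connection) and System Event ID 7045 (service install).
SAMPLE_EVENTS = [
    {"id": 3, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst_ip": "203.0.113.45", "dst_port": 445},
    {"id": 3, "image": r"C:\Windows\System32\svchost.exe",
     "dst_ip": "10.20.0.5", "dst_port": 445},
    {"id": 3, "image": r"C:\Windows\System32\lsass.exe",
     "dst_ip": "198.51.100.9", "dst_port": 139},
    {"id": 7045, "service": "Guester", "path": r"C:\Users\Public\guester.exe"},
    {"id": 7045, "service": "SorguSvc",
     "path": r"cmd.exe /c C:\ProgramData\install.cmd"},
    {"id": 7045, "service": "AcmeAgent", "path": r"C:\Program Files\Acme\agent.exe"},
]

# Assumed internal address plan; a real deployment substitutes its own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}
SMB_PORTS = {137, 138, 139, 445}
KNOWN_BAD_NAMES = {"guester.exe"}  # file name the profile ties to Trojan.Imecab
SCRIPT_LAUNCHERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
UNTRUSTED_DIRS = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

def is_external(ip):
    """True when the address lies outside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def check_network(ev):
    """Watering-hole indicator: SMB leaving the perimeter; browsers rank highest."""
    if ev["dst_port"] not in SMB_PORTS or not is_external(ev["dst_ip"]):
        return None
    proc = ntpath.basename(ev["image"]).lower()
    return {"rule": "outbound_smb",
            "severity": "high" if proc in BROWSERS else "medium",
            "detail": f"{proc} -> {ev['dst_ip']}:{ev['dst_port']}"}

def check_service(ev):
    """Persistence indicator: service installed via a script interpreter,
    from a user-writable directory, or under a known Imecab file name."""
    tokens = ev["path"].split()  # simple split; real ImagePath values may be quoted
    launcher = ntpath.basename(tokens[0]).lower()
    target = ntpath.basename(tokens[-1]).lower()
    reasons = []
    if target in KNOWN_BAD_NAMES:
        reasons.append("known Imecab file name")
    if launcher in SCRIPT_LAUNCHERS or target.endswith((".cmd", ".bat", ".ps1")):
        reasons.append("installed via shell/script")
    if any(d in ev["path"].lower() for d in UNTRUSTED_DIRS):
        reasons.append("binary in user-writable directory")
    if not reasons:
        return None
    return {"rule": "service_install", "severity": "high",
            "detail": f"{ev['service']}: {'; '.join(reasons)}"}

def scan(events):
    """Run both rules over the event stream; return the alerts raised, in order."""
    rules = {3: check_network, 7045: check_service}
    hits = (rules[ev["id"]](ev) for ev in events if ev["id"] in rules)
    return [h for h in hits if h]
```

Running `scan(SAMPLE_EVENTS)` raises four alerts: the browser-originated SMB connection (high), the non-browser SMB connection to an external host (medium), and both script-installed or untrusted-path services; the svchost connection to an internal address and the Program Files service are left alone.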

Sources & Further Reading

Attribution and references used to build this profile.

— end of profile — leafminer — last updated 2025-03-27