Clankerusecase
Threat-actor profile
 ← Back to main site
Home/ Threat Actors/ Leafminer

🌐Leafminer

🌐 Leafminer is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: Unknown. We map 14 detection use cases to this actor across 17 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

View full actor card → All threat actors MITRE ATT&CK group spec (G0077) ↗
14Use cases
0Articles
17Techniques
0IOCs

About this actor (MITRE)

[Leafminer](https://attack.mitre.org/groups/G0077) is an Iranian threat group that has targeted government organizations and business entities in the Middle East since at least early 2017. (Citation: Symantec Leafminer July 2018)

Known aliases

LeafminerRaspite

Top techniques

T1003.001 · LSASS MemoryT1003.004 · LSA SecretsT1003.005 · Cached Domain Credentials

All other tracked techniques

T1018 · Remote System DiscoveryT1027.010 · Command ObfuscationT1046 · Network Service DiscoveryT1055.013 · Process DoppelgängingT1059.007 · JavaScriptT1083 · File and Directory DiscoveryT1110.003 · Password SprayingT1114.002 · Remote Email CollectionT1136.001 · Local AccountT1189 · Drive-by CompromiseT1552.001 · Credentials In FilesT1555 · Credentials from Password StoresT1555.003 · Credentials from Web BrowsersT1588.002 · Tool

Detection use cases (14)

Leafminer (Raspite) MailSniper-style password spray against Exchange/OWA followed by successful logon AI · profile S Leafminer (Raspite) LaZagne / FireMalv credential harvesting on host AI · profile SΣ 1Password item exfiltration attempt MITRE match 1Password vault export attempted MITRE match Cross-category credential-store enumeration with rapid egress to anonymizing tunnel/CDN MITRE match Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress MITRE match Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes MITRE match npm/yarn/pnpm Install-Hook Spawn → Credential-Store Read or Worm-Payload Drop in node_modules MITRE match Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access MITRE match Package Manager Install Hook Spawns Scripting Interpreter Then Touches Credential Files or Egresses Off-Registry MITRE match Package-manager child process credential fan-out with public egress (Mini Shai-Hulud / TeamPCP worm chain) MITRE match Package-manager install hook spawns interpreter that beacons to non-registry host within 120s MITRE match Post-Auth Privilege Boundary Crossing on Edge/Management Appliances (low-priv -> admin within 10m) MITRE match Server / AI-agent process spawns shell or LOLBIN with public egress — post-RCE behavioural chain MITRE match