Leafminer is an Iranian threat group that has targeted government organizations and business entities in the Middle East since at least early 2017. [1]

ID: G0077
Version: 2.0

Associated Group Descriptions


Techniques Used

Domain | ID | Name | Use
Enterprise | T1110 | Brute Force | Leafminer used a tool called BruteForcer to perform a brute force attack. [1]
Enterprise | T1136 | Create Account | Leafminer used a tool called Imecab to set up a persistent remote access account on the victim machine. [1]
Enterprise | T1003 | Credential Dumping | Leafminer used several tools for retrieving login and password information. [1]
Enterprise | T1189 | Drive-by Compromise | Leafminer has infected victims using watering holes. [1]
Enterprise | T1114 | Email Collection | Leafminer used a tool called MailSniper to search through the Exchange server mailboxes for keywords. [1]
Enterprise | T1083 | File and Directory Discovery | Leafminer used a tool called MailSniper to search for files on the desktop and another utility called Sobolsoft to extract attachments from EML files. [1]
Enterprise | T1046 | Network Service Scanning | Leafminer scanned network services to search for vulnerabilities in the victim system. [1]
Enterprise | T1027 | Obfuscated Files or Information | Leafminer obfuscated scripts that were used on victim machines. [1]
Enterprise | T1108 | Redundant Access | Leafminer used a tool called Imecab to set up a persistent remote access account on the victim machine. [1]
Enterprise | T1018 | Remote System Discovery | Leafminer used Microsoft’s Sysinternals tools to gather detailed information about remote systems. [1]
Enterprise | T1064 | Scripting | Leafminer infected victims using JavaScript code. [1]


ID | Name | References | Techniques
S0349 | LaZagne | [1] | Credential Dumping, Credentials in Files
S0002 | Mimikatz | [1] | Account Manipulation, Credential Dumping, Credentials in Files, DCShadow, Pass the Hash, Pass the Ticket, Private Keys, Security Support Provider, SID-History Injection
S0029 | PsExec | [1] | Service Execution, Windows Admin Shares