{ "id": "6c886f37-776b-4706-92d5-f5cb10186d2a", "created_at": "2026-04-06T00:14:46.271652Z", "updated_at": "2026-04-10T03:36:27.573578Z", "deleted_at": null, "sha1_hash": "6fe9b74cc2aa8aa7d37283456094cc1a4895e2ab", "title": "Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 73515, "plain_text": "Leafminer: New Espionage Campaigns Targeting Middle Eastern\r\nRegions\r\nBy About the Author\r\nArchived: 2026-04-05 15:28:55 UTC\r\nSymantec has uncovered the operations of a threat actor named Leafminer that is targeting a broad list of\r\ngovernment organizations and business verticals in various regions in the Middle East since at least early 2017.\r\nThe group tends to adapt publicly available techniques and tools for their attacks and experiments with published\r\nproof-of-concept exploits. Leafminer attempts to infiltrate target networks through various means of intrusion:\r\nwatering hole websites, vulnerability scans of network services on the internet, and brute-force/dictionary login\r\nattempts. The actor’s post-compromise toolkit suggests that the group is looking for email data, files, and database\r\nservers on compromised target systems.\r\nFigure 1. Leafminer targeting organizations in Middle East region\r\nFigure 1. Leafminer targeting organizations in Middle East region\r\nLeafminer’s arsenal\r\nDuring our investigation, there was a breakthrough discovery that helped connect Leafminer to a number of\r\nattacks observed on systems in the Middle East and identify the toolkit used in the group’s efforts of intrusion,\r\nlateral movement, and exfiltration. The download URL for a malware payload used in one of the attacks lead to\r\nthe identification of a compromised web server on the domain e-qht.az that had been used to distribute\r\nLeafminer’s arsenal of malware, payloads, and tools within the group and make them available for download from\r\nvictim machines.\r\nAs of early June 2018, the server hosted 112 files in a subdirectory that could be accessed through a public web\r\nshell planted by the attackers. In addition to malware and tools, the served files also included uploads of log files\r\nseemingly originating from vulnerability scans and post-compromise tools.\r\nThe web shell is a modification of the PhpSpy backdoor and references the author MagicCoder while linking to\r\nthe (deleted) domain magiccoder.ir. Researching the hacker handle MagicCoder results in references to the Iranian\r\nhacking forum Ashiyane as well as defacements by the Iranian hacker group Sun Army.\r\nTargets\r\nDuring the investigation of the Leafminer group, we were able to assemble a targeting profile from different\r\nsources including telemetry and log files hosted publicly on the attacker’s arsenal server.\r\nOne interesting source of target information discovered during the Leafminer investigation was a list of\r\n809 targets used by the attackers for vulnerability scans.\r\nhttps://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east\r\nPage 1 of 7\n\nSymantec detection telemetry shows malware and custom tools used by Leafminer on 44 systems across four\r\nregions in the Middle East.\r\nFigure 2. Infected computers per region\r\nFigure 2. Infected computers per region\r\nOne interesting source of target information discovered during the Leafminer investigation was a list of 809\r\ntargets used by the attackers for vulnerability scans. The list is written in the Iranian language Farsi and groups\r\neach entry with organization of interest by geography and industry. Figure 3 shows a breakdown of the industry\r\nverticals. Targeted regions included in the list are Saudi Arabia, United Arab Emirates, Qatar, Kuwait, Bahrain,\r\nEgypt, Israel, and Afghanistan.\r\nFigure 3. Industry verticals targeted by Leafminer\r\nFigure 3. Industry verticals targeted by Leafminer\r\nIntrusion\r\nWe observed three main techniques used by Leafminer for initial intrusion of target networks:\r\nCompromised web servers used for watering hole attacks\r\nScans/exploits for vulnerabilities of network services\r\nDictionary attacks against logins of network services\r\nThere are indicators that suggest the attackers have also employed email phishing with malicious attachment files.\r\nHowever, this was not directly observed or captured.\r\nWatering hole SMB credential theft\r\nOur investigation of Leafminer started with the discovery of JavaScript code on several compromised websites in\r\nthe Middle East. The obfuscated code was planted by the attackers to steal SMB credential hashes that could\r\nsubsequently be brute-forced offline.\r\nWhen executing the code, the browser creates an invisible image tag and sets the URL to an attack server using\r\nthe file:// protocol scheme. On Windows machines, this triggers a request to a remote server via the Samba\r\nnetworking protocol (SMB) that also transmits the user’s login NTLM hash. These hashes can be cracked to\r\nretrieve the original login password by methods of brute-force, dictionary, or rainbow table lookups.\r\nTable 1 shows an overview of the compromised websites used as watering holes, infected JavaScript URLs, and\r\nSMB URLs used to collect NTLM hashes.\r\nTable 1. Watering hole website details\r\nTable 1. Watering hole website details\r\nInterestingly, the same technique was also observed in watering hole attacks by the threat actor Dragonfly in 2017\r\nas reported by Symantec.\r\nhttps://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east\r\nPage 2 of 7\n\nVulnerability scans and exploitation\r\nAs previously mentioned, Leafminer seems to be actively following developments and publications of the\r\noffensive security community when selecting their toolkit. This became especially apparent when analyzing the\r\ngroup’s techniques and tools for vulnerability scans and exploitation. The compromised web server used to store\r\nLeafminer’s arsenal hosted several public proof-of-concept exploits and exploitation tools.\r\nThis included the Fuzzbunch framework that was part of an infamous leak of exploits and tools by the Shadow\r\nBrokers in April 2017. Leafminer has developed exploit payloads for this framework (Table 2) that deliver custom\r\nmalware through attacks against SMB vulnerabilities described by Microsoft. The EternalBlue exploit from the\r\nframework received worldwide attention after being used in the ransomware campaigns WannaCry in May and\r\nPetya/NotPetya in June 2017. The Leafminer operators use EternalBlue to attempt lateral movement within target\r\nnetworks from compromised staging servers.\r\nSymantec also observed attempts by Leafminer to scan for the Heartbleed vulnerability (CVE-2014-0160) from an\r\nattacker-controlled IP address. Furthermore, the Leafminer arsenal server hosted a Python script to scan for this\r\nvulnerability.\r\nDictionary attacks\r\nAnother intrusion approach used by Leafminer seems a lot less sophisticated than the previously described\r\nmethods but can be just as effective: using specific hacktools to guess the login passwords for services exposed by\r\na targeted system. This type of attack was observed both via dedicated servers set up by Leafminer as well as\r\nstaging servers compromised by the group.\r\nCommands found in a readme text that was stored in a ZIP archive together with the hacktool THC Hydra in\r\nLeafminer’s tool arsenal represent online dictionary attacks on Microsoft Exchange and Remote Desktop Protocol\r\nservices of regional government servers in Saudi Arabia. \"Online\" in this case refers to the attacker using the\r\nprotocol of the targeted network service to quickly run through many password guesses.\r\nCustom malware\r\nSymantec identified two strains of custom malware used by the Leafminer group: Trojan.Imecab and\r\nBackdoor.Sorgu. Directly connected to this malware are several sets of reflective loader DLLs used as droppers or\r\nto execute specific commands on a compromised system.\r\nThe development of custom malware by Leafminer as well as some of the tools used for lateral movement show a\r\npreference for the .NET framework. We also observed that the attackers would download and install the .NET\r\nframework on compromised machines, supposedly in the situation that an operator would have remote access to\r\nthe system but required .NET to run Leafminer's custom tools. To this end, the command and control (C\u0026C)\r\nserver operated by the group hosted the legitimate setup executable for Microsoft .NET Framework 2.0 SP2.\r\nBackdoor.Sorgu\r\nhttps://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east\r\nPage 3 of 7\n\nBackdoor.Sorgu is used by the attackers to provide remote access to the infected machine. The backdoor is\r\ninstalled as a service in the Windows system through a shell command script.\r\nTrojan.Imecab\r\nThe purpose of Trojan.Imecab is to set up a persistent remote access account on the target machine with a\r\nhardcoded password. Variants of the malware were also observed with the filename guester.exe which likely refers\r\nto the functionality of adding a powerful guest account to the system.\r\nThe malware installs itself in the system as a Windows service to achieve persistence and ensure that the guest\r\naccount remains available to the attacker.\r\nReflective loader DLLs\r\nTable 2 gives an overview of the reflective loader DLLs and their purpose:\r\nTable 2. Reflective loader DLLs\r\nTable 2. Reflective loader DLLs\r\nThese DLLs were likely used as payloads for exploit shellcode of the Fuzzbunch framework, which is also\r\nevidenced by the embedded PDB strings.\r\nLateral movement and exfiltration\r\nThe discovery of malware and hacktools hosted on e-qht.az allowed us to correlate detection telemetry of potential\r\nLeafminer intrusions with tools made available for download to the group’s operators. Understanding the purpose\r\nof the tools used by the attacker gives a unique insight into the tactics and procedures used by Leafminer after the\r\ninitial compromise of a target network.\r\nTable 3 outlines the observed toolset for lateral movement, information gathering, and exfiltration.\r\nTable 3. Toolset for lateral movement, information gathering, and exfiltration\r\nTable 3. Toolset for lateral movement, information gathering, and exfiltration\r\nWe discovered a number of servers compromised by Leafminer that were used as staging systems to gain a\r\nfoothold in the targeted network and execute attacks on intranet resources. For example, the use of THC Hydra to\r\nexecute dictionary attacks against Exchange logins was observed both in initial intrusion attempts as well as in\r\nlateral attacks from staging systems.\r\nFigure 4 shows a screenshot of the Total SMB BruteForcer hacktool used by Leafminer for lateral movement. The\r\ntool requires input files with lists of IPs, users, and passwords respectively.\r\nFigure 4. Total SMB BruteForcer\r\nFigure 4. Total SMB BruteForcer\r\nThe arsenal server hosted five text files that could be used by Leafminer operators as input for dictionary attacks\r\nusing Total SMB Bruteforcer and THC Hydra.\r\nhttps://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east\r\nPage 4 of 7\n\nOrangeTeghal and Process Doppelgänging\r\nOne of the custom tools used by the Leafminer group is a rebranded version of the widespread post-exploitation\r\ntool Mimikatz.\r\nFigure 5. OrangeTeghal\r\nFigure 5. OrangeTeghal\r\nWhile the logo and commands are identical to the original hacktool, the name was changed to OrangeTeghal. To\r\nevade security software while deploying this tool on compromised systems, the attackers use a technique revealed\r\nat Black Hat EU ‘17 in the presentation Lost in Transaction: Process Doppelgänging. The malware file\r\norange64.exe is a .NET executable that drops and executes a PowerShell script with basic obfuscation. After\r\ndeobfuscation, this script closely resembles the code published by the authors of the technique. Process\r\nDoppelgänging uses NTFS transactions to modify the executable of a seemingly benign process that is suspended\r\nright after creation.\r\nAmbitions blunted by inexperience\r\nLeafminer is a highly active group, responsible for targeting a range of organizations across the Middle East. The\r\ngroup appears to be based in Iran and seems to be eager to learn from and capitalize on tools and techniques used\r\nby more advanced threat actors.\r\nOn a broad level, it has followed the recent trend among targeted attack groups for “living off the land”—using a\r\nmixture of publicly available tools alongside its own custom malware. More specifically, it mimicked Dragonfly’s\r\nuse of a watering hole to harvest network credentials. It also capitalized on the Shadow Brokers release of\r\nInception Framework tools, making use of the leaked Fuzzbunch framework by developing its own exploit\r\npayloads for it.\r\nLeafminer’s eagerness to learn from others suggests some inexperience on the part of the attackers, a\r\nconclusion that’s supported by the group’s poor operational security.\r\nLeafminer has also been tracking developments in the world of cyber security. After the Heartbleed bug was\r\ndisclosed it began scanning for instances of the vulnerability. It also utilized Process Doppelgänging, a detection\r\nevasion technique first discussed at the Black Hat EU conference last year.\r\nHowever, Leafminer’s eagerness to learn from others suggests some inexperience on the part of the attackers, a\r\nconclusion that’s supported by the group’s poor operational security. It made a major blunder in leaving a staging\r\nserver publicly accessible, exposing the group’s entire arsenal of tools. That one misstep provided us with a\r\nvaluable trove of intelligence to help us better defend our customers against further Leafminer attacks.\r\nProtection\r\nSymantec has the following protections in place to protect customers against Leafminer attacks:\r\nFile-based protection\r\nhttps://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east\r\nPage 5 of 7\n\nBackdoor.Sorgu\r\nTrojan.Imecab\r\nThreat intelligence\r\nCustomers of the DeepSight Intelligence Managed Adversary and Threat Intelligence (MATI) service have\r\nreceived intelligence that details the characteristics of the Leafminer cyber espionage group and methods of\r\ndetecting and thwarting activities of this adversary.\r\nBest Practices\r\nImportant passwords, such as those with high privileges, should be at least 8-10 characters long (and\r\npreferably longer) and include a mixture of letters and numbers. Encourage users to avoid reusing the same\r\npasswords on multiple websites and sharing passwords with others should be forbidden. Delete unused\r\ncredentials and profiles and limit the number of administrative-level profiles created. Employ two-factor\r\nauthentication (such as Symantec VIP) to provide an additional layer of security, preventing any stolen\r\ncredentials from being used by attackers.\r\nEmphasize multiple, overlapping, and mutually supportive defensive systems to guard against single point\r\nfailures in any specific technology or protection method. This should include the deployment of regularly\r\nupdated firewalls as well as gateway antivirus, intrusion detection or protection systems (IPS), website\r\nvulnerability with malware protection, and web security gateway solutions throughout the network.\r\nImplement and enforce a security policy whereby any sensitive data is encrypted at rest and in transit.\r\nEnsure that customer data is encrypted as well. This can help mitigate the damage of potential data leaks\r\nfrom within an organization.\r\nImplement SMB egress traffic filtering on perimeter devices to prevent SMB traffic leaving your network\r\nonto the internet.\r\nEducate employees on the dangers posed by spear-phishing emails, including exercising caution around\r\nemails from unfamiliar sources and opening attachments that haven’t been solicited. A full protection stack\r\nhelps to defend against emailed threats, including Symantec Email Security.cloud, which can block email-borne threats, and Symantec Endpoint Protection, which can block malware on the endpoint. Symantec\r\nMessaging Gateway’s Disarm technology can also protect computers from threats by removing malicious\r\ncontent from attached documents before they even reach the user.\r\nUnderstanding the tools, techniques, and procedures (TTP) of adversaries through services like DeepSight\r\nAdversary Intelligence fuels effective defense from advanced adversaries like Leafminer. Beyond technical\r\nunderstanding of the group, strategic intelligence that informs the motivation, capability, and likely next\r\nmoves of the adversaries ensures more timely and effective decisions in proactively safeguarding your\r\nenvironment from these threats.\r\nIOCs\r\nSymantec has also developed a list of Indicators of Compromise to assist in identifying Leafminer activity:\r\nhttps://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east\r\nPage 6 of 7\n\nSource: https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east\r\nhttps://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east\r\nPage 7 of 7", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA", "MITRE", "Malpedia" ], "references": [ "https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east" ], "report_names": [ "leafminer-espionage-middle-east" ], "threat_actors": [ { "id": "d90307b6-14a9-4d0b-9156-89e453d6eb13", "created_at": "2022-10-25T16:07:23.773944Z", "updated_at": "2026-04-10T02:00:04.746188Z", "deleted_at": null, "main_name": "Lead", "aliases": [ "Casper", "TG-3279" ], "source_name": "ETDA:Lead", "tools": [ "Agentemis", "BleDoor", "Cobalt Strike", "CobaltStrike", "RbDoor", "RibDoor", "Winnti", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "d4f7cf97-9c98-409c-8b95-b80d14c576a5", "created_at": "2022-10-25T16:07:24.561104Z", "updated_at": "2026-04-10T02:00:05.03343Z", "deleted_at": null, "main_name": "Shadow Brokers", "aliases": [], "source_name": "ETDA:Shadow Brokers", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "77b28afd-8187-4917-a453-1d5a279cb5e4", "created_at": "2022-10-25T15:50:23.768278Z", "updated_at": "2026-04-10T02:00:05.266635Z", "deleted_at": null, "main_name": "Inception", "aliases": [ "Inception Framework", "Cloud Atlas" ], "source_name": "MITRE:Inception", "tools": [ "PowerShower", "VBShower", "LaZagne" ], "source_id": "MITRE", "reports": null }, { "id": "81d49904-579d-45b3-ace2-1fdf0a713bc4", "created_at": "2022-10-25T15:50:23.331457Z", "updated_at": "2026-04-10T02:00:05.291098Z", "deleted_at": null, "main_name": "Leafminer", "aliases": [ "Leafminer", "Raspite" ], "source_name": "MITRE:Leafminer", "tools": [ "LaZagne", "Mimikatz", "MailSniper", "PsExec" ], "source_id": "MITRE", "reports": null }, { "id": "552eeef7-4a19-44de-9147-db8893c115ef", "created_at": "2023-01-06T13:46:38.598788Z", "updated_at": "2026-04-10T02:00:03.034846Z", "deleted_at": null, "main_name": "RASPITE", "aliases": [ "LeafMiner", "Raspite" ], "source_name": "MISPGALAXY:RASPITE", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "649b5b3e-b16e-44db-91bc-ae80b825050e", "created_at": "2022-10-25T15:50:23.290412Z", "updated_at": "2026-04-10T02:00:05.257022Z", "deleted_at": null, "main_name": "Dragonfly", "aliases": [ "TEMP.Isotope", "DYMALLOY", "Berserk Bear", "TG-4192", "Crouching Yeti", "IRON LIBERTY", "Energetic Bear", "Ghost Blizzard" ], "source_name": "MITRE:Dragonfly", "tools": [ "MCMD", "Impacket", "CrackMapExec", "Backdoor.Oldrea", "Mimikatz", "PsExec", "Trojan.Karagany", "netsh" ], "source_id": "MITRE", "reports": null }, { "id": "171b85f2-8f6f-46c0-92e0-c591f61ea167", "created_at": "2023-01-06T13:46:38.830188Z", "updated_at": "2026-04-10T02:00:03.114926Z", "deleted_at": null, "main_name": "The Shadow Brokers", "aliases": [ "Shadow Brokers", "ShadowBrokers", "The ShadowBrokers", "TSB" ], "source_name": "MISPGALAXY:The Shadow Brokers", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "1a76ed30-4daf-4817-98ae-87c667364464", "created_at": "2022-10-25T16:47:55.891029Z", "updated_at": "2026-04-10T02:00:03.646466Z", "deleted_at": null, "main_name": "IRON LIBERTY", "aliases": [ "ALLANITE ", "ATK6 ", "BROMINE ", "CASTLE ", "Crouching Yeti ", "DYMALLOY ", "Dragonfly ", "Energetic Bear / Berserk Bear ", "Ghost Blizzard ", "TEMP.Isotope ", "TG-4192 " ], "source_name": "Secureworks:IRON LIBERTY", "tools": [ "ClientX", "Ddex Loader", "Havex", "Karagany", "Loek", "MCMD", "Sysmain", "xfrost" ], "source_id": "Secureworks", "reports": null }, { "id": "04a7ebaa-ebb1-4971-b513-a0c86886d932", "created_at": "2023-01-06T13:46:38.784965Z", "updated_at": "2026-04-10T02:00:03.099088Z", "deleted_at": null, "main_name": "Inception Framework", "aliases": [ "Clean Ursa", "Cloud Atlas", "G0100", "ATK116", "Blue Odin" ], "source_name": "MISPGALAXY:Inception Framework", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad", "created_at": "2022-10-25T16:07:23.590051Z", "updated_at": "2026-04-10T02:00:04.679488Z", "deleted_at": null, "main_name": "Energetic Bear", "aliases": [ "ATK 6", "Blue Kraken", "Crouching Yeti", "Dragonfly", "Electrum", "Energetic Bear", "G0035", "Ghost Blizzard", "Group 24", "ITG15", "Iron Liberty", "Koala Team", "TG-4192" ], "source_name": "ETDA:Energetic Bear", "tools": [ "Backdoor.Oldrea", "CRASHOVERRIDE", "Commix", "CrackMapExec", "CrashOverride", "Dirsearch", "Dorshel", "Fertger", "Fuerboos", "Goodor", "Havex", "Havex RAT", "Hello EK", "Heriplor", "Impacket", "Industroyer", "Karagany", "Karagny", "LightsOut 2.0", "LightsOut EK", "Listrix", "Oldrea", "PEACEPIPE", "PHPMailer", "PsExec", "SMBTrap", "Subbrute", "Sublist3r", "Sysmain", "Trojan.Karagany", "WSO", "Webshell by Orb", "Win32/Industroyer", "Wpscan", "nmap", "sqlmap", "xFrost" ], "source_id": "ETDA", "reports": null }, { "id": "32c8c1a1-ae5c-4a05-a95d-2e970a46cd1e", "created_at": "2022-10-25T16:07:23.777999Z", "updated_at": "2026-04-10T02:00:04.747552Z", "deleted_at": null, "main_name": "Leafminer", "aliases": [ "Flash Kitten", "G0077", "Leafminer", "Raspite" ], "source_name": "ETDA:Leafminer", "tools": [ "Imecab", "LaZagne", "Mimikatz", "PhpSpy", "Sorgu" ], "source_id": "ETDA", "reports": null }, { "id": "02c9f3f6-5d10-456b-9e63-750286048149", "created_at": "2022-10-25T16:07:23.722884Z", "updated_at": "2026-04-10T02:00:04.72726Z", "deleted_at": null, "main_name": "Inception Framework", "aliases": [ "ATK 116", "Blue Odin", "Clean Ursa", "Cloud Atlas", "G0100", "Inception Framework", "Operation Cloud Atlas", "Operation RedOctober", "The Rocra" ], "source_name": "ETDA:Inception Framework", "tools": [ "Lastacloud", "PowerShower", "VBShower" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434486, "ts_updated_at": 1775792187, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/6fe9b74cc2aa8aa7d37283456094cc1a4895e2ab.pdf", "text": "https://archive.orkl.eu/6fe9b74cc2aa8aa7d37283456094cc1a4895e2ab.txt", "img": "https://archive.orkl.eu/6fe9b74cc2aa8aa7d37283456094cc1a4895e2ab.jpg" } }