{ "id": "8ded3e46-c481-4291-950d-c13f6b604464", "created_at": "2026-04-06T00:08:31.461539Z", "updated_at": "2026-04-10T03:36:24.645227Z", "deleted_at": null, "sha1_hash": "d049e3045a6b27980f889eb2466013a8c83e9ff9", "title": "Leafminer, Raspite - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 63094, "plain_text": "Leafminer, Raspite - Threat Group Cards: A Threat Actor\r\nEncyclopedia\r\nArchived: 2026-04-05 14:38:47 UTC\r\nHome \u003e List all groups \u003e Leafminer, Raspite\r\n APT group: Leafminer, Raspite\r\nNames\r\nLeafminer (Symantec)\r\nRaspite (Dragos)\r\nFlash Kitten (CrowdStrike)\r\nG0077 (MITRE)\r\nCountry Iran\r\nMotivation Information theft and espionage\r\nFirst seen 2017\r\nDescription\r\n(Symantec) Symantec has uncovered the operations of a threat actor named Leafminer\r\nthat is targeting a broad list of government organizations and business verticals in\r\nvarious regions in the Middle East since at least early 2017. The group tends to adapt\r\npublicly available techniques and tools for their attacks and experiments with published\r\nproof-of-concept exploits. Leafminer attempts to infiltrate target networks through\r\nvarious means of intrusion: watering hole websites, vulnerability scans of network\r\nservices on the internet, and brute-force/dictionary login attempts. The actor’s post-compromise toolkit suggests that the group is looking for email data, files, and database\r\nservers on compromised target systems.\r\n(Dragos) Analysis of Raspite tactics, techniques, and procedures (TTPs) indicate the\r\ngroup has been active in some form since early- to mid-2017. Raspite targeting includes\r\nentities in the US, Middle East, Europe, and East Asia. Operations against electric utility\r\norganizations appear limited to the US at this time.\r\nRaspite leverages strategic website compromise to gain initial access to target networks.\r\nRaspite uses the same methodology as Berserk Bear, Dragonfly 2.0 and Allanite in\r\nembedding a link to a resource to prompt an SMB connection, from which it harvests\r\nWindows credentials. The group then deploys install scripts for a malicious service to\r\nbeacon back to Raspite –controlled infrastructure, allowing the adversary to remotely\r\naccess the victim machine.\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=bde56229-34b6-4a33-b6c0-358d41416ee3\r\nPage 1 of 2\n\nObserved\nSectors: Energy, Financial, Government, Transportation.\nCountries: Israel, Kuwait, Lebanon, USA and Europe and East Asia.\nTools used Imecab, LaZagne, Mimikatz, PhpSpy, Sorgu.\nInformation\nMITRE ATT\u0026CK Last change to this card: 16 August 2025\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=bde56229-34b6-4a33-b6c0-358d41416ee3\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=bde56229-34b6-4a33-b6c0-358d41416ee3\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=bde56229-34b6-4a33-b6c0-358d41416ee3" ], "report_names": [ "showcard.cgi?u=bde56229-34b6-4a33-b6c0-358d41416ee3" ], "threat_actors": [ { "id": "81d49904-579d-45b3-ace2-1fdf0a713bc4", "created_at": "2022-10-25T15:50:23.331457Z", "updated_at": "2026-04-10T02:00:05.291098Z", "deleted_at": null, "main_name": "Leafminer", "aliases": [ "Leafminer", "Raspite" ], "source_name": "MITRE:Leafminer", "tools": [ "LaZagne", "Mimikatz", "MailSniper", "PsExec" ], "source_id": "MITRE", "reports": null }, { "id": "552eeef7-4a19-44de-9147-db8893c115ef", "created_at": "2023-01-06T13:46:38.598788Z", "updated_at": "2026-04-10T02:00:03.034846Z", "deleted_at": null, "main_name": "RASPITE", "aliases": [ "LeafMiner", "Raspite" ], "source_name": "MISPGALAXY:RASPITE", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "2b3e659a-10ca-4920-9e86-f6f68f5bb151", "created_at": "2023-01-06T13:46:38.910516Z", "updated_at": "2026-04-10T02:00:03.142598Z", "deleted_at": null, "main_name": "Flash Kitten", "aliases": [], "source_name": "MISPGALAXY:Flash Kitten", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "649b5b3e-b16e-44db-91bc-ae80b825050e", "created_at": "2022-10-25T15:50:23.290412Z", "updated_at": "2026-04-10T02:00:05.257022Z", "deleted_at": null, "main_name": "Dragonfly", "aliases": [ "TEMP.Isotope", "DYMALLOY", "Berserk Bear", "TG-4192", "Crouching Yeti", "IRON LIBERTY", "Energetic Bear", "Ghost Blizzard" ], "source_name": "MITRE:Dragonfly", "tools": [ "MCMD", "Impacket", "CrackMapExec", "Backdoor.Oldrea", "Mimikatz", "PsExec", "Trojan.Karagany", "netsh" ], "source_id": "MITRE", "reports": null }, { "id": "a792743d-78a4-40c9-9d9a-a12c52880297", "created_at": "2023-01-06T13:46:38.75457Z", "updated_at": "2026-04-10T02:00:03.089271Z", "deleted_at": null, "main_name": "ALLANITE", "aliases": [ "Palmetto Fusion", "Allanite" ], "source_name": "MISPGALAXY:ALLANITE", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "90307967-d5eb-4b7b-b8de-6fa2089a176e", "created_at": "2022-10-25T15:50:23.501119Z", "updated_at": "2026-04-10T02:00:05.347826Z", "deleted_at": null, "main_name": "Dragonfly 2.0", "aliases": [ "Dragonfly 2.0", "IRON LIBERTY", "DYMALLOY", "Berserk Bear" ], "source_name": "MITRE:Dragonfly 2.0", "tools": [ "netsh", "Impacket", "MCMD", "CrackMapExec", "Trojan.Karagany", "PsExec" ], "source_id": "MITRE", "reports": null }, { "id": "1a76ed30-4daf-4817-98ae-87c667364464", "created_at": "2022-10-25T16:47:55.891029Z", "updated_at": "2026-04-10T02:00:03.646466Z", "deleted_at": null, "main_name": "IRON LIBERTY", "aliases": [ "ALLANITE ", "ATK6 ", "BROMINE ", "CASTLE ", "Crouching Yeti ", "DYMALLOY ", "Dragonfly ", "Energetic Bear / Berserk Bear ", "Ghost Blizzard ", "TEMP.Isotope ", "TG-4192 " ], "source_name": "Secureworks:IRON LIBERTY", "tools": [ "ClientX", "Ddex Loader", "Havex", "Karagany", "Loek", "MCMD", "Sysmain", "xfrost" ], "source_id": "Secureworks", "reports": null }, { "id": "0a0132a3-526d-4698-be49-5e75530c1417", "created_at": "2022-10-25T15:50:23.856139Z", "updated_at": "2026-04-10T02:00:05.42054Z", "deleted_at": null, "main_name": "ALLANITE", "aliases": [ "ALLANITE", "Palmetto Fusion" ], "source_name": "MITRE:ALLANITE", "tools": null, "source_id": "MITRE", "reports": null }, { "id": "1c4281e9-0a4c-4f20-94a2-25ed3661cc98", "created_at": "2022-10-25T16:07:23.301826Z", "updated_at": "2026-04-10T02:00:04.529332Z", "deleted_at": null, "main_name": "Allanite", "aliases": [ "G1000", "Palmetto Fusion" ], "source_name": "ETDA:Allanite", "tools": [ "PsExec", "SecreetsDump", "THC Hydra" ], "source_id": "ETDA", "reports": null }, { "id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad", "created_at": "2022-10-25T16:07:23.590051Z", "updated_at": "2026-04-10T02:00:04.679488Z", "deleted_at": null, "main_name": "Energetic Bear", "aliases": [ "ATK 6", "Blue Kraken", "Crouching Yeti", "Dragonfly", "Electrum", "Energetic Bear", "G0035", "Ghost Blizzard", "Group 24", "ITG15", "Iron Liberty", "Koala Team", "TG-4192" ], "source_name": "ETDA:Energetic Bear", "tools": [ "Backdoor.Oldrea", "CRASHOVERRIDE", "Commix", "CrackMapExec", "CrashOverride", "Dirsearch", "Dorshel", "Fertger", "Fuerboos", "Goodor", "Havex", "Havex RAT", "Hello EK", "Heriplor", "Impacket", "Industroyer", "Karagany", "Karagny", "LightsOut 2.0", "LightsOut EK", "Listrix", "Oldrea", "PEACEPIPE", "PHPMailer", "PsExec", "SMBTrap", "Subbrute", "Sublist3r", "Sysmain", "Trojan.Karagany", "WSO", "Webshell by Orb", "Win32/Industroyer", "Wpscan", "nmap", "sqlmap", "xFrost" ], "source_id": "ETDA", "reports": null }, { "id": "5cbf6c32-482d-4cd2-9d11-0d9311acdc28", "created_at": "2023-01-06T13:46:38.39927Z", "updated_at": "2026-04-10T02:00:02.958273Z", "deleted_at": null, "main_name": "ENERGETIC BEAR", "aliases": [ "BERSERK BEAR", "ALLANITE", "Group 24", "Koala Team", "G0035", "ATK6", "ITG15", "DYMALLOY", "TG-4192", "Crouching Yeti", "Havex", "IRON LIBERTY", "Blue Kraken", "Ghost Blizzard" ], "source_name": "MISPGALAXY:ENERGETIC BEAR", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "32c8c1a1-ae5c-4a05-a95d-2e970a46cd1e", "created_at": "2022-10-25T16:07:23.777999Z", "updated_at": "2026-04-10T02:00:04.747552Z", "deleted_at": null, "main_name": "Leafminer", "aliases": [ "Flash Kitten", "G0077", "Leafminer", "Raspite" ], "source_name": "ETDA:Leafminer", "tools": [ "Imecab", "LaZagne", "Mimikatz", "PhpSpy", "Sorgu" ], "source_id": "ETDA", "reports": null }, { "id": "e2a4bc0b-6745-4e55-9d7c-3d169d70b025", "created_at": "2022-10-25T16:07:23.386907Z", "updated_at": "2026-04-10T02:00:04.576815Z", "deleted_at": null, "main_name": "Berserk Bear", "aliases": [ "Berserk Bear", "Dragonfly 2.0", "Dymalloy", "G0074" ], "source_name": "ETDA:Berserk Bear", "tools": [ "Fuerboos", "Goodor", "Impacket", "Karagany", "Karagny", "LOLBAS", "LOLBins", "Living off the Land", "Phishery", "Trojan.Karagany", "Trojan.Phisherly", "xFrost" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434111, "ts_updated_at": 1775792184, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/d049e3045a6b27980f889eb2466013a8c83e9ff9.pdf", "text": "https://archive.orkl.eu/d049e3045a6b27980f889eb2466013a8c83e9ff9.txt", "img": "https://archive.orkl.eu/d049e3045a6b27980f889eb2466013a8c83e9ff9.jpg" } }