Leafminer
RASPITE, also referred to as Leafminer, is a threat actor first identified by Dragos in 2018. According to the provided content, its activity has focused on initial access operations against the electric utility sector, particularly organizations with ICS environments, though Dragos noted it had not demonstrated an ICS-specific capability to date. The content also states that RASPITE targeted electric utilities in the United States and government entities in the Middle East, and that no new RASPITE activity had been identified since mid-2018. The aliases provided are RASPITE and Leafminer. Reported tradecraft includes use of watering holes for initial access, infection via JavaScript code, network service scanning to search for vulnerabilities, credential theft using tools such as LaZagne and Mimikatz, use of PsExec, mailbox searching with MailSniper, remote system information gathering with Microsoft Sysinternals tools, and persistence via a tool called Imecab to create a persistent remote access account on victim machines. The content also notes command obfuscation associated with Leafminer.
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Utilities
Where they target
Geographies tied to known operations.
- 🇺🇸 United States
- 🇸🇦 Saudi Arabia
- 🇯🇵 Japan
Tradecraft
33 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
Associated malware families
4 malware families attributed to this actor across reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Listed as a threat actor associated with the PowerShell P/Invoke process injection API chain detection and related ATT&CK techniques.
Referenced as a threat actor associated with the command obfuscation technique using environment variable substrings in Windows command lines.
Referenced in the detection annotations as a threat actor associated with reconnaissance/exploitation behavior relevant to Netspy-style network scanning.
Listed as a threat actor associated with the MMC/GrimResource detection analytic.
The version that knows your environment.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.