Cyber Threat Actor: Green Leakers
| Actor Type | Location | Known Incidents |
Activist
|
Iran
|
0 incidents |
|---|
Profile
Green Leakers is a threat actor that uses the alias Green Leakers and is believed to operate from Iran, as indicated in the available location information. The group first came to public attention when it claimed responsibility for a second leak of Iranian cyber‑espionage data that appeared on Telegram channels and Dark Web portals after an earlier leak by the pseudonym Lab Dookhtegam. In this leak Green Leakers shared images of the source code and backend interfaces of a command and control server associated with the MuddyWater APT, also known as Oilrig or APT34, and included unredacted IP addresses of some of MuddyWater’s victims. The leaked material did not contain malware source code but consisted of screenshots that purported to show operational details of the MuddyWater infrastructure. Security researchers from ClearSky Security and Minerva Labs examined the leaked images and confirmed their authenticity, lending credibility to the group’s claims. Green Leakers operated two Telegram channels and two distinct Dark Web sites where they offered the data for sale, choosing not to distribute any tools or code free of charge unlike the earlier Lab Dookhtegam release.
The group’s tactics involve acquiring and visualizing internal components of a target’s infrastructure, then disseminating those visuals through encrypted messaging platforms and hidden web services to monetize the information. By focusing on screenshots of C&C code and server backends rather than releasing executable malware, Green Leakers demonstrated a TTP centered on data exposure and resale rather than direct tool proliferation. Their activity is linked to the MuddyWater APT, as the leaked content specifically referenced that group’s infrastructure, and they have continued to maintain their Telegram and Dark Web channels for ongoing data distribution. No public attribution connects Green Leakers to a specific state sponsor or criminal consortium; the group remains self‑identified and has not been formally tied to any known Iranian governmental or private entity. The most notable operation attributed to Green Leakers is the MuddyWater leak, which exposed details of that APT’s command and control infrastructure and victim IP addresses, representing a significant public disclosure of Iranian cyber‑espionage assets. The group continues to use its established channels to share and sell similar information, maintaining a presence in the threat landscape without further publicly reported campaigns.
