MalwareUsed by 1 actor

Total SMB BruteForcer

Total SMB BruteForcer is a credential attack tool used for internal password spraying over SMB. The provided content specifically associates it with Leafminer (G0077), which used the tool to perform internal password spraying in victim environments. Based on the available information, its documented capability is SMB-focused password spraying to obtain valid credentials for lateral movement or broader access within internal networks. No additional infection vector, malware persistence behavior, targeted industries, or specific indicators of compromise are provided in the source content.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

Leafminer

Leafminer used a tool called Total SMB BruteForcer to perform internal password spraying.

via mitre attackattack.mitre.org

MITRE ATT&CK

Techniques & procedures

1 distinct technique documented for this family, organized by ATT&CK tactic.

Credential Access

1 technique

T1110.003Password SprayingEvidence1

TacticCredential Access

“Agrius engaged in password spraying via SMB in victim environments… APT28 has used a brute-force/password-spray tooling… has also used a Kubernetes cluster to conduct distributed, large-scale password spray attacks… performed password-spray attacks against public facing services… APT29 has conducted brute force password spray attacks… APT33 has used password spraying… Chimera has used multiple password spraying attacks… Ember Bear has conducted password spraying against Outlook Web Access (OWA)… HAFNIUM has gained initial access through password spray attacks… HEXANE has used password spraying… Leafminer used… Total SMB BruteForcer to perform internal password spraying… MailSniper can be used for password spraying against Exchange and Office 365… Silent Librarian… password spraying attacks…”

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

mitre attackNews

Jan 25, 2026

Brute Force: Password Spraying, Sub-technique T1110.003 - Enterprise | MITRE ATT&CK®

SMB-focused brute force/password spraying tool used to attempt internal credential validation against SMB services.

mitre attackNews

Mar 18, 2026

Brute Force: Password Spraying, Sub-technique T1110.003 - Enterprise | MITRE ATT&CK®

Tool used to conduct SMB password spraying/brute force attempts to obtain valid credentials inside victim networks.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping1

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.