Cleaver is a threat group that has been attributed to Iranian actors and is responsible for activity tracked as Operation Cleaver. [1] Strong circumstantial evidence suggests Cleaver is linked to Threat Group 2889 (TG-2889). [2]

ID: G0003
Version: 1.0

Associated Group Descriptions

Threat Group 2889[2]

Techniques Used

PRE-ATT&CKT1341Build social network personaCleaver created fake LinkedIn profiles.[2]
PRE-ATT&CKT1345Create custom payloadsCleaver has created customized tools and payloads for functions including ARP poisoning, encryption, credential dumping, ASP.NET shells, web backdoors, process enumeration, WMI querying, HTTP and SMB communications, network interface sniffing, and keystroke logging.[1]
PRE-ATT&CKT1342Develop social network persona digital footprintCleaver fake personas included profile photos, details, and network connections.[2]
PRE-ATT&CKT1313Obfuscation or cryptographyCleaver has used zhCat to encrypt traffic or use inline obfuscation to make detection more difficult. zhCat makes message traffic look benign.[1]
EnterpriseT1003Credential DumpingCleaver has been known to dump credentials.[1]


S0002Mimikatz[1]Account Manipulation, Credential Dumping, Credentials in Files, DCShadow, Pass the Hash, Pass the Ticket, Private Keys, Security Support Provider, SID-History Injection
S0056Net Crawler[1]Brute Force, Credential Dumping, Service Execution, Windows Admin Shares
S0029PsExec[1]Service Execution, Windows Admin Shares
S0004TinyZBot[1]Clipboard Data, Command-Line Interface, Disabling Security Tools, Input Capture, New Service, Registry Run Keys / Startup Folder, Screen Capture, Shortcut Modification