Cleaver is a threat group that has been attributed to Iranian actors and is responsible for activity tracked as Operation Cleaver. [1] Strong circumstantial evidence suggests Cleaver is linked to Threat Group 2889 (TG-2889). [2]

ID: G0003
Associated Groups: Threat Group 2889, TG-2889
Version: 1.0
Created: 31 May 2017
Last Modified: 22 March 2019

Associated Group Descriptions

| Name | Description |
| --- | --- |
| Threat Group 2889 | [2] |
| TG-2889 | [2] |

Techniques Used

| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| PRE-ATT&CK | T1341 | Build social network persona | Cleaver created fake LinkedIn profiles.[2] |
| PRE-ATT&CK | T1345 | Create custom payloads | Cleaver has created customized tools and payloads for functions including ARP poisoning, encryption, credential dumping, ASP.NET shells, web backdoors, process enumeration, WMI querying, HTTP and SMB communications, network interface sniffing, and keystroke logging.[1] |
| PRE-ATT&CK | T1342 | Develop social network persona digital footprint | Cleaver's fake personas included profile photos, details, and network connections.[2] |
| PRE-ATT&CK | T1313 | Obfuscation or cryptography | Cleaver has used zhCat to encrypt traffic or apply inline obfuscation to make detection more difficult. zhCat makes message traffic look benign.[1] |
| Enterprise | T1003 | Credential Dumping | Cleaver has been known to dump credentials.[1] |


Software

| ID | Name | References | Techniques |
| --- | --- | --- | --- |
| S0002 | Mimikatz | [1] | Account Manipulation, Credential Dumping, Credentials in Files, DCShadow, Pass the Hash, Pass the Ticket, Private Keys, Security Support Provider, SID-History Injection |
| S0056 | Net Crawler | [1] | Brute Force, Credential Dumping, Service Execution, Windows Admin Shares |
| S0029 | PsExec | [1] | Service Execution, Windows Admin Shares |
| S0004 | TinyZBot | [1] | Clipboard Data, Command-Line Interface, Disabling Security Tools, Input Capture, New Service, Registry Run Keys / Startup Folder, Screen Capture, Shortcut Modification |