Clankerusecase
Threat-actor profile

🌐Cleaver

🌐 Cleaver is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: Unknown. We map 14 detection use cases to this actor across 5 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

14 Use cases
0 Articles
5 Techniques
0 IOCs

About this actor (MITRE)

[Cleaver](https://attack.mitre.org/groups/G0003) is a threat group that has been attributed to Iranian actors and is responsible for activity tracked as Operation Cleaver. (Citation: Cylance Cleaver) Strong circumstantial evidence suggests Cleaver is linked to Threat Group 2889 (TG-2889). (Citation: Dell Threat Group 2889)

Known aliases

Cleaver, Threat Group 2889, TG-2889

Top techniques

All other tracked techniques

Detection use cases (14)

- Cleaver / TG-2889 'Net Crawler' propagation: PsExec → LSASS credential dumper chain (AI · profile SΣ)
- Cleaver tooling artefacts: Jasus ARP poisoner, TinyZBot, and WCE on-disk drops (AI · profile SΣ)
- LSASS process access / dump (credential theft) (MITRE match)
- Access LSASS Memory for Dump Creation (MITRE match)
- Cisco Secure Firewall - Connection to File Sharing Domain (MITRE match)
- Cisco Secure Firewall - Possibly Compromised Host (MITRE match)
- Create Remote Thread into LSASS (MITRE match)
- Creation of lsass Dump with Taskmgr (MITRE match)
- Detect ARP Poisoning (MITRE match)
- Detect Credential Dumping through LSASS access (MITRE match)
- Detect IPv6 Network Infrastructure Threats (MITRE match)
- Detect Port Security Violation (MITRE match)
- Dump LSASS via comsvcs DLL (MITRE match)
- Windows NirSoft AdvancedRun (MITRE match)