Threat Actor Profile
High APT
Description

Cleaver is a threat group that has been attributed to Iranian actors and is responsible for activity tracked as Operation Cleaver. (Citation: Cylance Cleaver) Strong circumstantial evidence suggests Cleaver is linked to Threat Group 2889 (TG-2889). (Citation: Dell Threat Group 2889)

Confidence Score
90%
Known Aliases
Cleaver Threat Group 2889 TG-2889
Tags
mitre-attack stix-2.1 intrusion-set
First Seen

Unknown

Last Updated

Unknown

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (5)
T1003.001 - LSASS Memory
Credential Access
T1557.002 - ARP Cache Poisoning
Credential Access
T1585.001 - Social Media Accounts
Resource Development
T1587.001 - Malware
Resource Development
T1588.002 - Tool
Resource Development
Indicators of Compromise

Loading IOCs…

IOC KQL for Sentinel
STIX Data 
{'aliases': ['Cleaver', 'Threat Group 2889', 'TG-2889'],
 'created': '2017-05-31T21:31:46.390Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': '[Cleaver](https://attack.mitre.org/groups/G0003) is a threat '
                'group that has been attributed to Iranian actors and is '
                'responsible for activity tracked as Operation Cleaver. '
                '(Citation: Cylance Cleaver) Strong circumstantial evidence '
                'suggests Cleaver is linked to Threat Group 2889 (TG-2889). '
                '(Citation: Dell Threat Group 2889)',
 'external_references': [{'external_id': 'G0003',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G0003'},
                         {'description': '(Citation: Cylance Cleaver)',
                          'source_name': 'Cleaver'},
                         {'description': '(Citation: Dell Threat Group 2889)',
                          'source_name': 'Threat Group 2889'},
                         {'description': '(Citation: Dell Threat Group 2889)',
                          'source_name': 'TG-2889'},
                         {'description': 'Cylance. (2014, December). Operation '
                                         'Cleaver. Retrieved September 14, '
                                         '2017.',
                          'source_name': 'Cylance Cleaver',
                          'url': 'https://web.archive.org/web/20200302085133/https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf'},
                         {'description': 'Dell SecureWorks. (2015, October 7). '
                                         'Suspected Iran-Based Hacker Group '
                                         'Creates Network of Fake LinkedIn '
                                         'Profiles. Retrieved January 14, '
                                         '2016.',
                          'source_name': 'Dell Threat Group 2889',
                          'url': 'http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/'}],
 'id': 'intrusion-set--8f5e8dc7-739d-4f5e-a8a1-a66e004d7063',
 'modified': '2025-04-16T20:37:38.869Z',
 'name': 'Cleaver',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'intrusion-set',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': False,
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_version': '1.3'}
Quick Actions
Related TTPs (5)
LSASS Memory
Credential Access
ARP Cache Poisoning
Credential Access
Social Media Accounts
Resource Development
Malware
Resource Development
Tool
Resource Development
Back to Threat Actors
Dashboard Home