>samit_hota
Back to adversary profiles
G0003HighActive

Cleaver (G0003): Iranian APT Targeting Critical Infrastructure

Samit Hota·
Suspected Origin
Iran
Motivation
Espionage, Sabotage, Information Theft
Aliases
Threat Group 2889, TG-2889
Target Sectors
Military, Oil and Gas, Energy, Utilities, Transportation, Aviation, Healthcare, Telecommunications, Technology, Education, Aerospace, Defense, Financial, Government, Chemical
Associated Malware
Mimikatz, Windows Credential Editor, PsExec, Custom Tools (ARP poisoning, credential dumping, web backdoors, keyloggers)
#threat-actor#g0003

Overview

Cleaver, identified by MITRE ATT&CK as G0003 and also known by the aliases Threat Group 2889 (TG-2889) and Cutting Kitten, is a highly capable and persistent threat actor attributed to Iranian state-sponsored operations. This group has been active since at least 2012, primarily focusing on cyber espionage and potentially disruptive sabotage against critical infrastructure globally. Their operations are believed to originate from Tehran, Iran, though intelligence suggests auxiliary team members may be located in other countries such as the Netherlands, Canada, and the UK. The motivation behind Cleaver’s campaigns appears to be multi-faceted, encompassing information theft and espionage, with a clear capability and intent for sabotage and the potential physical destruction of control systems and networks. Some security researchers have speculated that their activities could be in retaliation for past cyber incidents affecting Iran, such as the Stuxnet worm.

Cleaver’s targeting is broad but strategically focused on high-value sectors critical to national economies and security. Their victimology spans military, oil and gas, energy and utilities, transportation, aviation, healthcare, telecommunications, technology, education, aerospace, the Defense Industrial Base (DIB), chemical companies, and governmental entities. Financial institutions, including major banks, have also been compromised. Geographically, Cleaver has demonstrated a global reach, impacting organizations in over 16 countries, including the United States, Israel, China, Saudi Arabia, India, Germany, France, England, Canada, Kuwait, Mexico, Pakistan, Qatar, South Korea, Turkey, and the United Arab Emirates.

Tactics & Techniques

Cleaver employs a range of sophisticated tactics, techniques, and procedures (TTPs) designed for initial access, persistence, privilege escalation, and lateral movement within compromised networks. A common initial access vector involves social engineering, particularly through the use of fake LinkedIn profiles. These convincing profiles, often forming a self-referenced network, are used to target individuals for cyber espionage, with researchers observing these tactics as recently as 2015. Spear-phishing campaigns are also a prominent method for gaining initial footholds. Once inside, Cleaver leverages techniques like SQL Injection and water-holing attacks to compromise networks.

For maintaining persistence and moving laterally, Cleaver has developed and utilized custom tools to facilitate ARP cache poisoning, allowing them to intercept network traffic. They are adept at credential dumping, using both custom capabilities and publicly available tools like Mimikatz and Windows Credential Editor to extract authentication material. The group has been observed deploying ASP.NET shells and various web backdoors, enabling remote access and control. Further internal reconnaissance and control are achieved through process enumeration, WMI querying, HTTP and SMB communications, network interface sniffing, and keystroke logging. The group also utilizes open-source tools such as PsExec for remote execution and has compromised VPN credentials to gain complete remote access and persistence within victim environments. Their ability to create customized tools and payloads helps them evade traditional security detections.

Notable Campaigns

The most widely reported and defining campaign attributed to this group is “Operation Cleaver.” First detailed in a comprehensive report by Cylance in late 2014, this operation highlighted a significant global surveillance and infiltration effort that had been ongoing for at least two years prior. The Cylance report, which was later tacitly acknowledged by the FBI, described over 50 entities across 16 countries as targets, specifically focusing on critical infrastructure sectors. The name “Operation Cleaver” itself refers to the frequent use of the word “cleaver” within the group’s malware coding.

Beyond the initial Operation Cleaver exposé, activities linked to Threat Group 2889 have included the creation of extensive networks of fake LinkedIn profiles for social engineering, primarily targeting individuals and organizations in the Middle East. Another concerning incident, mentioned in the context of TG-2889, involved the infiltration of the control system of a small dam located less than 20 miles from New York City. While direct attribution for every Iranian APT activity can be complex, some security researchers suggest that Cleaver, or components of it, may have evolved into or share strong links with other prominent Iranian APT groups, such as Magic Hound (APT35) and Charming Kitten, indicating a continuous and adapting threat landscape originating from Iran.

Associated Malware & Tools

Cleaver’s operations rely on a combination of custom-developed malware and readily available open-source tools. Their bespoke toolkit is quite versatile, including capabilities for ARP poisoning, data encryption, credential dumping, creating ASP.NET shells and web backdoors, facilitating process enumeration, WMI querying, HTTP and SMB communications, network interface sniffing, and keystroke logging. This demonstrates a sophisticated capability to tailor malicious software for specific targets and objectives.

In addition to their custom arsenal, Cleaver effectively integrates off-the-shelf tools to complement their operations. Prominent examples include Mimikatz and Windows Credential Editor, which they use extensively for OS credential dumping to extract sensitive authentication information. PsExec is another open-source utility leveraged for remote execution within compromised networks. While less frequently cited across multiple reports, other tools reportedly associated with the group include CsExt, DistTrack, Jasus, KAgent, Leash, Logger Module, MPKBot, Net Crawler, PupyRAT, PVZ-In, PVZ-Out, SynFlooder, SysKit, TinyZBot, WndTest, zhCat, and zhMimikatz. This blend of custom and public tools allows them flexibility and adaptability in their attacks.

Current Status

Cleaver remains a relevant entity in the threat landscape, with its MITRE ATT&CK profile (G0003) having been updated as recently as April 16, 2025, underscoring ongoing monitoring and interest from the cybersecurity community. Although the specific moniker “Cleaver” might not appear in every contemporary threat report, the underlying activity and TTPs associated with Iranian state-sponsored actors, often linked to this group or its evolutionary successors, continue to be observed.

For instance, Microsoft reported in January 2024 on Iranian APTs, like Mint Sandstorm (an activity group with known links to Iran’s military intelligence), employing sophisticated spear-phishing and social engineering tactics. These recent campaigns targeted high-profile individuals at universities and research organizations focused on Middle Eastern affairs in several countries, including the United States, mimicking Cleaver’s historic emphasis on social engineering and intelligence gathering against strategic targets. Furthermore, a February 2026 report by Palo Alto Networks Unit 42 discussed a threat group, without explicit identification as Cleaver, that compromised government and critical infrastructure across 37 countries in 2025, with reconnaissance against 155 countries. This indicates that Iranian state-sponsored activities targeting critical sectors and government entities are ongoing and represent a persistent threat. Given the observed evolution of Cleaver into or its strong association with groups like Magic Hound (APT35) and Charming Kitten, it is reasonable to conclude that while the specific name “Cleaver” might be less prevalent in current incident reporting, the capabilities and objectives it represents continue to be actively pursued by Iranian state-sponsored entities. These groups consistently adapt their methods, ensuring they remain an active and potent threat to global critical infrastructure and national security interests.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call