
Cleaver

aka: Operation Cleaver, Op Cleaver, Tarh Andishan, Alibaba, TG-2889, Cobalt Gypsy, G0003

A group of cyber actors using infrastructure located in Iran has been conducting computer network exploitation activity against public and private U.S. organizations, including Cleared Defense Contractors (CDCs), academic institutions, and energy sector companies. This threat actor targets entities in the government, energy, and technology sectors that are located in or do business with Saudi Arabia.


Associated Families
win.csext win.netc win.pvzout win.tinyzbot win.zhmimikatz win.jasus win.kagent win.synflooder win.wndtest

References
2021-05-06xorl %eax, %eaxAnastasios Pingios
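% The percent signs in the blog name are escaped so they typeset literally
% instead of starting a TeX comment in the generated bibliography.
@online{pingios:20210506:iran:7acb8a7,
  author       = {Pingios, Anastasios},
  title        = {{Iran Cyber Operations Groups}},
  date         = {2021-05-06},
  organization = {xorl \%eax, \%eax},
  url          = {https://xorl.wordpress.com/2021/05/06/iran-cyber-operations-groups/},
  language     = {English},
  urldate      = {2021-05-08},
}
Iran Cyber Operations Groups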
Cleaver
2020SecureworksSecureWorks
% Vendor threat profile for the COBALT GYPSY alias.
@online{secureworks:2020:cobalt:ce31320,
  author       = {SecureWorks},
  title        = {{COBALT GYPSY}},
  date         = {2020},
  organization = {Secureworks},
  url          = {https://www.secureworks.com/research/threat-profiles/cobalt-gypsy},
  language     = {English},
  urldate      = {2020-05-23},
}
COBALT GYPSY
TwoFace MacDownloader BONDUPDATER pupy Helminth jason RGDoor TinyZbot OilRig
2019-04-08SANS Cyber Security SummitTaha Karim
% Conference slide deck (PDF) archived by the SANS summit.
@techreport{karim:20190408:trails:83a8378,
  author      = {Karim, Taha},
  title       = {{Trails of WindShift}},
  date        = {2019-04-08},
  institution = {SANS Cyber Security Summit},
  url         = {https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1554718868.pdf},
  language    = {English},
  urldate     = {2020-01-20},
}
Trails of WindShift
WindTail ZhMimikatz
2019-03-27MicrosoftTom Burt
% Microsoft "On the Issues" blog post.
@online{burt:20190327:new:9ba6b3b,
  author       = {Burt, Tom},
  title        = {{New steps to protect customers from hacking}},
  date         = {2019-03-27},
  organization = {Microsoft},
  url          = {https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/},
  language     = {English},
  urldate      = {2020-01-13},
}
New steps to protect customers from hacking
APT35 Charming Kitten Cleaver
2019Council on Foreign RelationsCyber Operations Tracker
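% Corporate author: the inner braces keep the name as one unit instead of
% letting it be split into given name "Cyber Operations" and surname "Tracker".
@online{tracker:2019:magic:f997203,
  author       = {{Cyber Operations Tracker}},
  title        = {{Magic Hound}},
  date         = {2019},
  organization = {Council on Foreign Relations},
  url          = {https://www.cfr.org/interactive/cyber-operations/magic-hound},
  language     = {English},
  urldate      = {2019-12-20},
}
Magic Hound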
APT35 Cleaver
2019Council on Foreign RelationsCyber Operations Tracker
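% Corporate author: the inner braces keep the name as one unit instead of
% letting it be split into given name "Cyber Operations" and surname "Tracker".
@online{tracker:2019:operation:8df074c,
  author       = {{Cyber Operations Tracker}},
  title        = {{Operation Cleaver}},
  date         = {2019},
  organization = {Council on Foreign Relations},
  url          = {https://www.cfr.org/interactive/cyber-operations/operation-cleaver},
  language     = {English},
  urldate      = {2019-12-20},
}
Operation Cleaver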
Cleaver
2019MITREMITRE ATT&CK
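% Corporate author kept as one unit by the inner braces; the ampersand is
% escaped so it typesets as a literal character rather than an alignment tab.
@online{attck:2019:magic:f2f07ab,
  author       = {{MITRE ATT\&CK}},
  title        = {{Group description: Magic Hound}},
  date         = {2019},
  organization = {MITRE},
  url          = {https://attack.mitre.org/groups/G0059/},
  language     = {English},
  urldate      = {2019-12-20},
}
Group description: Magic Hound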
APT35 Cleaver
2019MITREMITRE ATT&CK
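% Corporate author kept as one unit by the inner braces; the ampersand is
% escaped so it typesets as a literal character rather than an alignment tab.
@online{attck:2019:cleaver:ac864e2,
  author       = {{MITRE ATT\&CK}},
  title        = {{Group description: Cleaver}},
  date         = {2019},
  organization = {MITRE},
  url          = {https://attack.mitre.org/groups/G0003/},
  language     = {English},
  urldate      = {2019-12-20},
}
Group description: Cleaver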
Cleaver
2017-07-27SecureworksCTU Research Team
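% Corporate author: the inner braces keep the team name as one unit instead of
% letting it be split into given name "CTU Research" and surname "Team".
@online{team:20170727:curious:e19150b,
  author       = {{CTU Research Team}},
  title        = {{The Curious Case of Mia Ash: Fake Persona Lures Middle Eastern Targets}},
  date         = {2017-07-27},
  organization = {Secureworks},
  url          = {https://www.secureworks.com/research/the-curious-case-of-mia-ash},
  language     = {English},
  urldate      = {2020-01-13},
}
The Curious Case of Mia Ash: Fake Persona Lures Middle Eastern Targets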
Cleaver
2017-02-15Palo Alto Networks Unit 42Bryan Lee, Robert Falcone
% Unit 42 write-up; both authors are given in "Last, First" form.
@online{lee:20170215:magic:d143d8f,
  author       = {Lee, Bryan and Falcone, Robert},
  title        = {{Magic Hound Campaign Attacks Saudi Targets}},
  date         = {2017-02-15},
  organization = {Palo Alto Networks Unit 42},
  url          = {https://unit42.paloaltonetworks.com/unit42-magic-hound-campaign-attacks-saudi-targets/},
  language     = {English},
  urldate      = {2020-01-09},
}
Magic Hound Campaign Attacks Saudi Targets
APT35 Cleaver
2017-02-15SecureworksSecureWorks' Counter Threat Unit Research Team
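% Corporate author: the inner braces keep the team name as one unit instead of
% letting the last word be taken as a surname.
@online{team:20170215:iranian:004ec5a,
  author       = {{SecureWorks' Counter Threat Unit Research Team}},
  title        = {{Iranian PupyRAT Bites Middle Eastern Organizations}},
  date         = {2017-02-15},
  organization = {Secureworks},
  url          = {https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations},
  language     = {English},
  urldate      = {2019-10-23},
}
Iranian PupyRAT Bites Middle Eastern Organizations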
pupy Cleaver
2016-04-06CylanceCylance
% Same title, author and date as cylance:20160406:operation:d4da7b5; this entry
% points at a copy hosted on scadahacker.com rather than on cylance.com.
@techreport{cylance:20160406:operation:a141373,
  author      = {Cylance},
  title       = {{Operation Cleaver}},
  date        = {2016-04-06},
  institution = {Cylance},
  url         = {https://scadahacker.com/library/Documents/Cyber_Events/Cylance%20-%20Operation%20Cleaver%20Report.pdf},
  language    = {English},
  urldate     = {2022-07-29},
}
Operation Cleaver
Cleaver
2016-04-06CylanceCylance
% Vendor-hosted copy of the report (cylance.com URL).
@techreport{cylance:20160406:operation:d4da7b5,
  author      = {Cylance},
  title       = {{Operation Cleaver}},
  date        = {2016-04-06},
  institution = {Cylance},
  url         = {https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf},
  language    = {English},
  urldate     = {2020-01-10},
}
Operation Cleaver
CsExt Jasus KAgent NetC PvzOut SynFlooder TinyZbot WndTest ZhCat ZhMimikatz Cleaver
2015-11Check PointCheck Point
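% Corporate author: the inner braces keep "Check Point" as one unit.
% Title spacing repaired ("KIT TEN" -> "KITTEN") to match the actor name used
% in the URL slug and in the page's own "Rocket Kitten" tag.
@techreport{point:201511:rocket:2e2b21c,
  author      = {{Check Point}},
  title       = {{ROCKET KITTEN: A CAMPAIGN WITH 9 LIVES}},
  date        = {2015-11},
  institution = {Check Point},
  url         = {https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf},
  language    = {English},
  urldate     = {2020-01-07},
}
ROCKET KITTEN: A CAMPAIGN WITH 9 LIVES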
FireMalv MPKBot Woolger Cleaver Rocket Kitten
2015-10-07Dell SecureworksDell Secureworks CTU
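% Corporate author: the inner braces keep the name as one unit instead of
% letting it be split into given name "Dell Secureworks" and surname "CTU".
% Same title and date as team:20151007:hacker:d7748e6, with a different URL.
@online{ctu:20151007:hacker:0c336b4,
  author       = {{Dell Secureworks CTU}},
  title        = {{Hacker Group Creates Network of Fake LinkedIn Profiles}},
  date         = {2015-10-07},
  organization = {Dell Secureworks},
  url          = {https://www.secureworks.com/research/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles},
  language     = {English},
  urldate      = {2022-07-29},
}
Hacker Group Creates Network of Fake LinkedIn Profiles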
Cleaver
2015-10-07SecureworksCTU Research Team
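% Corporate author: the inner braces keep the team name as one unit instead of
% letting it be split into given name "CTU Research" and surname "Team".
% Same title and date as ctu:20151007:hacker:0c336b4, with a different URL.
@online{team:20151007:hacker:d7748e6,
  author       = {{CTU Research Team}},
  title        = {{Hacker Group Creates Network of Fake LinkedIn Profiles}},
  date         = {2015-10-07},
  organization = {Secureworks},
  url          = {http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/},
  language     = {English},
  urldate      = {2020-01-13},
}
Hacker Group Creates Network of Fake LinkedIn Profiles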
Cleaver Cutting Kitten
2015-10-06NetenrichNetenrich
% Threat-actor profile page; the %20 in the URL is part of the address.
@online{netenrich:20151006:cutting:6815c15,
  author       = {Netenrich},
  title        = {{CUTTING KITTEN}},
  date         = {2015-10-06},
  organization = {Netenrich},
  url          = {https://know.netenrich.com/threatintel/threat_actor/Cutting%20Kitten},
  language     = {English},
  urldate      = {2022-07-29},
}
CUTTING KITTEN
TinyZbot Cleaver
2015-09-01Trend MicroCedric Pernet, Eyal Sela
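% Title: the missing space after the colon is restored.
@techreport{pernet:20150901:spy:18a0fca,
  author      = {Pernet, Cedric and Sela, Eyal},
  title       = {{The Spy Kittens Are Back: Rocket Kitten 2}},
  date        = {2015-09-01},
  institution = {Trend Micro},
  url         = {https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-the-spy-kittens-are-back.pdf},
  language    = {English},
  urldate     = {2020-01-10},
}
The Spy Kittens Are Back: Rocket Kitten 2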
Cleaver
2015-03-19Trend MicroTrend Micro
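% Corporate author: the inner braces keep "Trend Micro" as one unit instead of
% letting it be split into given name "Trend" and surname "Micro".
@online{micro:20150319:rocket:3046dd1,
  author       = {{Trend Micro}},
  title        = {{Rocket Kitten Showing Its Claws: Operation Woolen-GoldFish and the GHOLE campaign}},
  date         = {2015-03-19},
  organization = {Trend Micro},
  url          = {https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-woolen-goldfish-when-kittens-go-phishing},
  language     = {English},
  urldate      = {2020-01-06},
}
Rocket Kitten Showing Its Claws: Operation Woolen-GoldFish and the GHOLE campaign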
Cleaver Rocket Kitten
2015-02-17SecurityAffairsPierluigi Paganini
% News article covering the "Ali Baba" alias.
@online{paganini:20150217:ali:b9323a0,
  author       = {Paganini, Pierluigi},
  title        = {{Ali Baba, the APT group from the Middle East}},
  date         = {2015-02-17},
  organization = {SecurityAffairs},
  url          = {https://securityaffairs.co/wordpress/33682/cyber-crime/ali-baba-apt-middle-east.html},
  language     = {English},
  urldate      = {2022-07-29},
}
Ali Baba, the APT group from the Middle East
Cleaver
2014Council on Foreign RelationsCyber Operations Tracker
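% Corporate author: the inner braces keep the name as one unit instead of
% letting it be split into given name "Cyber Operations" and surname "Tracker".
@online{tracker:2014:operation:3a9c86a,
  author       = {{Cyber Operations Tracker}},
  title        = {{Operation Cleaver}},
  date         = {2014},
  organization = {Council on Foreign Relations},
  url          = {https://www.cfr.org/cyber-operations/operation-cleaver},
  language     = {English},
  urldate      = {2022-07-29},
}
Operation Cleaver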
Cleaver

Credits: MISP Project