{ "id": "dd47d83a-c403-4bb5-802c-3289edff1921", "created_at": "2026-04-06T00:19:24.889899Z", "updated_at": "2026-04-10T13:12:26.398074Z", "deleted_at": null, "sha1_hash": "6e0d79896127ed20b922e4b5eb31f3a61e347d0c", "title": "Cutting Kitten, TG-2889 - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 75417, "plain_text": "Cutting Kitten, TG-2889 - Threat Group Cards: A Threat Actor\r\nEncyclopedia\r\nArchived: 2026-04-05 22:34:39 UTC\r\nHome \u003e List all groups \u003e Cutting Kitten, TG-2889\r\n APT group: Cutting Kitten, TG-2889\r\nNames\r\nCutting Kitten (CrowdStrike)\r\nTG-2889 (SecureWorks)\r\nG0003 (MITRE)\r\nCountry Iran\r\nSponsor State-sponsored, security company ITSecTeam\r\nMotivation Information theft and espionage\r\nFirst seen 2012\r\nDescription\r\nCleaver is a threat group that has been attributed to Iranian actors and is responsible\r\nfor activity tracked as Operation Cleaver. Strong circumstantial evidence suggests\r\nCleaver is linked to Threat Group 2889 (TG-2889).\r\nThis group evolved into Magic Hound, APT 35, Cobalt Illusion, Charming Kitten.\r\nObserved\r\nSectors: Aerospace, Aviation, Chemical, Defense, Education, Energy, Financial,\r\nGovernment, Healthcare, Oil and gas, Technology, Telecommunications,\r\nTransportation, Utilities and (banks: Bank of America, US Bancorp, Fifth Third\r\nBank, Citigroup, PNC, BB\u0026T, Wells Fargo, Capital One and HSBC).\r\nCountries: Canada, China, France, Germany, India, Israel, Kuwait, Mexico,\r\nNetherlands, Pakistan, Qatar, Saudi Arabia, South Korea, Turkey, UAE, UK, USA.\r\nTools used\r\nCsExt, DistTrack, Jasus, KAgent, Leash, Logger Module, MPKBot, Net Crawler,\r\nPupyRAT, PVZ-In, PVZ-Out, SynFlooder, SysKit, TinyZBot, WndTest, zhCat,\r\nzhMimikatz.\r\nOperations performed 2012 Operation “Cleaver”\r\nOperation Cleaver has, over the past several years, conducted a\r\nsignificant global surveillance and infiltration campaign. To date it has\r\nsuccessfully evaded detection by existing security technologies. The\r\ngroup is believed to work from Tehran, Iran, although auxiliary team\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=4622bc44-8c01-4807-8d12-b22352472c29\r\nPage 1 of 2\n\nmembers were identified in other locations including the Netherlands,\nCanada, and the UK. The group successfully leveraged both publicly\navailable, and customized tools to attack and compromise targets\naround the globe. The targets include military, oil and gas, energy and\nutilities, transportation, airlines, airports, hospitals,\ntelecommunications, technology, education, aerospace, Defense\nIndustrial Base (DIB), chemical companies, and governments.\n2013\nAttack on the Bowman Avenue Dam\nIranian hackers infiltrated the control system of a small dam less than\n20 miles from New York City two years ago, sparking concerns that\nreached to the White House, according to former and current U.S.\nofficials and experts familiar with the previously undisclosed incident.\n2015\nNetwork of Fake LinkedIn Profiles\nWhile tracking a suspected Iran-based threat group known as Threat\nGroup-2889 (TG-2889), Dell SecureWorks Counter Threat Unit (CTU)\nresearchers uncovered a network of fake LinkedIn profiles. These\nconvincing profiles form a self-referenced network of seemingly\nestablished LinkedIn users. CTU researchers assess with high\nconfidence the purpose of this network is to target potential victims\nthrough social engineering.\nCounter operations Mar 2016\nU.S. indicts Iranians for hacking dozens of banks, New York dam\nMITRE ATT\u0026CK Last change to this card: 16 August 2025\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=4622bc44-8c01-4807-8d12-b22352472c29\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=4622bc44-8c01-4807-8d12-b22352472c29\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=4622bc44-8c01-4807-8d12-b22352472c29" ], "report_names": [ "showcard.cgi?u=4622bc44-8c01-4807-8d12-b22352472c29" ], "threat_actors": [ { "id": "82b92285-4588-48c9-8578-bb39f903cf62", "created_at": "2022-10-25T15:50:23.850506Z", "updated_at": "2026-04-10T02:00:05.418577Z", "deleted_at": null, "main_name": "Charming Kitten", "aliases": [ "Charming Kitten" ], "source_name": "MITRE:Charming Kitten", "tools": [ "DownPaper" ], "source_id": "MITRE", "reports": null }, { "id": "d8af157e-741b-4933-bb4a-b78490951d97", "created_at": "2023-01-06T13:46:38.748929Z", "updated_at": "2026-04-10T02:00:03.087356Z", "deleted_at": null, "main_name": "APT35", "aliases": [ "COBALT MIRAGE", "Agent Serpens", "Newscaster Team", "Magic Hound", "G0059", "Phosphorus", "Mint Sandstorm", "TunnelVision" ], "source_name": "MISPGALAXY:APT35", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "610a7295-3139-4f34-8cec-b3da40add480", "created_at": "2023-01-06T13:46:38.608142Z", "updated_at": "2026-04-10T02:00:03.03764Z", "deleted_at": null, "main_name": "Cobalt", "aliases": [ "Cobalt Group", "Cobalt Gang", "GOLD KINGSWOOD", "COBALT SPIDER", "G0080", "Mule Libra" ], "source_name": "MISPGALAXY:Cobalt", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "49f1ada0-181f-4e89-a449-e6bc13c8c6b1", "created_at": "2022-10-25T15:50:23.561511Z", "updated_at": "2026-04-10T02:00:05.382592Z", "deleted_at": null, "main_name": "Cleaver", "aliases": [ "Threat Group 2889", "TG-2889" ], "source_name": "MITRE:Cleaver", "tools": [ "Net Crawler", "PsExec", "TinyZBot", "Mimikatz" ], "source_id": "MITRE", "reports": null }, { "id": "029625d2-9734-44f9-9e10-b894b4f57f08", "created_at": "2023-01-06T13:46:38.364105Z", "updated_at": "2026-04-10T02:00:02.944092Z", "deleted_at": null, "main_name": "Charming Kitten", "aliases": [ "iKittens", "Group 83", "NewsBeef", "G0058", "CharmingCypress", "Mint Sandstorm", "Parastoo" ], "source_name": "MISPGALAXY:Charming Kitten", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4", "created_at": "2022-10-25T15:50:23.808974Z", "updated_at": "2026-04-10T02:00:05.291959Z", "deleted_at": null, "main_name": "Magic Hound", "aliases": [ "Magic Hound", "TA453", "COBALT ILLUSION", "Charming Kitten", "ITG18", "Phosphorus", "APT35", "Mint Sandstorm" ], "source_name": "MITRE:Magic Hound", "tools": [ "Impacket", "CharmPower", "FRP", "Mimikatz", "Systeminfo", "ipconfig", "netsh", "PowerLess", "Pupy", "DownPaper", "PsExec" ], "source_id": "MITRE", "reports": null }, { "id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03", "created_at": "2025-08-07T02:03:24.746965Z", "updated_at": "2026-04-10T02:00:03.640335Z", "deleted_at": null, "main_name": "COBALT ILLUSION", "aliases": [ "APT35 ", "APT42 ", "Agent Serpens Palo Alto", "Charming Kitten ", "CharmingCypress ", "Educated Manticore Checkpoint", "ITG18 ", "Magic Hound ", "Mint Sandstorm sub-group ", "NewsBeef ", "Newscaster ", "PHOSPHORUS sub-group ", "TA453 ", "UNC788 ", "Yellow Garuda " ], "source_name": "Secureworks:COBALT ILLUSION", "tools": [ "Browser Exploitation Framework (BeEF)", "MagicHound Toolset", "PupyRAT" ], "source_id": "Secureworks", "reports": null }, { "id": "9663cdbf-646e-4579-881a-a8ebc3aabf63", "created_at": "2023-01-06T13:46:38.360862Z", "updated_at": "2026-04-10T02:00:02.942852Z", "deleted_at": null, "main_name": "Cutting Kitten", "aliases": [ "ITsecTeam" ], "source_name": "MISPGALAXY:Cutting Kitten", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31", "created_at": "2023-01-06T13:46:38.376868Z", "updated_at": "2026-04-10T02:00:02.949077Z", "deleted_at": null, "main_name": "Cleaver", "aliases": [ "G0003", "Operation Cleaver", "Op Cleaver", "Tarh Andishan", "Alibaba", "TG-2889", "Cobalt Gypsy" ], "source_name": "MISPGALAXY:Cleaver", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f", "created_at": "2022-10-25T16:07:23.83826Z", "updated_at": "2026-04-10T02:00:04.761303Z", "deleted_at": null, "main_name": "Magic Hound", "aliases": [ "APT 35", "Agent Serpens", "Ballistic Bobcat", "Charming Kitten", "CharmingCypress", "Cobalt Illusion", "Cobalt Mirage", "Educated Manticore", "G0058", "G0059", "Magic Hound", "Mint Sandstorm", "Operation BadBlood", "Operation Sponsoring Access", "Operation SpoofedScholars", "Operation Thamar Reservoir", "Phosphorus", "TA453", "TEMP.Beanie", "Tarh Andishan", "Timberworm", "TunnelVision", "UNC788", "Yellow Garuda" ], "source_name": "ETDA:Magic Hound", "tools": [ "7-Zip", "AnvilEcho", "BASICSTAR", "CORRUPT KITTEN", "CWoolger", "CharmPower", "ChromeHistoryView", "CommandCam", "DistTrack", "DownPaper", "FRP", "Fast Reverse Proxy", "FireMalv", "Ghambar", "GoProxy", "GorjolEcho", "HYPERSCRAPE", "Havij", "MPK", "MPKBot", "Matryoshka", "Matryoshka RAT", "MediaPl", "Mimikatz", "MischiefTut", "NETWoolger", "NOKNOK", "PINEFLOWER", "POWERSTAR", "PowerLess Backdoor", "PsList", "Pupy", "PupyRAT", "SNAILPROXY", "Shamoon", "TDTESS", "WinRAR", "WoolenLogger", "Woolger", "pupy", "sqlmap" ], "source_id": "ETDA", "reports": null }, { "id": "217c588a-5896-4335-b9ec-a516ae2f9a7e", "created_at": "2022-10-25T16:07:23.513775Z", "updated_at": "2026-04-10T02:00:04.635263Z", "deleted_at": null, "main_name": "Cutting Kitten", "aliases": [ "Cutting Kitten", "G0003", "Operation Cleaver", "TG-2889" ], "source_name": "ETDA:Cutting Kitten", "tools": [ "CsExt", "DistTrack", "IvizTech", "Jasus", "KAgent", "Logger Module", "MANGOPUNCH", "MPK", "MPKBot", "Net Crawler", "NetC", "PVZ-In", "PVZ-Out", "Pupy", "PupyRAT", "PvzOut", "Shamoon", "SynFlooder", "SysKit", "TinyZBot", "WndTest", "pupy", "zhCat", "zhMimikatz" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434764, "ts_updated_at": 1775826746, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/6e0d79896127ed20b922e4b5eb31f3a61e347d0c.pdf", "text": "https://archive.orkl.eu/6e0d79896127ed20b922e4b5eb31f3a61e347d0c.txt", "img": "https://archive.orkl.eu/6e0d79896127ed20b922e4b5eb31f3a61e347d0c.jpg" } }