The detection rule identifies potential adversary activity linked to Operation Cleaver by monitoring for specific keywords associated with the attack. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect early-stage compromise and mitigate the impact of advanced persistent threats.
YARA Rule

    rule OPCLEAVER_ZhoupinExploitCrew
    {
        meta:
            description = "Keywords used by attackers in Operation Cleaver"
            reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
            date = "2014/12/02"
            author = "Cylance Inc."
            score = "70"
        strings:
            $s1 = "zhoupin exploit crew" nocase
            $s2 = "zhopin exploit crew" nocase
        condition:
            1 of them
    }
This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns in its detection logic.

Scenario: Scheduled System Maintenance Job
Description: A legitimate scheduled job runs during off-hours and includes the keyword “cleaver” in its script or log entry.
Filter/Exclusion: Exclude entries where the keyword appears in scheduled task names or descriptions that match known maintenance scripts (e.g., cleaver-maintenance.ps1).

Scenario: Admin Task for Log Cleanup
Description: An administrator uses the term “cleaver” in a script to clean up old log files, which triggers the rule.
Filter/Exclusion: Exclude entries where the keyword is used in log cleanup scripts or commands (e.g., cleaver-log-cleaner.sh).

Scenario: Database Backup Script
Description: A database backup script includes the keyword “cleaver” in its naming convention or comments.
Filter/Exclusion: Exclude entries where the keyword is part of a backup script name or comment that follows standard naming conventions (e.g., cleaver_backup_20250405.sql).

Scenario: PowerShell Cmdlet for System Monitoring
Description: A PowerShell script used for system monitoring includes the keyword “cleaver” in its script name or function.
Filter/Exclusion: Exclude entries where the keyword is part of a monitoring script or function name (e.g., cleaver-monitor.ps1).

Scenario: User-Defined Variable in Configuration File
Description: A configuration file contains a user-defined variable named “cleaver” that is used for internal purposes.
Filter/Exclusion: Exclude entries where the keyword appears in user-defined variables or configuration parameters that are not related to malicious activity.
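The following added example (not from Cylance or the rule's authors) re-implements the rule's logic in plain Python so a SOC analyst can see exactly what `nocase` and `1 of them` match, and then applies the filename-based exclusions from the scenarios above before raising an alert. The exclusion globs and all sample inputs are constructed assumptions for illustration.

```python
import fnmatch
import re

# The two ASCII strings from the rule; `nocase` makes them case-insensitive.
PATTERNS = {
    "$s1": "zhoupin exploit crew",
    "$s2": "zhopin exploit crew",
}

# Exclusion list assembled from the page's false-positive scenarios
# (globs on the scanned file name; constructed for this example).
EXCLUDED_NAME_GLOBS = [
    "cleaver-maintenance.ps1",
    "cleaver-log-cleaner.sh",
    "cleaver_backup_*.sql",
    "cleaver-monitor.ps1",
]


def match_strings(data: bytes) -> dict:
    """Return {identifier: [offsets]} for every rule string found in data.

    Each pattern is compiled as an escaped, case-insensitive byte regex,
    which is how YARA treats a plain ASCII string marked `nocase`.
    """
    hits = {}
    for ident, text in PATTERNS.items():
        rx = re.compile(re.escape(text.encode()), re.IGNORECASE)
        offsets = [m.start() for m in rx.finditer(data)]
        if offsets:
            hits[ident] = offsets
    return hits


def rule_matches(data: bytes) -> bool:
    """The rule's condition, `1 of them`: at least one string identifier hit."""
    return len(match_strings(data)) >= 1


def triage(filename: str, data: bytes) -> str:
    """Classify one scanned file as 'alert', 'excluded' or 'clean'.

    A match inside an allow-listed maintenance/backup/monitoring script is
    suppressed; any other match is escalated for analyst review.
    """
    if not rule_matches(data):
        return "clean"
    if any(fnmatch.fnmatch(filename, g) for g in EXCLUDED_NAME_GLOBS):
        return "excluded"
    return "alert"
```

Exclusions based only on a file name are a convenience for tuning noise; a suspicious match inside an allow-listed path should still be reviewed rather than silently dropped.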