Cl0p

cl0p · primary source: Other · first observed 2019

?? · UnknownRansomwareModerate confidencelast cited Sep 28, 2025 · 8mo ago

Russian-speaking double-extortion crew historically aligned with TA505/FIN11. Specialized in mass exploitation of managed-file-transfer software zero-days: Accellion FTA (2020), GoAnywhere MFT (early 2023), and the MOVEit Transfer CVE-2023-34362 campaign in mid-2023 that compromised an estimated 2,700+ organizations and exposed personal data on tens of millions of individuals.

Aliases

CLOPOtherTA505MandiantFIN11Mandiant

Motivations

financial gain

Target sectors

financialhealthcareeducationgovernmentmanufacturing

Target countries

USGBDECABENLCH

Diamond Model

Caltagirone / Pendergast / Betz 2013 — four-vertex attribution framework.

Adversary

Cl0p
Unknown
financial gain

Capability

Infrastructure

—

Victim

financial
healthcare
education
US
GB
+1 more

MITRE ATT&CK techniques

T1190 T1486 T1567.002 T1505.003

Tools & malware

1 entry

Cl0pRansomware

Timeline

1 event

CompromiseCritical2025-09-29·Google Cloud / Mandiant
Cl0p mass-exfiltrates Oracle E-Business Suite via CVE-2025-61882 zero-day
Cl0p exploited CVE-2025-61882 — a previously-unknown Oracle EBS vulnerability — against internet-facing Oracle E-Business Suite deployments from late July through early September 2025, then on 29 September 2025 blasted out hundreds of extortion emails to executives at victim organisations, using compromised email accounts as the delivery channel. By late October 2025 the operators had named 29 victims on their leak site, including Harvard University, American Airlines subsidiary Envoy Air, The Washington Post, Schneider Electric, Emerson, Logitech, and Cox Enterprises. Operationally identical to Cl0p's prior mass-extortion campaigns against Accellion FTA (2020-2021), Fortra GoAnywhere (2023), MOVEit Transfer (2023), and Cleo Harmony / VLTrader / LexiCom (2024) — Cl0p's enterprise managed-file-transfer / ERP-platform cadence is now annual.
zero-dayerpmass-extortionoracle

Indicators of compromise

4 indicators

defangedcsv

Type	Value	First seen	Source
Email	unlock[at]rsv-box[.]com family · CL0P CL0P negotiation email address published in ransom notes during the MOVEit and GoAnywhere campaigns, listed in the email-address IOC table of AA23-158A.	Jun 6, 2023	CISA
SHA-256	c58c2c2ea608c83fad9326055a8271d47d8246dc9cb401e420c0971c67e19cbf family · LEMURLOOT SHA256 of a compiled DLL generated from a human2.aspx LEMURLOOT payload, referenced in the Mandiant YARA rule M_Webshell_LEMURLOOT_DLL_1 included in AA23-158A as a hunting sample for the CL0P MOVEit zero-day intrusion set.	May 31, 2023	CISA
Name	human2.aspx family · LEMURLOOT LEMURLOOT web-shell filename masquerading as MOVEit's legitimate human.aspx, dropped via CVE-2023-34362 starting May 27, 2023. Primary breach indicator per joint FBI/CISA advisory AA23-158A on the CL0P/TA505 MOVEit campaign.	May 26, 2023	CISA
SHA-256	0b3220b11698b1436d1d866ac07cc90018e59884e91a8cb71ef8924309f1e0e9 family · LEMURLOOT SHA256 of a LEMURLOOT web-shell ASPX sample listed in the MOVEit Campaign IOC table of AA23-158A; one of the ~40 hashes the FBI/CISA released June 7, 2023 covering TA505 web-shell deployments against MOVEit Transfer.	May 26, 2023	CISA

Related actors

shared ATT&CK techniques

RU · Russia8Base2 shared techniques
- T1486
- T1567.002
?? · UnknownAkira2 shared techniques
- T1486
- T1567.002
?? · UnknownALPHV/BlackCat2 shared techniques
- T1486
- T1567.002
KP · DPRKAndariel2 shared techniques
- T1190
- T1486
RU · RussiaDarkSide2 shared techniques
- T1486
- T1567.002
CN · ChinaHafnium2 shared techniques
- T1190
- T1505.003

References

#StopRansomware: CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (AA23-158A)
CISA · 2023-06-07

cite this page

Threat Intel Tracker. (2026-05-19). Cl0p — actor profile. Retrieved from https://threatintel.local/actors/cl0p

latest cited activity · 2025-09-29 · 4 cataloged indicators