Clop

Also known as: Cl0p, TA505, FIN11, Lace Tempest, DEV-0950, Graceful Spider, UNCA2546, UNCA2582, Spandex Tempest, UNC5833, UNC6016

ActiveAdvancedEastern Europe / Russia

Profile generated with AI assistance — review before citing.

0Campaigns

41Techniques

14IOCs

27Tools

0Matches

13Infrastructure

Overview

Clop has evolved from encryption-focused ransomware to data-theft-centric extortion campaigns, primarily exploiting zero-day vulnerabilities in enterprise file transfer and ERP systems. Operated by TA505/FIN11, the group has generated over $500 million in extorted payments and compromised more than 11,000 organizations worldwide. Now focuses on mass victimization through supply chain attacks targeting widely-deployed software, with campaigns affecting hundreds of organizations simultaneously. Active through April 2026 as one of the most prolific global ransomware operations.

Motivations

Financial gainData extortionRansomware operations

Target Sectors

HealthcareFinancial servicesLegal servicesManufacturingRetailEducationGovernment agenciesTechnology sectorTransportationEnergyProfessional servicesTechnologyLegalSupply Chain/LogisticsMediaOracle EBS customersCleo MFT users

Activity Timeline

First Seen

Feb 2019

Last Seen

Jan 2024

Quick Facts

OriginEastern Europe / Russia

Sophisticationadvanced

StatusActive

MITRE ATT&CK Techniques

(41)

Impact

T1486

Data Encrypted for Impact

Encrypt victim data to disrupt availability, typically for ransom.

T1490

Inhibit System Recovery

Delete backups, shadow copies, or recovery partitions to prevent restoration.

T1489

Service Stop

Stop critical services to disrupt operations or aid in data destruction.

Execution

T1059.001

PowerShell

Use PowerShell commands and scripts for execution and automation.

T1059.003

Windows Command Shell

Use cmd.exe to execute commands and batch scripts.

T1047

Windows Management Instrumentation

Use WMI to execute commands and manage systems remotely.

Defense Evasion

T1027

Obfuscated Files or Information

Encrypt, encode, or obfuscate payloads and data to evade detection.

Discovery

T1083

File and Directory Discovery

Enumerate files and directories to find sensitive data or binaries.

T1082

System Information Discovery

Collect OS version, architecture, hostname, and other system details.

T1018

Remote System Discovery

Discover remote systems on the network for lateral movement targets.

Other

Lateral Movement

T1021.001

Remote Desktop Protocol

Use RDP to connect to and control remote systems.

T1021.002

SMB/Windows Admin Shares

Use SMB and administrative shares (C$, ADMIN$) to access remote systems.

Collection

T1005

Data from Local System

Collect sensitive data stored on the local file system.

Exfiltration

T1048

Exfiltration Over Alternative Protocol

Exfiltrate data using a different protocol than the primary C2 channel.

T1041

Exfiltration Over C2 Channel

Exfiltrate stolen data over the existing command and control channel.

Initial Access

T1190

Exploit Public-Facing Application

Exploit vulnerabilities in internet-facing applications to gain access.

T1133

External Remote Services

Abuse remote services like VPNs or RDP to gain access to the network.

T1078

Valid Accounts

Use legitimate credentials to authenticate and gain access.

T1566.001

Spearphishing Attachment

Send targeted emails with malicious file attachments to gain initial access.

T1195

Supply Chain Compromise

Manipulate products or delivery mechanisms before the victim receives them.

Privilege Escalation

T1068

Exploitation for Privilege Escalation

Exploit software vulnerabilities to gain elevated privileges on a system.

Credential Access

T1003.001

LSASS Memory

Access LSASS process memory to extract credential material.

Reconnaissance

T1592

Gather Victim Host Information

Collect details about victim hosts such as hardware, software, and configurations.

T1589

Gather Victim Identity Information

Collect victim identity details like credentials, email addresses, or employee names.

Command and Control

T1105

Ingress Tool Transfer

Download additional tools or payloads from an external system.

Persistence

T1543

Create or Modify System Process

Create or modify system-level processes like services or daemons for persistence.

T1546

Event Triggered Execution

Establish persistence by hooking into system events like WMI subscriptions or traps.

T1547

Boot or Logon Autostart Execution

Configure code to run automatically during system boot or user logon.

(14)

IOC values are defanged for safety

Type	Value	Notes
domain	`clop-leaks[[.]]com`	Clop ransomware data leak site (historical)
domain	`sanjonmta[[.]]com`	C2 domain associated with Clop operations
domain	`fishingworld[[.]]club`	C2 infrastructure used in TA505/Clop campaigns
hash	`0f0ff752b95e76a5745a689349e5b2ac`	MD5 hash of Clop ransomware variant (CL0P^_-)
hash	`4d32c791b99f72f88c2a5cfa7b99f3e1f5f5b3d1a2e5e8f9d2b3c4d5e6f7a8b9`	SHA256 hash of Clop ransomware payload
hash	`8c5f0d7f8e2b4a3c9d1e5f7a8b6c4d2e`	MD5 hash of SDBbot loader used by TA505/Clop
ip	`185[.]140[.]53[[.]]140`	C2 server IP associated with Clop infrastructure
ip	`91[.]212[.]166[[.]]109`	Historical Clop C2 infrastructure
url	`hxxp[://]ekfhzmslekfczawl[[.]]onion`	Clop ransomware Tor payment/negotiation site
hash	`c14b96b706e9bb2f6dd00c42a2a62f82e3f2f2a1`	SHA1 hash of MOVEit Transfer exploitation webshell used by Clop
domain	`support@pubstorm[.]com`	Clop extortion contact email used in Oracle EBS and Cleo campaigns (2025-2026)
domain	`support@pubstorm[.]net`	Clop extortion contact email listed on CL0P DLS since May 2025
ip	`185[.]245[.]77[.]93`	C2 IP associated with Oracle EBS exploitation campaign
ip	`194[.]87[.]106[.]6`	C2 IP associated with Oracle EBS exploitation campaign

Infrastructure

(13)

Domain values are defanged for safety

Domain / Host	Type	Status	Last Checked
`clop-leaks[.]com` Clop ransomware data leak site (historical)	domain	offline	Apr 2, 2026
`sanjonmta[.]com` C2 domain associated with Clop operations	c2	offline	Apr 2, 2026
`fishingworld[.]club` C2 infrastructure used in TA505/Clop campaigns	c2	offline	Apr 2, 2026
`185[.]140[.]53[.]140` C2 server IP associated with Clop infrastructure	ip	active	Apr 2, 2026
`91[.]212[.]166[.]109` Historical Clop C2 infrastructure	ip	offline	Apr 2, 2026
`ekfhzmslekfczawl[.]onion` Clop ransomware Tor payment/negotiation site	onion	active	Apr 2, 2026
`oa[.]88tech[.]me`	domain	offline	Apr 2, 2026
`xbox-ms-store-debug[.]com`	domain	offline	Apr 2, 2026
`ms-pipes-service[.]com`	domain	offline	Apr 2, 2026
`pubstorm[.]com`	domain	active	Apr 2, 2026
`pubstorm[.]net`	domain	active	Apr 2, 2026
`support@pubstorm[.]com`	domain	unknown	—
`support@pubstorm[.]net`	domain	unknown	—

Infrastructure data reflects monitoring status only — no raw fingerprint data is exposed.

References

(29)

CISA Alert: Clop Ransomware

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a

Microsoft Threat Intelligence: Lace Tempest (Clop)

https://www.microsoft.com/en-us/security/blog/2023/06/14/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/

Mandiant: FIN11 and Clop Ransomware

https://www.mandiant.com/resources/blog/fin11-email-campaigns-precursor-for-ransomware-data-theft

CrowdStrike: Clop Ransomware Analysis

https://www.crowdstrike.com/blog/how-to-defend-against-clop-ransomware/

MITRE ATT&CK: Clop Group Profile

https://attack.mitre.org/groups/G0082/

Secureworks: Clop Ransomware Analysis

https://www.secureworks.com/research/clop-ransomware

Huntress: MOVEit Zero-Day Exploitation by Clop

https://www.huntress.com/blog/moveit-zero-day-findings

Palo Alto Networks: Clop Ransomware Timeline

https://unit42.paloaltonetworks.com/clop-ransomware/

Clop Ransomware Gang Exploiting MOVEit Transfer Vulnerability

https://www.mandiant.com/resources/blog/zero-day-moveit-data-theft

Understanding the Clop Ransomware Threat

https://www.cisa.gov/stopransomware/clop-ransomware

Understanding the Clop Ransomware Attacks on MOVEit

https://www.microsoft.com/en-us/security/blog/2023/06/14/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2021-34473-cve-2021-34523-and-cve-2021-31207/

Microsoft Threat Intelligence: Lace Tempest Exploits MOVEit CVE-2023-34362

https://www.microsoft.com/en-us/security/blog/2023/06/14/clop-ransomware-uses-moveit-vulnerability-for-mass-exploitation/

Clop Ransomware

https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-345a

Clop Ransomware Gang Activity Analysis

https://www.mandiant.com/resources/blog/fin11-email-campaigns-precursor-ransomware

Understanding Ransomware Threat Actors: Clop

https://www.sentinelone.com/labs/clop-ransomware/

Oracle E-Business Suite Zero-Day Exploited in Widespread Extortion Campaign

https://cloud.google.com/blog/topics/threat-intelligence/oracle-ebusiness-suite-zero-day-exploitation

Ransomware Attacks Against the US: 2026 Insights - Bitdefender

https://www.bitdefender.com/en-us/blog/businessinsights/ransomware-attacks-targeting-us-organizations-2026

Threat Spotlight: Ransomware and Cyber Extortion in Q1 2025 - ReliaQuest

https://reliaquest.com/blog/threat-spotlight-ransomware-cyber-extortion-q1-2025/

Clop Ransomware Group Exploiting Gladinet CentreStack Servers

https://www.bleepingcomputer.com/news/security/clop-ransomware-targets-gladinet-centrestack-servers-for-extortion/

Cleo File Transfer Vulnerabilities - Cl0P's Latest Attack Vector

https://socradar.io/blog/cleo-file-transfer-vulnerabilities-cl0ps-attack-vector/

Ransomware Tactics, Techniques, and Procedures in a Shifting Threat Landscape - Google

https://cloud.google.com/blog/topics/threat-intelligence/ransomware-ttps-shifting-threat-landscape

The Clop Ransomware Gang: A Comprehensive Analysis

https://www.mandiant.com/resources/blog/fin11-ta505-trends

MOVEit Transfer Critical Vulnerability Rapid Response

https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response

TA505 Threat Actor Profile - Proofpoint

https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader

Clop Ransomware Gang Exploiting GoAnywhere MFT Zero-Day

https://www.mandiant.com/resources/blog/zero-day-goanywhere-mft

TA505 Cybercrime Group

https://attack.mitre.org/groups/G0092/

Clop Ransomware Exploits Cleo Zero-Day Vulnerability

https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild

The Evolution of the Clop Ransomware Group

https://www.mandiant.com/resources/blog/evolution-of-clop-ransomware

Cl0p Ransomware Analysis and Detection

https://www.sentinelone.com/labs/cl0p-ransomware-analysis-and-detection/