Threat Actor Profile

Cl0p

Aliases
  • CLOP
  • CIop
  • Clop
  • Cl0p
Origin
Russia
Active Since
2019-01-01
Motivation
Financial gain, Extortion, Data theft
Cause
Cybercriminal
Recent Activity

Cl0p remains active in data-theft extortion. Recent Cl0p-branded activity has been tied to exploitation of Oracle E-Business Suite, including CVE-2025-61882, with mass extortion emails beginning in late September 2025.

Primary Targets
  • Healthcare organizations
  • Consumer goods organizations
  • Business services organizations
  • Manufacturing organizations
  • Food production organizations
  • Government organizations
  • Retail organizations
  • Technology organizations
  • Media and entertainment organizations
  • Education organizations
  • Transportation organizations
  • Energy organizations
  • Legal organizations
  • Engineering organizations
Target Locations
  • United States
  • Europe
  • United Kingdom
  • United Arab Emirates
  • Colombia
  • Canada
  • Switzerland
Target Sectors
  • Healthcare
  • Consumer Goods
  • Business Services
  • Manufacturing
  • Food Production
  • Government
  • Retail
  • Technology
  • Media & Entertainment
  • Education
  • Transportation
  • Energy
  • Legal
  • Engineering
Vulnerabilities

  • CVE-2021-27102
  • CVE-2021-27103
  • GoAnywhere zero-day vulnerability
  • MOVEit Transfer vulnerability
  • Oracle EBS vulnerabilities
  • Managed file transfer platform vulnerabilities

Techniques
  • Double extortion

  • Data theft

  • Extortion

  • Encryption optional

  • Zero-day exploitation

  • Third-party software exploitation

  • Managed file transfer platform exploitation

  • Oracle E-Business Suite exploitation

  • SQL injection exploitation

  • Web shell deployment

  • Automation

  • Initial-access broker usage

  • Data exfiltration

  • Data theft without encryption

  • Victim publication on data leak site

  • Mass extortion emails

  • Evasion

  • Lateral movement

Malware Tools
  • LEMURLOOT
  • Mimikatz
  • Cobalt Strike
  • Custom exfiltration tooling
Bitsight Contextualized Intelligence
  • Cl0p is a high-profile Russian ransomware group that first emerged in 2019.

  • Cl0p is known for launching double extortion attacks on organizations and industries across the globe.

  • Cl0p is associated with the APT group FIN11.

  • Cl0p is also known by aliases such as CLOP, CIop, Clop, and Cl0p.

  • Cl0p has conducted GoAnywhere mass exploitation for financial gain through data exfiltration and extortion.

  • Cl0p exploited a zero-day vulnerability in Fortra's GoAnywhere Managed File Transfer software, allowing attackers to execute arbitrary code without authentication.

  • Cl0p GoAnywhere targeting affected healthcare and wellness, engineering, finance, energy and resources, business services, retail, legal, education, and transportation.

  • Cl0p GoAnywhere targeting affected the United States, United Arab Emirates, Colombia, Canada, and Switzerland.

  • Fortra informed users of the GoAnywhere zero-day vulnerability on 2023-01-01.

  • The first reported Cl0p GoAnywhere attack occurred on 2023-01-30.

  • An emergency security patch for GoAnywhere was released on 2023-02-06.

  • Cl0p claimed to have breached 130 organizations on 2023-02-10.

  • The Cl0p GoAnywhere campaign breached networks of over 130 organizations, including Procter & Gamble, the City of Toronto, and Hitachi Energy.

  • Cl0p conducted the MOVEit attack for financial gain through large-scale data theft and extortion.

  • Cl0p exploited CVE-2023-34362 in MOVEit Transfer software and deployed a web shell named LEMURLOOT to execute arbitrary commands.

  • Cl0p MOVEit targeting affected media and entertainment, business services, education, transportation, and energy and resources.

  • Cl0p MOVEit targeting affected the United States and United Kingdom.

  • The Cl0p MOVEit attack was first seen on 2023-05-27.

  • The MOVEit patch was released on 2023-05-31.

  • A CISA advisory for MOVEit was issued on 2023-06-07.

  • The Cl0p MOVEit attack compromised over 2,770 organizations worldwide and affected more than 95 million individuals.

  • Cl0p has recently exploited CVE-2021-35211, CVE-2023-47246, CVE-2021-27102, and CVE-2021-27103.

  • Recent Cl0p victims include Fruit of the Loom, Southern Illinois University, Incentive Concepts, INJURYLAWYERS.COM, and Elkay.

  • Cl0p exploits zero-days and vulnerable third-party software such as MOVEit, GoAnywhere, and Oracle EBS.

  • Cl0p utilizes initial-access brokers and automation.

  • Cl0p employs sophisticated evasion and lateral-movement techniques to maximize impact and monetization.

Defensive Takeaways
  • Prioritize emergency patching for managed file transfer and enterprise software platforms

  • Inventory externally exposed third-party software

  • Monitor for web shell activity and unusual file transfer behavior

  • Review vendor and third-party software exposure

  • Segment systems that handle sensitive file transfers

  • Prepare for data-theft-only extortion scenarios where encryption may not occur

  • Monitor dark web and leak site activity for vendor-related exposure

How Bitsight Helps

Understanding threat actor capabilities is only half the battle—the other half is knowing whether your organization is in their crosshairs. See how Bitsight threat intelligence helps you move from observation to action.
