Understanding threat actor capabilities is only half the battle—the other half is knowing whether your organization is in their crosshairs. See how Bitsight threat intelligence helps you move from observation to action.
Cl0p remains active in data-theft extortion. Recent Cl0p-branded activity has been tied to exploitation of Oracle E-Business Suite, including CVE-2025-61882, with mass extortion emails beginning in late September 2025.
CVE-2021-27102
CVE-2021-27103
GoAnywhere zero-day vulnerability
MOVEit Transfer vulnerability
Oracle EBS vulnerabilities
Managed file transfer platform vulnerabilities
Double extortion
Data theft
Extortion
Encryption optional
Zero-day exploitation
Third-party software exploitation
Managed file transfer platform exploitation
Oracle E-Business Suite exploitation
SQL injection exploitation
Web shell deployment
Automation
Initial-access broker usage
Data exfiltration
Data theft without encryption
Victim publication on data leak site
Mass extortion emails
Evasion
Lateral movement
Cl0p is a high-profile Russian ransomware group that first emerged in 2019.
Cl0p is known for launching double extortion attacks on organizations and industries across the globe.
Cl0p is associated with the APT group FIN11.
Cl0p is also known by aliases such as CLOP, CIop, Clop, and Cl0p.
Cl0p conducted mass exploitation of GoAnywhere for financial gain through data exfiltration and extortion.
Cl0p exploited a zero-day vulnerability in Fortra's GoAnywhere Managed File Transfer software, allowing attackers to execute arbitrary code without authentication.
Cl0p's GoAnywhere campaign affected organizations in healthcare and wellness, engineering, finance, energy and resources, business services, retail, legal, education, and transportation.
Cl0p's GoAnywhere campaign affected organizations in the United States, United Arab Emirates, Colombia, Canada, and Switzerland.
Fortra informed users of the GoAnywhere zero-day vulnerability on 2023-01-01.
The first reported Cl0p GoAnywhere attack occurred on 2023-01-30.
An emergency security patch for GoAnywhere was released on 2023-02-06.
Cl0p claimed to have breached 130 organizations on 2023-02-10.
The Cl0p GoAnywhere campaign breached networks of over 130 organizations, including Procter & Gamble, the City of Toronto, and Hitachi Energy.
Cl0p conducted the MOVEit attack for financial gain through large-scale data theft and extortion.
Cl0p exploited CVE-2023-34362 in MOVEit Transfer software and deployed a web shell named LEMURLOOT to execute arbitrary commands.
Cl0p's MOVEit campaign affected organizations in media and entertainment, business services, education, transportation, and energy and resources.
Cl0p's MOVEit campaign affected organizations in the United States and United Kingdom.
The Cl0p MOVEit attack was first seen on 2023-05-27.
The MOVEit patch was released on 2023-05-31.
A CISA advisory for MOVEit was issued on 2023-06-07.
The Cl0p MOVEit attack compromised over 2,770 organizations worldwide and affected more than 95 million individuals.
Cl0p has recently exploited CVE-2021-35211, CVE-2023-47246, CVE-2021-27102, and CVE-2021-27103.
Recent Cl0p victims include Fruit of the Loom, Southern Illinois University, Incentive Concepts, INJURYLAWYERS.COM, and Elkay.
Cl0p exploits zero-days and vulnerable third-party software such as MOVEit, GoAnywhere, and Oracle EBS.
Cl0p utilizes initial-access brokers and automation.
Cl0p employs sophisticated evasion and lateral-movement techniques to maximize impact and monetization.
Prioritize emergency patching for managed file transfer and enterprise software platforms
Inventory externally exposed third-party software
Monitor for web shell activity and unusual file transfer behavior
Review vendor and third-party software exposure
Segment systems that handle sensitive file transfers
Prepare for data-theft-only extortion scenarios where encryption may not occur
Monitor dark web and leak site activity for vendor-related exposure