{
	"id": "0e8e9388-9c06-4bac-9f4b-524811b681c8",
	"created_at": "2026-04-06T00:09:04.781065Z",
	"updated_at": "2026-04-10T03:36:37.186Z",
	"deleted_at": null,
	"sha1_hash": "128d12f556a0afa5d8a7c7dd61b1616a9e379c8a",
	"title": "Microsoft links Clop ransomware gang to MOVEit data-theft attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2671952,
	"plain_text": "Microsoft links Clop ransomware gang to MOVEit data-theft attacks\r\nBy Lawrence Abrams\r\nPublished: 2023-06-05 · Archived: 2026-04-05 19:42:36 UTC\r\nMicrosoft has linked the Clop ransomware gang to recent attacks exploiting a zero-day vulnerability in the MOVEit Transfer\r\nplatform to steal data from organizations.\r\n\"Microsoft is attributing attacks exploiting the CVE-2023-34362 MOVEit Transfer 0-day vulnerability to Lace Tempest,\r\nknown for ransomware operations \u0026 running the Clop extortion site,\" the Microsoft Threat Intelligence team tweeted\r\nSunday night.\r\n\"The threat actor has used similar vulnerabilities in the past to steal data \u0026 extort victims.\"\r\nhttps://www.bleepingcomputer.com/news/security/microsoft-links-clop-ransomware-gang-to-moveit-data-theft-attacks/\r\nPage 1 of 4\n\nLast Thursday, BleepingComputer was the first to report that threat actors were exploiting a zero-day vulnerability in\r\nMOVEit Transfer servers to steal data from organizations.\r\nMOVEit Transfer is a managed file transfer (MFT) solution that allows the enterprise to securely transfer files between\r\nbusiness partners and customers using SFTP, SCP, and HTTP-based uploads.\r\nThe attacks are believed to have started on May 27th, over the long US Memorial Day holiday, with BleepingComputer\r\naware of numerous organizations having data stolen during the attacks.\r\nThe threat actors utilized the zero-day MOVEit vulnerability to drop specially crafted webshells on servers, allowing them\r\nto retrieve a list of files stored on the server, download files, and steal the credentials/secrets for configured Azure Blob\r\nStorage containers.\r\nWebshell installed during MOVEit attacks\r\nSource: BleepingComputer\r\nWhile it was unclear at the time who was behind the attacks, it was widely believed that the Clop ransomware operation was\r\nresponsible due to similarities with previous attacks conducted by the group.\r\nThe Clop ransomware operation is known to target managed file transfer software, previously responsible for data-theft\r\nattacks using a GoAnywhere MFT zero-day in January 2023 and the zero-day exploitation of Accellion FTA servers in 2020.\r\nMicrosoft says they are now linking the attacks to 'Lace Tempest,' using a new threat actor naming scheme introduced in\r\nApril. Lace Tempest is more commonly known as TA505, FIN11, or DEV-0950.\r\nAt this time, the Clop ransomware operation has not begun extorting victims, with incident responders telling\r\nBleepingComputer that victims have yet to receive extortion demands.\r\nHowever, the Clop gang is known to wait a few weeks after data theft before emailing company executives with their\r\ndemands.\r\n\"We deliberately did not disclose your organization wanted to negotiate with you and your leadership first,\" reads a Clop\r\nransom note sent during the GoAnywhere extortion attacks.\r\n\"If you ignore us, we will sell your information on the black market and publish it on our blog, which receives 30-50\r\nthousand unique visitors per day. You can read about us on Google by searching for CLOP hacker group.\"\r\nHistorically, once Clop begins extorting victims, they will add a stream of new victims to their data leak site with threats that\r\nstolen files will soon be published to apply further pressure in their extortion schemes.\r\nFor the GoAnywhere attacks, it took a little over a month before we saw victims listed on the gang's extortion sites.\r\nSource: https://www.bleepingcomputer.com/news/security/microsoft-links-clop-ransomware-gang-to-moveit-data-theft-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/microsoft-links-clop-ransomware-gang-to-moveit-data-theft-attacks/"
	],
	"report_names": [
		"microsoft-links-clop-ransomware-gang-to-moveit-data-theft-attacks"
	],
	"threat_actors": [
		{
			"id": "c61fb5f8-fcd6-43e8-8b2d-4e81541589f7",
			"created_at": "2023-11-14T02:00:07.071699Z",
			"updated_at": "2026-04-10T02:00:03.440831Z",
			"deleted_at": null,
			"main_name": "DEV-0950",
			"aliases": [
				"Lace Tempest"
			],
			"source_name": "MISPGALAXY:DEV-0950",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6728f306-6259-4e7d-a4ea-59586d90a47d",
			"created_at": "2023-01-06T13:46:39.175292Z",
			"updated_at": "2026-04-10T02:00:03.236282Z",
			"deleted_at": null,
			"main_name": "FIN11",
			"aliases": [
				"TEMP.Warlock",
				"UNC902"
			],
			"source_name": "MISPGALAXY:FIN11",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1db21349-11d6-4e57-805c-fb1e23a8acab",
			"created_at": "2022-10-25T16:07:23.630365Z",
			"updated_at": "2026-04-10T02:00:04.694622Z",
			"deleted_at": null,
			"main_name": "FIN11",
			"aliases": [
				"Chubby Scorpius",
				"DEV-0950",
				"Lace Tempest",
				"Operation Cyclone"
			],
			"source_name": "ETDA:FIN11",
			"tools": [
				"AZORult",
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"BLUESTEAL",
				"Cl0p",
				"EMASTEAL",
				"FLOWERPIPE",
				"FORKBEARD",
				"FRIENDSPEAK",
				"FlawedAmmyy",
				"GazGolder",
				"Get2",
				"GetandGo",
				"JESTBOT",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MINEDOOR",
				"MIXLABEL",
				"Meterpreter",
				"NAILGUN",
				"POPFLASH",
				"PuffStealer",
				"Rultazo",
				"SALTLICK",
				"SCRAPMINT",
				"SHORTBENCH",
				"SLOWROLL",
				"SPOONBEARD",
				"TiniMet",
				"TinyMet",
				"VIDAR",
				"Vidar Stealer"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434144,
	"ts_updated_at": 1775792197,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/128d12f556a0afa5d8a7c7dd61b1616a9e379c8a.pdf",
		"text": "https://archive.orkl.eu/128d12f556a0afa5d8a7c7dd61b1616a9e379c8a.txt",
		"img": "https://archive.orkl.eu/128d12f556a0afa5d8a7c7dd61b1616a9e379c8a.jpg"
	}
}