{
	"id": "67564615-e6d0-4e3b-8d82-1fdc69fecfbd",
	"created_at": "2026-04-06T03:36:06.663388Z",
	"updated_at": "2026-04-10T03:36:36.594914Z",
	"deleted_at": null,
	"sha1_hash": "2db02dc0c6d3cc636687e33c780b3a753fee3c54",
	"title": "Microsoft: Clop and LockBit ransomware behind PaperCut server hacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2186446,
	"plain_text": "Microsoft: Clop and LockBit ransomware behind PaperCut server hacks\r\nBy Lawrence Abrams\r\nPublished: 2023-04-26 · Archived: 2026-04-06 03:17:39 UTC\r\nMicrosoft has attributed recent attacks on PaperCut servers to the Clop and LockBit ransomware operations, which used the vulnerabilities to steal corporate data.\r\nLast month, two vulnerabilities were fixed in the PaperCut Application Server that allow remote attackers to perform unauthenticated remote code execution and information disclosure:\r\nCVE-2023-27350 / ZDI-CAN-18987 / PO-1216: Unauthenticated remote code execution flaw impacting all PaperCut MF or NG versions 8.0 or later on all OS platforms, for both application and site servers. (CVSS v3.1 score: 9.8 – critical)\r\nCVE-2023-27351 / ZDI-CAN-19226 / PO-1219: Unauthenticated information disclosure flaw impacting all PaperCut MF or NG versions 15.0 or later on all OS platforms for application servers. (CVSS v3.1 score: 8.2 – high)\r\nOn April 19th, PaperCut disclosed that these flaws were actively exploited in the wild, urging admins to upgrade their servers to the latest version.\r\nhttps://www.bleepingcomputer.com/news/security/microsoft-clop-and-lockbit-ransomware-behind-papercut-server-hacks/\r\nPage 1 of 4\r\nA PoC exploit for the RCE flaw was released a few days later, allowing further threat actors to breach the servers using these exploits.\r\nRansomware gangs behind attacks\r\nToday, Microsoft disclosed that the Clop and LockBit ransomware gangs are behind these PaperCut attacks and are using them to steal corporate data from vulnerable servers.\r\nPaperCut is print management software compatible with all major printer brands and platforms. It is used by large companies, state organizations, and education institutes, with the company's website claiming it is used by hundreds of millions of people from over 100 countries.\r\nIn a series of tweets posted Wednesday afternoon, Microsoft states that it has attributed the recent PaperCut attacks to the Clop ransomware gang.\r\n\"Microsoft is attributing the recently reported attacks exploiting the CVE-2023-27350 and CVE-2023-27351 vulnerabilities in print management software PaperCut to deliver Clop ransomware to the threat actor tracked as Lace Tempest (overlaps with FIN11 and TA505),\" tweeted Microsoft's Threat Intelligence researchers.\r\nMicrosoft tracks this particular threat actor as 'Lace Tempest,' whose activity overlaps with FIN11 and TA505, both linked to the Clop ransomware operation.\r\nMicrosoft says that the threat actor has been exploiting the PaperCut vulnerabilities since April 13th for initial access to the corporate network.\r\nOnce they gained access to the server, they deployed the TrueBot malware, which has also been previously linked to the Clop ransomware operation.\r\nUltimately, Microsoft says a Cobalt Strike beacon was deployed and used to spread laterally through the network while stealing data using the MegaSync file-sharing application.\r\nIn addition to Clop, Microsoft says some intrusions have led to LockBit ransomware attacks. However, it's unclear if these attacks began after the exploits were publicly released.\r\nMicrosoft recommends admins apply the available patches as soon as possible, as other threat actors will likely begin exploiting the vulnerabilities.\r\nA prime target for Clop\r\nThe exploitation of PaperCut servers fits a general pattern we have seen with the Clop ransomware gang over the past three years.\r\nWhile the Clop operation still encrypts files in attacks, they have told BleepingComputer that they prefer to steal data to extort companies into paying a ransom.\r\nThis shift in tactics was first seen in 2020 when Clop exploited an Accellion FTA zero-day vulnerability to steal data from approximately 100 companies.\r\nThe Clop gang recently utilized zero-day vulnerabilities in the GoAnywhere MFT secure file-sharing platform to steal data from 130 companies.\r\nPaperCut includes a 'Print Archiving' feature that saves all print jobs and documents sent through the server, making it a good candidate for data exfiltration attacks by the operation.\r\nAll organizations utilizing PaperCut MF or NG are strongly advised to upgrade immediately to versions 20.1.7, 21.2.11, and 22.0.9 or later to fix these vulnerabilities.\r\nUpdate 4/27/28: The Clop ransomware operation confirmed to BleepingComputer that they were behind the attacks on PaperCut servers, which they started exploiting on April 13th.\r\nHowever, they said that they used the vulnerabilities for initial access to networks, rather than to steal documents from the server itself.\r\nIn reply to our questions about the LockBit attacks, Microsoft said they had nothing further to share.\r\nSource: https://www.bleepingcomputer.com/news/security/microsoft-clop-and-lockbit-ransomware-behind-papercut-server-hacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/microsoft-clop-and-lockbit-ransomware-behind-papercut-server-hacks/"
	],
	"report_names": [
		"microsoft-clop-and-lockbit-ransomware-behind-papercut-server-hacks"
	],
	"threat_actors": [
		{
			"id": "c61fb5f8-fcd6-43e8-8b2d-4e81541589f7",
			"created_at": "2023-11-14T02:00:07.071699Z",
			"updated_at": "2026-04-10T02:00:03.440831Z",
			"deleted_at": null,
			"main_name": "DEV-0950",
			"aliases": [
				"Lace Tempest"
			],
			"source_name": "MISPGALAXY:DEV-0950",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6728f306-6259-4e7d-a4ea-59586d90a47d",
			"created_at": "2023-01-06T13:46:39.175292Z",
			"updated_at": "2026-04-10T02:00:03.236282Z",
			"deleted_at": null,
			"main_name": "FIN11",
			"aliases": [
				"TEMP.Warlock",
				"UNC902"
			],
			"source_name": "MISPGALAXY:FIN11",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1db21349-11d6-4e57-805c-fb1e23a8acab",
			"created_at": "2022-10-25T16:07:23.630365Z",
			"updated_at": "2026-04-10T02:00:04.694622Z",
			"deleted_at": null,
			"main_name": "FIN11",
			"aliases": [
				"Chubby Scorpius",
				"DEV-0950",
				"Lace Tempest",
				"Operation Cyclone"
			],
			"source_name": "ETDA:FIN11",
			"tools": [
				"AZORult",
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"BLUESTEAL",
				"Cl0p",
				"EMASTEAL",
				"FLOWERPIPE",
				"FORKBEARD",
				"FRIENDSPEAK",
				"FlawedAmmyy",
				"GazGolder",
				"Get2",
				"GetandGo",
				"JESTBOT",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MINEDOOR",
				"MIXLABEL",
				"Meterpreter",
				"NAILGUN",
				"POPFLASH",
				"PuffStealer",
				"Rultazo",
				"SALTLICK",
				"SCRAPMINT",
				"SHORTBENCH",
				"SLOWROLL",
				"SPOONBEARD",
				"TiniMet",
				"TinyMet",
				"VIDAR",
				"Vidar Stealer"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775446566,
	"ts_updated_at": 1775792196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2db02dc0c6d3cc636687e33c780b3a753fee3c54.pdf",
		"text": "https://archive.orkl.eu/2db02dc0c6d3cc636687e33c780b3a753fee3c54.txt",
		"img": "https://archive.orkl.eu/2db02dc0c6d3cc636687e33c780b3a753fee3c54.jpg"
	}
}