{
	"id": "f1cf9375-1cde-4c5f-bc01-99cda8d27105",
	"created_at": "2026-04-06T00:13:13.392315Z",
	"updated_at": "2026-04-10T03:36:37.187279Z",
	"deleted_at": null,
	"sha1_hash": "4ea69318d78a69789cb8e098eb6b89ff1e036274",
	"title": "Clop ransomware claims responsibility for Cleo data theft attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2480036,
	"plain_text": "Clop ransomware claims responsibility for Cleo data theft attacks\r\nBy Lawrence Abrams\r\nPublished: 2024-12-15 · Archived: 2026-04-05 21:58:02 UTC\r\n12/16/24 update: Article updated to include new information about Cleo CVE-2024-50623 and CVE-2024-55956 flaws.\r\nThe Clop ransomware gang has confirmed to BleepingComputer that they are behind the recent Cleo data-theft attacks,\r\nutilizing zero-day exploits tracked as CVE-2024-50623 and CVE-2024-55956 to breach corporate networks and steal data.\r\nCleo is the developer of the managed file transfer platforms Cleo Harmony, VLTrader, and LexiCom, which companies use\r\nto securely exchange files between their business partners and customers.\r\nhttps://www.bleepingcomputer.com/news/security/clop-ransomware-claims-responsibility-for-cleo-data-theft-attacks/\r\nPage 1 of 5\r\nThe Cleo zero-days\r\nIn October, Cleo disclosed a vulnerability tracked as CVE-2024-50623 that allowed unrestricted file uploads and downloads,\r\nleading to remote code execution. 
This flaw was fixed in Cleo Harmony, VLTrader, and LexiCom version 5.8.0.21.\r\nAt the time, Cleo released a private advisory behind a support site login that warned that the vulnerability was exploited to\r\nopen a reverse shell back to the threat actors, giving them remote access to the compromised device.\r\n\"This vulnerability has been leveraged to install malicious backdoor code on certain Cleo Harmony, VLTrader, and LexiCom\r\ninstances in the form of a malicious Freemarker template containing server-side JavaScript,\" explained the advisory.\r\nHowever, the attacks didn't get widespread attention until cybersecurity firm Huntress warned last week that the Cleo\r\nplatforms were again being exploited in data theft attacks using a zero-day vulnerability.\r\n\"Although Cleo published an update and advisory for CVE-2024-50623—which allows unauthenticated remote code\r\nexecution—Huntress security researchers have recreated the proof of concept and learned the patch does not mitigate the\r\nsoftware flaw,\" reads Huntress' advisory.\r\nThe new vulnerability used in the December attacks is now tracked as CVE-2024-55956 and is fixed in Cleo Harmony,\r\nVLTrader, and LexiCom 5.8.0.24.\r\nWhile exploiting this vulnerability, the threat actors uploaded a Java backdoor dubbed \"Malichus\" that allows attackers to\r\nsteal data, execute commands, and gain further access to the compromised network.\r\nOn Friday, CISA confirmed that the critical CVE-2024-50623 security vulnerability in Cleo Harmony, VLTrader, and\r\nLexiCom file transfer software has been exploited in ransomware attacks but did not share any additional details.\r\nRapid7 has now confirmed that CVE-2024-55956 is not a patch bypass of CVE-2024-50623, as they exploit separate issues\r\nin a Cleo endpoint.\r\n\"Both CVE-2024-50623 and CVE-2024-55956 are unauthenticated file write vulnerabilities, due to separate issues in\r\nthe /Synchronization endpoint,\" reads Rapid7's report.\r\n\"Therefore 
CVE-2024-55956 is not a patch bypass of CVE-2024-50623, but rather a new vulnerability. It is also worth\r\nhighlighting that while CVE-2024-50623 allows for both reading and writing arbitrary files, CVE-2024-55956 only allows\r\nfor writing arbitrary files.\"\r\nClop claims responsibility for Cleo data theft attacks\r\nIt was previously thought that the Cleo attacks were conducted by a new ransomware gang named Termite. However, the\r\nCleo data theft attacks tracked more closely to previous attacks conducted by the Clop ransomware gang.\r\nAfter contacting Clop on Tuesday, the ransomware gang confirmed to BleepingComputer that they are behind the recent\r\nexploitation of the Cleo CVE-2024-55956 vulnerability detected by Huntress as well as the exploitation of the original\r\nCVE-2024-50623 flaw fixed in October.\r\n\"As for CLEO, it was our project (including the previous cleo) - which was successfully completed.\r\nAll the information that we store, when working with it, we observe all security measures. 
If the data is government\r\nservices, institutions, medicine, then we will immediately delete this data without hesitation (let me remind you about the\r\nlast time when it was with moveit - all government data, medicine, clinics, data of scientific research at the state level were\r\ndeleted), we comply with our regulations.\r\nwith love © CL0P^_\"\r\nClop told BleepingComputer\r\nWhen asked how many companies were impacted, Clop told BleepingComputer after publication of this story that they\r\ncannot say for sure, but \"quite a lot\".\r\nThe extortion gang has now announced that they are deleting data associated with past attacks from their data leak server\r\nand will only work with new companies breached in the Cleo attacks.\r\n\"Dear companies, Due to recent events (attack of CLEO) all links to data of all companies will be disabled and data will be\r\npermanently deleted from servers. 
We will work only with new companies,\" reads a new message on the gang's CL0P^_-\r\nLEAKS extortion site.\r\n\"Happy New Year © CL0P^_ all of the victims from their data leak site.\"\r\nMessage on the CL0P^_- LEAKS extortion site\r\nSource: BleepingComputer\r\nMost of the data currently archived on the Clop data leak site is for companies breached in the massive MOVEit Transfer\r\ndata theft attacks that occurred over the 2023 Memorial Day holiday in the US.\r\nBleepingComputer asked Clop when the attacks began and if Clop was affiliated with the Termite ransomware gang, but did\r\nnot receive a response to these questions.\r\nBleepingComputer also contacted Cleo on Friday to confirm if Clop was behind the exploitation of the vulnerabilities but\r\ndid not receive a response.\r\nSpecializing in exploiting file transfer platforms\r\nThe Clop ransomware gang, aka TA505 and Cl0p, launched in March 2019, when it first began targeting the enterprise using\r\na variant of the CryptoMix ransomware.\r\nLike other ransomware gangs, Clop breached corporate networks and slowly spread laterally through its systems while\r\nstealing data and documents. 
When they had harvested everything of value, they deployed ransomware on the network to\r\nencrypt its devices.\r\nHowever, since 2020, the ransomware gang has specialized in targeting previously unknown vulnerabilities in secure file\r\ntransfer platforms for data theft attacks.\r\nIn December 2020, Clop exploited a zero-day in the Accellion FTA secure file transfer platform, which impacted nearly one\r\nhundred organizations.\r\nThen in 2021, the ransomware gang exploited a zero-day in SolarWinds Serv-U FTP software to steal data and breach\r\nnetworks.\r\nIn 2023, Clop exploited a zero-day in the GoAnywhere MFT platform, allowing the ransomware gang to steal data from\r\nover 100 companies again.\r\nHowever, their most significant attack of this kind was using a zero-day in the MOVEit Transfer platform that allowed them\r\nto steal data from 2,773 organizations, according to a report by Emsisoft.\r\nAt this time, it is not clear how many companies have been impacted by the Cleo data theft attacks, and BleepingComputer\r\ndoes not know of any companies who have confirmed being breached through the platform.\r\nThe U.S. State Department's Rewards for Justice program currently has a $10 million bounty for information linking the\r\nClop ransomware attacks to a foreign government.\r\nSource: https://www.bleepingcomputer.com/news/security/clop-ransomware-claims-responsibility-for-cleo-data-theft-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/clop-ransomware-claims-responsibility-for-cleo-data-theft-attacks/"
	],
	"report_names": [
		"clop-ransomware-claims-responsibility-for-cleo-data-theft-attacks"
	],
	"threat_actors": [
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434393,
	"ts_updated_at": 1775792197,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4ea69318d78a69789cb8e098eb6b89ff1e036274.pdf",
		"text": "https://archive.orkl.eu/4ea69318d78a69789cb8e098eb6b89ff1e036274.txt",
		"img": "https://archive.orkl.eu/4ea69318d78a69789cb8e098eb6b89ff1e036274.jpg"
	}
}