{
	"id": "182fb66d-00bf-4845-a134-ba541d6d3deb",
	"created_at": "2026-04-06T00:19:00.807861Z",
	"updated_at": "2026-04-10T13:12:58.459088Z",
	"deleted_at": null,
	"sha1_hash": "6935fe4ffe49aac4868ea8dc8370f5bc7a096762",
	"title": "Clop ransomware claims it breached 130 orgs using GoAnywhere zero-day",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3893884,
	"plain_text": "Clop ransomware claims it breached 130 orgs using GoAnywhere zero-day\r\nBy Sergiu Gatlan\r\nPublished: 2023-02-10 · Archived: 2026-04-05 13:51:01 UTC\r\nThe Clop ransomware gang claims to be behind recent attacks that exploited a zero-day vulnerability in the GoAnywhere\r\nMFT secure file transfer tool, saying they stole data from over 130 organizations.\r\nThe security flaw, now tracked as CVE-2023-0669, enables attackers to gain remote code execution on unpatched\r\nGoAnywhere MFT instances with their administrative console exposed to Internet access.\r\nClop reached out to BleepingComputer and told us that they had allegedly stolen the data over the course of ten days after\r\nbreaching servers vulnerable to exploits targeting this bug.\r\nhttps://www.bleepingcomputer.com/news/security/clop-ransomware-claims-it-breached-130-orgs-using-goanywhere-zero-day/\r\nPage 1 of 5\n\nThey also claimed that they could move laterally through their victims’ networks and deploy ransomware payloads to\r\nencrypt their systems but decided against it and only stole the documents stored on the compromised GoAnywhere MFT\r\nservers.\r\nThe gang refused to provide proof or share additional details regarding their claims when BleepingComputer asked them\r\nwhen the attacks began, if they'd already started extorting their victims, and what ransoms they were asking for.\r\nBleepingComputer could not independently confirm Clop's claims, and Fortra has not replied to emails asking for more info\r\nregarding CVE-2023-0669 exploitation and the ransomware group's allegations.\r\nHowever, Huntress Threat Intelligence Manager Joe Slowik linked the GoAnywhere MFT attacks to TA505, a threat group\r\nknown for deploying Clop ransomware in the past, while investigating an attack where the TrueBot 
malware downloader\r\nwas deployed.\r\n\"While links are not authoritative, analysis of Truebot activity and deployment mechanisms indicate links to a group referred\r\nto as TA505. Distributors of a ransomware family referred to as Clop, reporting from various entities links Silence/Truebot\r\nactivity to TA505 operations,\" Slowik said.\r\n\"Based on observed actions and previous reporting, we can conclude with moderate confidence that the activity Huntress\r\nobserved was intended to deploy ransomware, with potentially additional opportunistic exploitation of GoAnywhere MFT\r\ntaking place for the same purpose.\"\r\nActively exploited flaw in secure file transfer tool\r\nGoAnywhere MFT's developer Fortra (formerly known as HelpSystems) disclosed to its customers last week that the\r\nvulnerability was being exploited as a zero-day in the wild.\r\nOn Monday, a proof-of-concept exploit was also released online, allowing unauthenticated remote code execution on\r\nvulnerable servers.\r\nThe company issued emergency security updates the next day to allow customers to secure their servers from incoming\r\nattack attempts.\r\nSince then, Fortra has published another update on its support website (accessible only after logging in with a user account)\r\non Thursday, saying that some of its MFTaaS instances were also breached in the attacks.\r\n\"We have determined that an unauthorized party accessed the systems via a previously unknown exploit and created\r\nunauthorized user accounts,\" Fortra said.\r\n\"As part of our actions to address this and out of an abundance of caution, we have implemented a temporary service outage.\r\nService continues to be restored on a customer-by-customer basis as mitigation is applied and verified within each\r\nenvironment.\r\n\"We are working directly with customers to assess their individual potential impact, apply mitigations, and restore systems.\"\r\nCISA also added the CVE-2023-0669 GoAnywhere MFT vulnerability to its  Known 
Exploited Vulnerabilities Catalog on\r\nFriday, ordering federal agencies to patch their systems within the next three weeks, until March 3rd.\r\nWhile Shodan shows that over 1,000 GoAnywhere instances are exposed online, only 135 are on ports 8000 and 8001 (the\r\nones used by the vulnerable admin console).\r\nInternet-exposed GoAnywhere MFT appliances (Shodan)\r\nClop's Accellion extortion attacks\r\nClop's alleged use of the GoAnywhere MFT zero-day to steal data is a very similar tactic to the one they used in December\r\n2020, when they discovered and exploited an Accellion FTA zero-day vulnerability to steal the data of approximately 100\r\ncompanies.\r\nAt the time, companies were receiving emails demanding $10 million ransom payments to avoid having their data publicly\r\nleaked.\r\nIn the 2020 Accellion attacks, Clop's operators stole large amounts of data from high-profile companies using Accellion's\r\nlegacy File Transfer Appliance (FTA).\r\nOrganizations that had their servers hacked by Clop include, among others, energy giant Shell, supermarket giant Kroger,\r\ncybersecurity firm Qualys, and multiple universities worldwide (e.g., Stanford Medicine, University of Colorado, University\r\nof Miami, University of Maryland Baltimore (UMB), and the University of California).\r\nIn June 2021, some of Clop's infrastructure was shut down following an international law enforcement operation codenamed\r\nOperation Cyclone when six money launderers who provided services to the Clop ransomware gang were arrested in\r\nUkraine.\r\nThe gang has also been linked to ransomware attacks worldwide since at least 2019. 
Some victims that had their servers\r\nencrypted by Clop include Maastricht University, Software AG IT, ExecuPharm, and Indiabulls.\r\nUpdate February 10, 15:25 EST: Added a section showing that Huntress made a link between GoAnywhere MFT attacks and\r\nthreat actors known for deploying Clop ransomware.\r\nSource: https://www.bleepingcomputer.com/news/security/clop-ransomware-claims-it-breached-130-orgs-using-goanywhere-zero-day/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/clop-ransomware-claims-it-breached-130-orgs-using-goanywhere-zero-day/"
	],
	"report_names": [
		"clop-ransomware-claims-it-breached-130-orgs-using-goanywhere-zero-day"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1db21349-11d6-4e57-805c-fb1e23a8acab",
			"created_at": "2022-10-25T16:07:23.630365Z",
			"updated_at": "2026-04-10T02:00:04.694622Z",
			"deleted_at": null,
			"main_name": "FIN11",
			"aliases": [
				"Chubby Scorpius",
				"DEV-0950",
				"Lace Tempest",
				"Operation Cyclone"
			],
			"source_name": "ETDA:FIN11",
			"tools": [
				"AZORult",
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"BLUESTEAL",
				"Cl0p",
				"EMASTEAL",
				"FLOWERPIPE",
				"FORKBEARD",
				"FRIENDSPEAK",
				"FlawedAmmyy",
				"GazGolder",
				"Get2",
				"GetandGo",
				"JESTBOT",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MINEDOOR",
				"MIXLABEL",
				"Meterpreter",
				"NAILGUN",
				"POPFLASH",
				"PuffStealer",
				"Rultazo",
				"SALTLICK",
				"SCRAPMINT",
				"SHORTBENCH",
				"SLOWROLL",
				"SPOONBEARD",
				"TiniMet",
				"TinyMet",
				"VIDAR",
				"Vidar Stealer"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434740,
	"ts_updated_at": 1775826778,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6935fe4ffe49aac4868ea8dc8370f5bc7a096762.pdf",
		"text": "https://archive.orkl.eu/6935fe4ffe49aac4868ea8dc8370f5bc7a096762.txt",
		"img": "https://archive.orkl.eu/6935fe4ffe49aac4868ea8dc8370f5bc7a096762.jpg"
	}
}