{
	"id": "e41b04cd-752d-45e5-a1b2-2b98b0b919ed",
	"created_at": "2026-04-06T00:18:48.547182Z",
	"updated_at": "2026-04-10T13:12:21.645707Z",
	"deleted_at": null,
	"sha1_hash": "81382fb7d4154ec06e1453248c0c9911342be086",
	"title": "Cl0p in Your Network? Here's How to Find Out",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 677790,
	"plain_text": "Cl0p in Your Network? Here's How to Find Out\r\nBy Robert Lemos\r\nPublished: 2023-06-26 · Archived: 2026-04-05 23:33:11 UTC\r\nWidespread attacks against companies and government agencies through a trio of zero-day vulnerabilities in the\r\nMOVEit Managed File Transfer platform have granted notoriety to the Cl0p ransomware group.\r\nThe list of affected data continues to grow, including personal data on millions of workers investing in the\r\nCalPERS pension fund, employee information from more than 100,000 workers at the BBC and British Airways,\r\nsensitive data from the US Department of Energy, and personal information on citizens of Nova Scotia.\r\nThe widespread impact of the attack speaks volumes about the group's technical capabilities, says Steve Povolny,\r\ndirector of security research at Exabeam, a cybersecurity and compliance services firm.\r\n\"The shift that I see with these large threat actors, especially the ransomware gangs, [is that] they're well-funded,\r\nthey're well-resourced, they have large organizations, and they're not just finding zero days on GitHub anymore,\"\r\nhttps://www.darkreading.com/dr-tech/cl0p-in-your-network-how-to-find-out\r\nPage 1 of 4\n\nhe says. \"These are careful, dedicated, planned attacks that are designed to be very quiet and then be very loud all\r\nat once.\"\r\nDetermining the technical indicators that point to the adversary behind any attack is always tricky since tactics\r\nchange. 
The following indicators give organizations a starting point to investigate whether the Cl0p group has\r\nexploited the vulnerabilities in MOVEit file transfer utilities and may be in the network.\r\nThe MOVEit Attack: 'Human2' Fingerprint\r\nThe group behind Cl0p has used a number of vulnerabilities in file transfer services, such as GoAnywhere MFT in\r\nJanuary (CVE-2023-0669) and the MOVEit managed file transfer platforms in late May and early June (CVE-2023-34362).\r\nInitially, the attackers installed a Web shell, named LEMURLOOT, using the name \"human2.aspx\" and used\r\ncommands sent through HTTP requests with the \"X-siLock-Comment\" header field set. The advisory from the\r\nCybersecurity and Infrastructure Security Agency also includes four YARA rules for detecting a MOVEit breach.\r\nThe attack also leaves behind administrative accounts in associated databases for persistence — even if the Web\r\nserver has been completely reinstalled, the attackers can revive their compromise. Sessions in the \"activesessions\"\r\ndatabase with Timeout = '9999' or users in the User database with Permission = '30' and Deleted = '0' may indicate\r\nattacker activity, according to CrowdStrike.\r\nOne hallmark of the MOVEit attack, however, is that it typically leaves few technical indicators behind. The\r\nextended success of the Cl0p attack against MOVEit managed file transfer software and the difficulty in finding\r\nindicators of compromise show that product vendors need to spend additional effort on ensuring that forensically\r\nuseful logging is available, says Caitlin Condon, a security manager with vulnerability-management firm Rapid7.\r\n\"There's a lot of tracks here — there's a lot to follow,\" she says. 
\"Often, in looking to remediate the vulnerability\r\nand eradicate threat-actor access, a lot of companies were completely wiping the application, and that also will\r\nwipe the evidence.\"\r\nSigns of Cl0p Ransomware\r\nAt some point during an attack, the Cl0p group will likely deploy ransomware of the same name. Originally, the\r\nmalware was installed via phishing attacks, but increasingly attacks have targeted large organizations, often with\r\nexploits for new or recent vulnerabilities in file transfer or management software.\r\nTypically, the group uses legitimate code-signing certificates to evade detection by security software. In the past,\r\nfor example, the Cl0p ransomware installer has used either a certificate from Corsair Software Solution Inc. dated\r\nFriday, Feb. 12, 2021, or one from Insite Software Inc. dated Friday, Dec. 25, 2020, according to a technical\r\nadvisory published by Palo Alto Networks.\r\nThe attackers will also stop several system processes, including those belonging to backup programs and security\r\nsolutions.\r\nFollowing execution, the Cl0p ransomware appends a variety of extensions to the victim's files, including .clop,\r\n.CIIp, .Cllp, and .C_L_O_P. Ideally, companies would want to detect the ransomware before the point at which files are\r\nencrypted.\r\nAs with any technical indicators, static signatures are of limited use because attackers will often customize their\r\nmethods as a way to bypass detection based on fixed rules, according to cyberthreat experts.\r\nOther Signs: Truebot and Raspberry Robin\r\nOther common technical indicators of the Cl0p group are the ancillary tools they use to extend their compromise\r\nor alternative ways that they gain initial access.\r\nThe Truebot downloader, for example, is a popular intermediary payload that often leads to a Cl0p infection and is\r\nlinked to the Silence group. 
Truebot often leads to the installation of Cobalt Strike and/or the Grace downloader\r\nmalware, according to an analysis by Cisco's Talos group. For exfiltration, a custom tool known as Teleport is\r\ncommonly used as well.\r\nSilence has used a worm delivered through USB drives, known as Raspberry Robin, and sometimes through a\r\nthird-party pay-per-install service, according to Microsoft, which now tracks the group under its new taxonomy as\r\nLace Tempest. As of April, Microsoft noted that Raspberry Robin had been seen on almost 3,000 devices across\r\nnearly 1,000 organizations, with Truebot and/or Cobalt Strike following soon after, as Lace Tempest attempted to\r\ncompromise more systems.\r\nRaspberry Robin infections can be stopped by using Group Policy or registry settings to prevent autorun or the\r\nexecution of code upon inserting a USB drive, according to Microsoft.\r\nFinally, companies should always look for signs that a large volume of data is being exfiltrated, especially to\r\ninfrastructure known to be used by the Cl0p group, says Mike Stokkel, a senior threat intelligence analyst in NCC\r\nGroup's FOX-IT security-services group.\r\n\"Standard security measurements can already help by, for example, deploying [endpoint detection and response]\r\nsolutions on file transfer applications on a MOVEit system or a GoAnywhere system,\" he says. \"Using a network\r\nsensor and tracking outgoing outbound network traffic can also help. When you see 600 gigabytes going outside\r\nof your network, that's quite an anomaly.\"\r\nAbout the Author\r\nContributing Writer\r\nVeteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen\r\npublications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired\r\nNews. 
Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the\r\nBlaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the\r\nshortage in cybersecurity workers and annual vulnerability trends.\r\nSource: https://www.darkreading.com/dr-tech/cl0p-in-your-network-how-to-find-out",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.darkreading.com/dr-tech/cl0p-in-your-network-how-to-find-out"
	],
	"report_names": [
		"cl0p-in-your-network-how-to-find-out"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c61fb5f8-fcd6-43e8-8b2d-4e81541589f7",
			"created_at": "2023-11-14T02:00:07.071699Z",
			"updated_at": "2026-04-10T02:00:03.440831Z",
			"deleted_at": null,
			"main_name": "DEV-0950",
			"aliases": [
				"Lace Tempest"
			],
			"source_name": "MISPGALAXY:DEV-0950",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e8ebcbda-e8df-4a38-a2a6-63b2608ee6f3",
			"created_at": "2023-01-06T13:46:38.88051Z",
			"updated_at": "2026-04-10T02:00:03.131218Z",
			"deleted_at": null,
			"main_name": "Silence group",
			"aliases": [
				"WHISPER SPIDER"
			],
			"source_name": "MISPGALAXY:Silence group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1db21349-11d6-4e57-805c-fb1e23a8acab",
			"created_at": "2022-10-25T16:07:23.630365Z",
			"updated_at": "2026-04-10T02:00:04.694622Z",
			"deleted_at": null,
			"main_name": "FIN11",
			"aliases": [
				"Chubby Scorpius",
				"DEV-0950",
				"Lace Tempest",
				"Operation Cyclone"
			],
			"source_name": "ETDA:FIN11",
			"tools": [
				"AZORult",
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"BLUESTEAL",
				"Cl0p",
				"EMASTEAL",
				"FLOWERPIPE",
				"FORKBEARD",
				"FRIENDSPEAK",
				"FlawedAmmyy",
				"GazGolder",
				"Get2",
				"GetandGo",
				"JESTBOT",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MINEDOOR",
				"MIXLABEL",
				"Meterpreter",
				"NAILGUN",
				"POPFLASH",
				"PuffStealer",
				"Rultazo",
				"SALTLICK",
				"SCRAPMINT",
				"SHORTBENCH",
				"SLOWROLL",
				"SPOONBEARD",
				"TiniMet",
				"TinyMet",
				"VIDAR",
				"Vidar Stealer"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434728,
	"ts_updated_at": 1775826741,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/81382fb7d4154ec06e1453248c0c9911342be086.pdf",
		"text": "https://archive.orkl.eu/81382fb7d4154ec06e1453248c0c9911342be086.txt",
		"img": "https://archive.orkl.eu/81382fb7d4154ec06e1453248c0c9911342be086.jpg"
	}
}