{
	"id": "fd618cfd-1842-4ec8-9731-14d97c5e37c7",
	"created_at": "2026-04-15T02:23:46.571279Z",
	"updated_at": "2026-04-18T02:22:27.119499Z",
	"deleted_at": null,
	"sha1_hash": "951e2e1c9c8b0e90710558a63e23dd476ecd6892",
	"title": "Cl0p hacker operating from Russia-Ukraine war front line – exclusive",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48129,
	"plain_text": "Cl0p hacker operating from Russia-Ukraine war front line –\r\nexclusive\r\nPublished: 2023-07-12 · Archived: 2026-04-15 02:13:44 UTC\r\nAs the Cl0p ransomware gang continues to sow anxiety worldwide, affecting prominent companies like the\r\nBBC and Deutsche Bank, at least one of the gang’s masterminds, Cybernews discovered, is still residing in\r\nUkraine.\r\nDeutsche Bank, one of the world’s largest banks, is the latest victim of the Cl0p gang. The bank’s customer data\r\nwas leaked after hackers penetrated a third-party vendor, Majorel, by exploiting the MOVEit vulnerability.\r\nOther major banks in Europe, including Deutsche Bank-owned Postbank, ING Bank, and Comdirect, have also\r\nbeen affected.\r\nCl0p, which has a tendency to publicly name its victims in batches, has reportedly been sitting on the zero-day\r\nvulnerability for two years. As is quite common with malicious activity en masse, malicious hackers chose the\r\nMemorial Day weekend in the US (May 27th and 28th) for a “broad swath of activity.”\r\nBefore the MOVEit saga, which seems far from over, Cl0p enjoyed the spotlight by exploiting Fortra’s\r\nGoAnywhere vulnerability. Shell, Hitachi, Hatch Bank, Rubrik, Virgin, and many others are among its claimed\r\nvictims.\r\nCuriously, Shell has been affected by both the GoAnywhere and MOVEit flaws.\r\nCl0p, first observed in 2019, is quite old for a ransomware gang, given that they tend to regularly restructure and\r\nrebrand to throw law enforcement off track. The hacker group, also known by cyber pundits as Lace Tempest,\r\nDungeon Spider, is affiliated with Russia.\r\nIn June 2021, Ukrainian law enforcement, in collaboration with US and South Korean officials, arrested six Cl0p\r\nmembers and dismantled the gang’s infrastructure. 
At the time, the group was accused of causing damage\r\namounting to $500 million.\r\nThe arrests forced the gang to shut down its operations for a short period of three to four months in 2021-2022.\r\nUnfortunately, the gang has been steadily recovering. As a matter of fact, according to the dark web intelligence\r\nplatform DarkFeed, Cl0p, with 361 victims and counting, is now among the three most active ransomware\r\ngroups, leaving such infamous gangs as REvil and Vice Society far behind.\r\nNew evidence points to the fact that the Russia-affiliated gang still operates from Ukraine.\r\nCybernews has received a new batch of evidence that one of the Cl0p ransomware strain developers is at large in\r\nthe city of Kramatorsk in Eastern Ukraine, on the front line of the Russia-Ukraine war.\r\nA security researcher, who was vetted by Cybernews and asked not to be named in the article, looked up one of\r\nCl0p’s developers on the dark web, and contacted them via a well-known communication channel.\r\nBecause of a flaw in the platform – we’re choosing not to name it to avoid giving you any naughty ideas – our\r\nanonymous hacker was able to extract the Cl0p developer’s internet protocol (IP) address, pointing us directly to\r\ntheir location in Kramatorsk.\r\nKramatorsk is a city in Eastern Europe that Russia has been trying to tear away from Ukraine since the annexation of\r\nCrimea, a Ukrainian peninsula, in 2014. Just days before the NATO Summit in Lithuania, where Ukraine’s\r\npresident Volodymyr Zelensky heard more promises of accelerating Ukraine’s admission to NATO, the Kremlin\r\nlaunched a deadly strike on Kramatorsk, killing three children, among other people.\r\nSource: https://cybernews.com/security/cl0p-hacker-hides-in-ukraine/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://cybernews.com/security/cl0p-hacker-hides-in-ukraine/"
	],
	"report_names": [
		"cl0p-hacker-hides-in-ukraine"
	],
	"threat_actors": [
		{
			"id": "c61fb5f8-fcd6-43e8-8b2d-4e81541589f7",
			"created_at": "2023-11-14T02:00:07.071699Z",
			"updated_at": "2026-04-18T02:00:03.751764Z",
			"deleted_at": null,
			"main_name": "DEV-0950",
			"aliases": [
				"Lace Tempest"
			],
			"source_name": "MISPGALAXY:DEV-0950",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a6814184-2133-4520-b7b3-63e6b7be2f64",
			"created_at": "2025-08-07T02:03:25.019385Z",
			"updated_at": "2026-04-18T02:00:04.809121Z",
			"deleted_at": null,
			"main_name": "GOLD VICTOR",
			"aliases": [
				"DEV-0832 ",
				"STAC5279 ",
				"Vanilla Tempest ",
				"Vice Society",
				"Vice Spider "
			],
			"source_name": "Secureworks:GOLD VICTOR",
			"tools": [
				"Advanced IP Scanner",
				"Advanced Port Scanner",
				"HelloKitty ransomware",
				"INC ransomware",
				"MEGAsync",
				"Neshta",
				"PAExec",
				"PolyVice ransomware",
				"PortStarter",
				"PsExec",
				"QuantumLocker ransomware",
				"Rhysida ransomware",
				"Supper",
				"SystemBC",
				"Zeppelin ransomware"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1db21349-11d6-4e57-805c-fb1e23a8acab",
			"created_at": "2022-10-25T16:07:23.630365Z",
			"updated_at": "2026-04-18T02:00:05.049203Z",
			"deleted_at": null,
			"main_name": "FIN11",
			"aliases": [
				"Chubby Scorpius",
				"DEV-0950",
				"Lace Tempest",
				"Operation Cyclone"
			],
			"source_name": "ETDA:FIN11",
			"tools": [
				"AZORult",
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"BLUESTEAL",
				"Cl0p",
				"EMASTEAL",
				"FLOWERPIPE",
				"FORKBEARD",
				"FRIENDSPEAK",
				"FlawedAmmyy",
				"GazGolder",
				"Get2",
				"GetandGo",
				"JESTBOT",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MINEDOOR",
				"MIXLABEL",
				"Meterpreter",
				"NAILGUN",
				"POPFLASH",
				"PuffStealer",
				"Rultazo",
				"SALTLICK",
				"SCRAPMINT",
				"SHORTBENCH",
				"SLOWROLL",
				"SPOONBEARD",
				"TiniMet",
				"TinyMet",
				"VIDAR",
				"Vidar Stealer"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aa8d7ec6-128a-41b9-8cdc-01ad8843020f",
			"created_at": "2022-10-25T16:07:24.485077Z",
			"updated_at": "2026-04-18T02:00:05.375695Z",
			"deleted_at": null,
			"main_name": "Dungeon Spider",
			"aliases": [],
			"source_name": "ETDA:Dungeon Spider",
			"tools": [
				"Locky"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "84aa9dbe-e992-4dce-9d80-af3b2de058c0",
			"created_at": "2024-02-02T02:00:04.041676Z",
			"updated_at": "2026-04-18T02:00:03.870827Z",
			"deleted_at": null,
			"main_name": "Vanilla Tempest",
			"aliases": [
				"DEV-0832",
				"Vice Society"
			],
			"source_name": "MISPGALAXY:Vanilla Tempest",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6898c5bc-48af-4e38-917b-f9f0a41d0ee2",
			"created_at": "2023-01-06T13:46:39.00984Z",
			"updated_at": "2026-04-18T02:00:03.471008Z",
			"deleted_at": null,
			"main_name": "DUNGEON SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:DUNGEON SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1776219826,
	"ts_updated_at": 1776478947,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/951e2e1c9c8b0e90710558a63e23dd476ecd6892.pdf",
		"text": "https://archive.orkl.eu/951e2e1c9c8b0e90710558a63e23dd476ecd6892.txt",
		"img": "https://archive.orkl.eu/951e2e1c9c8b0e90710558a63e23dd476ecd6892.jpg"
	}
}