
Threat Actor Characterization

Cl0p

ID: e5ae61159b88ad01b6af770ffc94d07d60709
Darkweb Market/Service: RaaS Program
Threat types: Ransomware, Intrusion, Data Leak, Extortion
Russia USA
Updated: 2026-03-14
Created: 2025-10-20
Progress: 85% Completeness: 92% Freshness: 70%
Operation zone: United States
Aliases: Cl0p Ransomware, Cl0p Ransomware Group
MITRE ATT&CK®

Cl0p is a cybercrime extortion brand commonly linked in public reporting to the TA505/FIN11 ecosystem, notable for mass exploitation of enterprise MFT platforms to enable data theft and leak-site coercion.


Technique | Technique name | Tactic | Evidence

T1190 Exploit Public-Facing Application (TA0001 Initial Access)
  • 2023-06-07 — Exploitation of a public-facing application (MOVEit Transfer, CVE-2023-34362) described as the initial access vector for the CL0P data theft campaign. · ref
  • 2024-12-10 — Cleo product vulnerabilities (CVE-2024-50623) described by the vendor; public reporting links their exploitation to extortion campaigns under the CL0P brand. · ref
T1505.003 Web Shell (TA0003 Persistence)
  • 2023-06-07 — Web shell deployment (LEMURLOOT / human2.aspx patterns) referenced in MOVEit exploitation reporting. · ref
T1059.001 PowerShell (TA0002 Execution)
  • 2023-06-07 — PowerShell use is described in the ATT&CK mapping and detection guidance within government reporting on CL0P-associated tradecraft. · ref
  • 2025-01-06 — INFERENCE (confidence: medium): Post-exploitation activity against MFT platforms often includes PowerShell-based execution/staging; Cleo exploitation reporting highlights command execution paths. · ref
T1059.003 Windows Command Shell (TA0002 Execution)
  • 2023-06-07 — Windows command shell usage appears in ATT&CK mappings and operational descriptions of CL0P-related campaigns. · ref
T1041 Exfiltration Over C2 Channel (TA0010 Exfiltration)
  • 2023-06-07 — Exfiltration over a C2 channel is mapped in government reporting; the campaign emphasis is data theft and exfiltration from MFT systems. · ref
T1070 Indicator Removal (TA0005 Defense Evasion)
  • 2025-10-01 — INFERENCE (confidence: medium): Ransomware/extortion intrusions commonly include artifact/log cleanup; vendor reporting describes attempts to delete logs/backups in some Clop-related narratives. · ref
T1486 Data Encrypted for Impact (TA0040 Impact)
  • 2023-07-21 — INFERENCE (confidence: medium): Some reporting states that the MOVEit wave focused on data theft without confirmed encryption; Clop still historically operates as ransomware and may encrypt selectively. · ref
Strategic Intelligence
Last updated: 2026-02-23T04:57:19+00:00

Cl0p — RaaS brand / mass data-extortion via managed file transfer (MFT) exploitation

Classification: TLP:WHITE — Open Source Intelligence (OSINT)

Category: Cybercrime / Ransomware & Extortion — Origin: INFERENCE (confidence: high): Russian-speaking ecosystem

Author: iQBlack CTI Team



Executive Summary

Cl0p (also stylized as CL0P / Clop) is a long-running ransomware-and-extortion brand commonly linked in public reporting to the TA505/FIN11 criminal ecosystem. The brand is notable for combining classic “big game hunting” intrusion playbooks with periodic, high-scale supply-chain style data-theft waves driven by exploitation of managed file transfer (MFT) products. The most widely documented mass exploitation wave was the 2023 MOVEit Transfer campaign, where the actor leveraged a SQL injection vulnerability (CVE-2023-34362) and deployed a web shell commonly referenced as LEMURLOOT to exfiltrate data.

A recurring strategic characteristic is the actor’s preference for extortion leverage based on data theft and public exposure, including operating or advertising a Tor-hosted leak site (“name-and-shame”), and in at least one phase, publishing stolen data via torrent-based distribution mechanisms. In several campaigns, public reporting indicates encryption may be absent or secondary to data-theft-driven coercion.

From a defender perspective, Cl0p is best modeled as an ecosystem actor with two operating modes: (1) affiliate-style intrusions that look like mainstream ransomware operations (initial access brokers, phishing, loaders, lateral movement); and (2) opportunistic mass exploitation where the compromised component is the MFT application itself, and the actor may not require full domain-wide lateral movement to achieve monetization.

Executive Analyst Brief for Decision Makers — Cl0p
Hunting Playbook — Cl0p (TA505 / FIN11-linked data-theft extortion & selective ransomware)
Last updated: 2026-02-23T05:01:55+00:00

IOC Appendix (TLP:WHITE) — Cl0p
Last saved: 2026-02-23T05:02:11+00:00

OSINT Library — Cl0p


2023-06-07 — CISA / FBI (#StopRansomware) — “AA23-158A: CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability”
Social Media & Communication
Reference Images/Associated Evidence

[2 images titled "HOME | CL0P^_- LEAKS"]