Today's Core Dump is brought to you by ThreatPerspective

Security Affairs

CLOP targets Gladinet CentreStack servers in large-scale extortion campaign

The Clop ransomware group is targeting Gladinet CentreStack file servers in a new large-scale extortion campaign aimed at stealing sensitive data from organizations worldwide. Gladinet CentreStack is a software platform that allows organizations to turn their existing file servers, […]

Figure: the temp handler pointing to t.dn, which can be disabled as a mitigation (Source: Huntress)

“Removing the line highlighted above will mitigate the vulnerability present until such time as a patch can be applied,” the report concludes.

In early December, Barts Health NHS confirmed that the Clop ransomware group had stolen its data by exploiting the zero-day CVE-2025-61882 in its Oracle E-Business Suite. The group added the organization to its dark web data leak site and published the stolen information. Clop has been exploiting that critical Oracle EBS zero-day since early August, stealing sensitive data from numerous organizations worldwide, including Envoy Air, Harvard University, the Washington Post, Logitech, the University of Pennsylvania, and the University of Phoenix.

Clop (aka Cl0p) is a prolific Russian-speaking ransomware-as-a-service group specializing in big-game hunting and double extortion. It first appeared on the threat landscape around February 2019, emerging from the TA505 cybercrime group, a financially motivated gang active since at least 2014. Like other Russia-based threat actors, Clop avoids targets in former Soviet countries, and its malware will not activate on a computer whose primary language is Russian. Operators and affiliates identify high-value targets, steal sensitive data, encrypt networks, then publish stolen files on data-leak sites to pressure victims into paying.
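The Huntress mitigation quoted above is a "remove one handler line from web.config" workaround. As an added example (not code from the article, from Huntress, or from Gladinet), the PowerShell below shows how an administrator would apply a workaround of that kind safely on an IIS host: back up web.config, remove the matching <handlers><add .../> entry with an XML parser rather than a text edit, and re-read the file to confirm the entry is gone and the configuration still parses. The handler name, path and type in the constructed sample web.config, the `*t.dn*` match pattern and the temp-directory demo path are assumptions; on a real CentreStack server, match the exact line highlighted in the Huntress report.

```powershell
# Added example, not code from the Security Affairs article, Huntress or Gladinet.
# Removes one <handlers><add .../> entry from an IIS web.config in an XML-aware way,
# keeps a timestamped backup, and verifies the result. All handler names, paths and
# types below are constructed placeholders.

function Remove-IisHandlerByPath {
    param(
        [Parameter(Mandatory)] [string] $WebConfigPath,
        [Parameter(Mandatory)] [string] $PathPattern   # wildcard matched against the handler's path attribute
    )

    if (-not (Test-Path -LiteralPath $WebConfigPath)) {
        throw "web.config not found: $WebConfigPath"
    }
    # XmlDocument.Save resolves relative paths against the .NET working directory, so use an absolute path.
    $WebConfigPath = (Resolve-Path -LiteralPath $WebConfigPath).ProviderPath

    # Back up first: the workaround must be reversible once the vendor patch is applied.
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backup = "$WebConfigPath.bak-$stamp"
    Copy-Item -LiteralPath $WebConfigPath -Destination $backup

    [xml]$cfg = Get-Content -LiteralPath $WebConfigPath -Raw
    # '//' also catches handlers declared inside <location> blocks; @() materialises the
    # node list before we start removing nodes from it.
    $handlers = @($cfg.SelectNodes('//system.webServer/handlers/add'))
    $removed  = @()
    foreach ($h in $handlers) {
        if ($h.GetAttribute('path') -like $PathPattern) {
            $removed += $h.GetAttribute('name')
            [void]$h.ParentNode.RemoveChild($h)
        }
    }

    if ($removed.Count -eq 0) {
        Remove-Item -LiteralPath $backup
        Write-Warning "No handler matched '$PathPattern'; web.config left unchanged."
        return $null
    }

    $cfg.Save($WebConfigPath)

    # Re-read the file on disk: confirm it still parses and the entry is really gone.
    [xml]$check = Get-Content -LiteralPath $WebConfigPath -Raw
    $left = @($check.SelectNodes('//system.webServer/handlers/add') |
              Where-Object { $_.GetAttribute('path') -like $PathPattern })
    if ($left.Count -ne 0) {
        throw "Handler still present after edit; restore from $backup"
    }

    [pscustomobject]@{ Removed = $removed; Backup = $backup }
}

# --- Demo on a constructed web.config in the temp directory (placeholder values) ---
$demo = Join-Path $env:TEMP 'centrestack-demo-web.config'
@'
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <handlers>
      <add name="KeepMe" path="*.aspx" verb="*" type="System.Web.UI.PageHandlerFactory" />
      <add name="TempHandler" path="t.dn" verb="*" type="Example.Placeholder.TempHandler" />
    </handlers>
  </system.webServer>
</configuration>
'@ | Set-Content -LiteralPath $demo

$result = Remove-IisHandlerByPath -WebConfigPath $demo -PathPattern '*t.dn*'
"Removed handler(s): $($result.Removed -join ', '); backup at $($result.Backup)"
```

Keep the backup: the workaround should be reverted when the vendor patch is installed, since the patched handler may be required. ASP.NET restarts the application when web.config changes, so no manual recycle is needed, but confirm on the live site with Get-WebHandler from the WebAdministration module that the entry no longer appears.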
Clop exploits zero-days and vulnerable third-party software (e.g., MOVEit, GoAnywhere, Oracle EBS), leverages initial-access brokers and automation, and uses sophisticated evasion and lateral-movement techniques to maximize impact and monetization. Its victims include Shell, British Airways, Bombardier, the University of Colorado, PwC, and the BBC. Major campaigns include:

- GoAnywhere MFT (2023): exploited CVE-2023-0669 to compromise over 130 organizations.
- MOVEit Transfer (2023): one of the largest ransomware campaigns in history, impacting hundreds of companies worldwide, including US and European firms, through an SQL injection zero-day (CVE-2023-34362).
- Accellion FTA (2020-2021): exploited a zero-day in the file-transfer appliance to steal data from roughly 100 organizations.

Pierluigi Paganini (SecurityAffairs: hacking, Gladinet CentreStack)

Published: 2025-12-19T11:48:37

© Segmentation Fault. All rights reserved.
