Skip to main content
Mallory
Back to threat actors
Financially Motivated6 malware familiesExploits CVEs in the wild

Lace Tempest

Also known asDEV-0950Lace Tempest

Lace Tempest is a financially motivated threat actor tracked by Microsoft as DEV-0950 and associated with the Cl0p/Clop ransomware operation. Microsoft states its activity overlaps with FIN11 and TA505. The group has been linked to data theft, extortion, and ransomware activity, including operation of the Clop extortion site. Based on the provided content, Lace Tempest has exploited multiple high-profile enterprise software vulnerabilities for initial access and follow-on intrusion activity. In April 2023, exploitation of PaperCut NG/MF CVE-2023-27351 was attributed to Lace Tempest, and the group used the vulnerability in campaigns delivering Cl0p and LockBit ransomware. Microsoft assessed the actor began exploiting PaperCut vulnerabilities around April 13, 2023 for initial access, then deployed TrueBot, followed by Cobalt Strike for lateral movement, and used MegaSync for data theft. Some PaperCut intrusions led to LockBit ransomware deployment. Microsoft also attributed the MOVEit Transfer zero-day attacks involving CVE-2023-34362 to Lace Tempest. The content describes the actor as previously linked to Cl0p ransomware, data theft, and extortion attacks, and notes overlap with TA505 and FIN11. The broader campaign involved theft of data from compromised MOVEit environments and extortion pressure via the Clop leak/extortion ecosystem. In late 2023, Lace Tempest/DEV-0950 exploited the SysAid on-premise zero-day CVE-2023-47246. The group uploaded a web shell and additional payloads into the webroot of the SysAid Tomcat web service, gaining unauthorized access and control of affected systems. Microsoft further observed Lace Tempest issuing commands via SysAid software to deliver a malware loader. The content also notes that Gracewire malware is typically affiliated with Lace Tempest, and that Sangria Tempest has cooperated with Lace Tempest in past intrusions. Known aliases and related tracking names mentioned in the content include DEV-0950, FIN11, and TA505.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
MITRE ATT&CK

Tradecraft

17 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

10 of 15 tactics25 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0001
Initial Access
3 techniques
T1078
Valid Accounts
T1133
External Remote Services
T1190×8
Exploit Public-Facing Application
TA0002
Execution
1 technique
T1059
Command and Scripting Interpreter
T1059.001
PowerShell
TA0003
Persistence
3 techniques
T1078
Valid Accounts
T1133
External Remote Services
T1505
Server Software Component
T1505.003×3
Web Shell
TA0004
Privilege Escalation
3 techniques
T1068
Exploitation for Privilege Escalation
T1078
Valid Accounts
T1548
Abuse Elevation Control Mechanism
T1548.002
Bypass User Account Control
TA0005
Stealth
1 technique
T1078
Valid Accounts
TA0006
Credential Access
1 technique
T1649
Steal or Forge Authentication Certificates
TA0009
Collection
2 techniques
T1074
Data Staged
T1213×4
Data from Information Repositories
TA0011
Command and Control
2 techniques
T1071
Application Layer Protocol
T1071.001
Web Protocols
T1105
Ingress Tool Transfer
TA0010
Exfiltration
2 techniques
T1041
Exfiltration Over C2 Channel
T1567×3
Exfiltration Over Web Service
T1567.002×2
Exfiltration to Cloud Storage
TA0040
Impact
2 techniques
T1486×2
Data Encrypted for Impact
T1657×2
Financial Theft
ARSENAL

Associated malware families

6 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
ClopMicrosoft has linked the Clop ransomware gang to recent attacks exploiting a zero-day vulnerability in the MOVEit Transfer platform to steal data from organizations.8May 26, 2026
LockBitThe vulnerability was attributed to Lace Tempest, a Cl0p ransomware affiliate, in April 2023, used in campaigns delivering Cl0p and LockBit ransomware payloads.2Apr 21, 2026
Cobalt StrikeUltimately, Microsoft says a Cobalt Strike beacon was deployed and used to spread laterally through the network while stealing data...1Mar 18, 2026
LemurlootAttackers have exploited the SQLi vulnerability to deploy a custom ASP.NET web shell (LEMURLOOT) to achieve persistence on victim networks to allow for further attack.1Mar 18, 2026
Lizar...deploy the Lizar post-exploitation tool on compromised devices. This allowed the threat actors to gain a foothold within the targeted network and move laterally to deploy Clop ransomware...1Mar 18, 2026

1 additional family tracked in Mallory.

WEAPONIZED

Associated vulnerabilities

4 CVEs this actor has used in observed campaigns. 4 of them exploited in the wild.

CVE-2023-34362SQL Injection in Progress MOVEit TransferIn the wildEvidence5

June 2 The actively exploited vulnerability was assigned CVE-2023-34362 with a severity rating of 9.8 out of 10.

CVE-2023-27351Authentication Bypass in PaperCut NG/MF SecurityRequestFilterIn the wildEvidence3

CVE-2023-27351 — PaperCut NG/MF | Improper Authentication | CVSS 8.2 An improper authentication flaw in PaperCut NG/MF that allows attackers to bypass authentication via the SecurityRequestFilter class. This is not a new discovery — exploitation has been confirmed in the wild since early 2023. The vulnerability was attributed to Lace Tempest, a Cl0p ransomware affiliate, in April 2023, used in campaigns delivering Cl0p and LockBit ransomware payloads.

CVE-2023-27350Unauthenticated Authentication Bypass and RCE in PaperCut MF/NGIn the wildEvidence1

Two vulnerabilities were fixed in the PaperCut Application Server that allows remote attackers to perform unauthenticated remote code execution and information disclosure: CVE-2023–27350 ... Unauthenticated remote code execution flaw impacting all PaperCut MF or NG versions 8.0 or later... PaperCut disclosed that these flaws were actively exploited in the wild... A PoC exploit for the RCE flaw was released... Microsoft ... attributed the recent PaperCut attacks to the Clop and LockBit ransomware operations.

CVE-2023-47246SysAid On-Premise Path Traversal to Code ExecutionIn the wildEvidence1

A zero-day vulnerability was discovered in SysAid's on-premise software, exploited by the group DEV-0950 (Lace Tempest). The attackers uploaded a WebShell and other payloads, gaining unauthorized access and control. SysAid has released a patch (version 23.3.36) to remediate the vulnerability and urges customers to conduct a comprehensive compromise assessment.

ACTIVITY FEED

Recent activity

11 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

11 SOURCESView more in app
thecyberexpress com vulnerabilitiesNews
Apr 21, 2026
CISA Adds 8 Flaws To KEV Catalog, Cisco Catalyst Included

Linked to exploitation of CVE-2023-27351 to deploy Cl0p and LockBit ransomware.

Read more
cyberthroneNews
Apr 21, 2026
CISA Adds Eight Actively Exploited Vulnerabilities to KEV Catalog - TheCyberThrone

Attributed with exploiting CVE-2023-27351 in PaperCut NG/MF in campaigns delivering Cl0p and LockBit ransomware payloads.

Read more
the hacker newsNews
Oct 24, 2024
New Qilin.B Ransomware Variant Emerges with Improved Encryption and Evasion Tactics

Named ransomware gang reported (by Microsoft data context) as known for targeting hospitals/healthcare organizations.

Read more
splunk researchNews
Nov 9, 2023
Analytics Story: SysAid On-Prem Software CVE-2023-47246 Vulnerability | Splunk Security Content

Exploited the SysAid on-premise software zero-day CVE-2023-47246 to upload a web shell and additional payloads into the SysAid Tomcat web service webroot, enabling unauthorized access and control of affected systems.

Read more
+4 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping17

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal6

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs4

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.