Mallory
Malware | Exploits 3 CVEs

Clop ransomware

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Exploited CVEs

3 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
CVE-2025-61882: Unauthenticated RCE in Oracle E-Business Suite Concurrent Processing BI Publisher Integration (exploited in the wild)

“Deploy Oct. 4, 2025 Security Alert patches for 9.8 CVE-2025-61882.”

via SC World (scworld.com)

CVE-2023-0669: Pre-authentication RCE in Fortra GoAnywhere MFT License Response Servlet (exploited in the wild)

In 2023, the notorious Clop ransomware gang exploited a zero-day vulnerability in GoAnywhere, tracked as CVE-2023-0669, to gain access to the sensitive data of Fortra customers.

via Dark Reading (darkreading.com)

CVE-2021-35211: RCE in SolarWinds Serv-U Managed File Transfer and Secure FTP (exploited in the wild)

"During multiple incident response investigations, NCC Group found that a vulnerable version of SolarWinds Serv-U server appeared to be the initial access used by TA505... The vulnerability being exploited is known as CVE-2021-35211."

via NCC Group Research (nccgroup.com)

MITRE ATT&CK techniques & procedures

16 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access (2 techniques)

T1190 Exploit Public-Facing Application (evidence: 2)

The hackers — a well-known group whose favored malware emerged in 2019 — last week began exploiting a new flaw in a widely used file-transfer software known as MOVEit, appearing to target as many exposed organizations as they could.

T1566 Phishing (evidence: 1)

“FIN7 primarily targets… using: T1566 – Spearphishing (for credentials and credit card information)”

Execution (1 technique)

T1204 User Execution (evidence: 1)

Annotations:
ID | Technique | Tactic
T1204 | User Execution | Execution

Persistence (2 techniques)

T1112 Modify Registry (evidence: 1)

...registry key modification...

T1543 Create or Modify System Process (evidence: 1)

The following analytic identifies the creation of a service with a known name used by CLOP ransomware for persistence and high-privilege code execution. It detects this activity by monitoring Windows Event Logs (EventCode 7045) for specific service names ("SecurityCenterIBM", "WinCheckDRVs"). This activity is significant because the creation of such services is a common tactic used by ransomware to maintain control over infected systems. If confirmed malicious, this could allow attackers to execute code with elevated privileges, maintain persistence, and potentially disrupt or encrypt critical data.

Privilege Escalation (1 technique)

T1543 Create or Modify System Process (evidence: 1)

The following analytic identifies the creation of a service with a known name used by CLOP ransomware for persistence and high-privilege code execution. It detects this activity by monitoring Windows Event Logs (EventCode 7045) for specific service names ("SecurityCenterIBM", "WinCheckDRVs"). This activity is significant because the creation of such services is a common tactic used by ransomware to maintain control over infected systems. If confirmed malicious, this could allow attackers to execute code with elevated privileges, maintain persistence, and potentially disrupt or encrypt critical data.

Stealth (3 techniques)

T1070 Indicator Removal (evidence: 1)

The following analytic identifies a process attempting to delete its own file path, a behavior often associated with defense evasion techniques.

T1070.001 Clear Windows Event Logs (evidence: 1)

This searches for wevtutil.exe with parameters for clearing the application, security, setup, powershell, sysmon, or system event logs.
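
The two analytics quoted on this page (the EventCode 7045 service-name check under T1543, and the wevtutil.exe log-clearing check under T1070.001) can be expressed as a small rule set and run over event records. The block below is an added example written for this page, not Mallory's or Splunk's code. The event dicts are constructed, the field names (EventCode, ServiceName, Image, CommandLine) follow the Splunk-style names used in the analytic text, and the host field is assumed to be added by the log pipeline; only the service names and log channels come from the page.

```python
import re

# Service names quoted from the Splunk analytic on this page (Event ID 7045).
CLOP_SERVICE_NAMES = {"securitycenteribm", "wincheckdrvs"}

# Log channels the wevtutil.exe analytic on this page lists as cleared.
WATCHED_LOGS = ("application", "security", "setup", "powershell", "sysmon", "system")

# wevtutil clears a log with "cl" or "clear-log"; the channel name may be quoted.
_CLEAR_RE = re.compile(r'\b(?:cl|clear-log)\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def check_service_install(event):
    """Event 7045 (System log): a new service was installed.

    Returns a finding dict when the service name is one of the names the page
    attributes to Clop, otherwise None.
    """
    if event.get("EventCode") != 7045:
        return None
    name = event.get("ServiceName", "")
    if name.lower() in CLOP_SERVICE_NAMES:
        return {"technique": "T1543", "host": event["host"], "indicator": name}
    return None


def check_wevtutil_clear(event):
    """Process-creation event: wevtutil.exe clearing one of the watched logs."""
    if not event.get("Image", "").lower().endswith("wevtutil.exe"):
        return None
    match = _CLEAR_RE.search(event.get("CommandLine", ""))
    if not match:
        return None  # e.g. "wevtutil qe ..." queries a log, it does not clear it
    channel = (match.group(1) or match.group(2)).lower()
    # Full channel names such as "Microsoft-Windows-Sysmon/Operational" or
    # "Windows PowerShell" are matched on the watched keyword they contain.
    if any(keyword in channel for keyword in WATCHED_LOGS):
        return {"technique": "T1070.001", "host": event["host"], "indicator": channel}
    return None


def scan(events):
    """Run both checks over a sequence of event dicts; return findings in order."""
    findings = []
    for event in events:
        for check in (check_service_install, check_wevtutil_clear):
            finding = check(event)
            if finding is not None:
                findings.append(finding)
    return findings


# Constructed sample events (not real telemetry). The "host" field is an
# assumption about what the collection pipeline adds to each record.
SAMPLE_EVENTS = [
    {"host": "ws01", "EventCode": 7045, "ServiceName": "WinCheckDRVs",
     "ImagePath": r"C:\Windows\Temp\update.exe"},
    {"host": "ws01", "EventCode": 7045, "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    {"host": "ws02", "EventCode": 4688, "Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil.exe cl Security"},
    {"host": "ws02", "EventCode": 4688, "Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": 'wevtutil.exe cl "Windows PowerShell"'},
    {"host": "ws03", "EventCode": 4688, "Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil.exe qe Application /c:5"},
    {"host": "ws03", "EventCode": 4688, "Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil clear-log Microsoft-Windows-Sysmon/Operational"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"{finding['host']}: {finding['technique']} ({finding['indicator']})")
```

Running the block flags the WinCheckDRVs service install on ws01 and the three clearing commands on ws02 and ws03; the Spooler install and the read-only `qe` query are left alone. The quoted-channel branch in the regex matters because "Windows PowerShell" contains a space and would otherwise be truncated to "Windows", which matches none of the watched keywords.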

T1070.004 File Deletion (evidence: 1)

...deleting of security logs...

Defense Impairment (1 technique)

T1112 Modify Registry (evidence: 1)

...registry key modification...

Discovery (1 technique)

T1135 Network Share Discovery (evidence: 1)

...including looking for file writes associated with Clop, encrypting network shares...

Exfiltration (4 techniques)

T1041 Exfiltration Over C2 Channel (evidence: 1)

Only limited localized data without sensitive or technical IT details had been exposed as a result of the intrusion... Clop previously leaked over 315 GB of archives purportedly obtained from the tire giant's systems.

T1048 Exfiltration Over Alternative Protocol (evidence: 1)

...involve the use of ransomware payloads along with exfiltration of data... threaten deletion and exposure of exfiltrated data.

T1537 Transfer Data to Cloud Account (evidence: 1)

A group of Russian-speaking cyber criminals has claimed credit for a sweeping hack that has compromised employee data at the BBC and British Airways...

T1567 Exfiltration Over Web Service (evidence: 1)

They’ve given victims until June 14 to discuss a ransom before they start publishing data from companies they claim to have hacked...

Impact (3 techniques)

T1486 Data Encrypted for Impact (evidence: 5)

The hackers, known as the CLOP ransomware gang...

T1490 Inhibit System Recovery (evidence: 1)

...deleting and resizing shadow volume storage...

T1657 Financial Theft (evidence: 1)

The group has stated that it will start publishing content from those organizations that do not negotiate an extortion payment by June 21st.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities (3)

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (16)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.