1. Executive Summary
Cl0p (often written “CL0P”) is a financially motivated extortion operation best known for high-scale data theft campaigns that disproportionately impact organisations running internet-facing Managed File Transfer (MFT) platforms. Public reporting and government advisories describe Cl0p’s hallmark as mass exploitation of vulnerabilities in widely deployed file transfer products—followed by rapid data exfiltration and coercion via a leak site—rather than “encrypt-everything” ransomware deployment in every intrusion. In the MOVEit Transfer campaign, CISA’s #StopRansomware advisory and Mandiant reporting describe exploitation beginning in late May 2023, web shell deployment, and data theft at scale. Mandiant later assessed the MOVEit activity as overlapping with its FIN11 tracking (historically associated with extortion and monetisation operations), reflecting the broader reality that “Cl0p” is often an operational brand intersecting with established eCrime clusters.
Sources: CISA #StopRansomware advisory (AA23-158A) landing page, Mandiant analysis of MOVEit exploitation and attribution update, Canadian Centre for Cyber Security profile linking TA505/CL0P
2. Contextual Background
2.1 Nature of the threat
Cl0p’s recent activity is dominated by centralised “data-broker” compromises: rather than targeting a single endpoint fleet, the actor targets platforms that sit at the centre of business-to-business file exchange, where one compromise can expose many organisations’ regulated or commercially sensitive datasets.
Key vulnerability clusters associated with Cl0p-style campaigns (public reporting)
- MOVEit Transfer — CVE-2023-34362 (SQL injection): Exploited as a zero-day in late May 2023, with post-exploitation web shells and rapid data theft described by Mandiant and referenced by CISA guidance.
Links: Progress advisory for MOVEit Transfer (CVE-2023-34362) and NVD.
Additional technical reporting: Mandiant MOVEit exploitation details. - GoAnywhere MFT — CVE-2023-0669: Public vendor communications describe incident response actions around this vulnerability, widely linked in industry reporting to the Cl0p extortion ecosystem.
Links: Fortra investigation summary (CVE-2023-0669) and NVD. - Cleo Harmony / VLTrader / LexiCom — CVE-2024-50623 and CVE-2024-55956: Cleo issued advisories and security updates; Rapid7 published incident-driven reporting describing exploitation, post-exploitation tooling, and network indicators.
Links: Cleo advisory for CVE-2024-50623 and NVD; Cleo security update for CVE-2024-55956 and NVD; Rapid7 incident reporting on Cleo exploitation and follow-on malware.
Operational implication: defenders should treat internet-facing MFT as “blast-radius amplifiers”. An intrusion can convert into multi-party breach notifications and downstream regulatory exposure even if your own environment was not directly exploited.
2.2 Threat-actor attribution (if any)
Public reporting commonly associates Cl0p with broader eCrime tracking clusters including TA505 and FIN11, though naming conventions vary by vendor and not every “Cl0p-branded” event can be cleanly mapped to a single operator set using open sources alone. Mandiant’s MOVEit reporting explicitly describes an attribution update, merging initial tracking into FIN11 based on overlaps (including targeting and leak-site links). The Canadian Centre for Cyber Security also discusses the TA505/CL0P relationship in its profile write-up.
Confidence (Admiralty/NATO-style): Likely — consistent multi-source reporting supports the association, but the ecosystem may include affiliates and shared infrastructure, limiting certainty for every incident without privileged telemetry.
Sources: Mandiant attribution update in MOVEit reporting, Canadian Centre for Cyber Security profile, MITRE ATT&CK TA505 (G0092) overview
2.3 Sector and geographic targeting
Cl0p’s highest-impact campaigns are those where MFT sits on critical business workflows (HR/payroll, finance, customer communications, regulated data exchange, supply chain). Mandiant’s MOVEit write-up notes victim organisations across multiple industries and geographies and explicitly cautions the impact is likely broader than observed in its engagements. In the UK context, NCSC published guidance during the MOVEit incident due to the scale of data exposure and third-party breach implications.
Sources: Mandiant MOVEit campaign scope commentary, NCSC guidance on MOVEit vulnerability and incident
3. Technical Analysis
3.1 TTPs mapped to MITRE ATT&CK
Below is a consolidated view of behaviours repeatedly described across government/vendor/IR reporting for Cl0p-style MFT exploitation campaigns.
- Exploit Public-Facing Application — T1190
Observed in MOVEit exploitation (CVE-2023-34362) and described across later MFT vulnerability waves.
Sources: Progress MOVEit advisory, Mandiant MOVEit exploitation details - Server Software Component: Web Shell — T1505.003
Mandiant describes a “LEMURLOOT” web shell family with filenames such ashuman2.aspxand_human2.aspxmasquerading as legitimate MOVEit components.
Source: Mandiant on LEMURLOOT and observed filenames - Command and Scripting Interpreter — T1059
Rapid7’s Cleo exploitation reporting describes post-exploitation enumeration viacmdand follow-on PowerShell execution patterns consistent with interactive post-compromise activity.
Source: Rapid7 Cleo post-exploitation and loader behaviour - Exfiltration Over C2 Channel / Exfiltration to Cloud or External Infrastructure — T1041, T1567
Mandiant explicitly frames the MOVEit activity as exploitation followed by data theft, with extortion pressure via the actor’s leak site emerging after initial theft.
Source: Mandiant MOVEit timeline and extortion note
Pattern note: several incident write-ups (MOVEit in particular) emphasise that encryption is not always the immediate outcome; the data theft + extortion business model can be “complete” without broad endpoint ransomware deployment.
3.2 Exploitation status (in-the-wild) and PoC considerations
- Confirmed in-the-wild exploitation: MOVEit (CVE-2023-34362) — public advisories and incident reporting describe exploitation as active and widespread from late May 2023.
Sources: Progress MOVEit advisory, Mandiant MOVEit exploitation, CISA advisory page - Credible in-the-wild exploitation reporting: Cleo (CVE-2024-50623 / CVE-2024-55956) — vendor advisories plus incident-driven reporting with technical indicators and observed infrastructure.
Sources: Cleo CVE-2024-50623 advisory, Cleo CVE-2024-55956 update, Rapid7 Cleo exploitation reporting
4. Impact Assessment
4.1 Severity and scope
From a defender’s perspective, Cl0p’s most damaging characteristic is scalable victim acquisition: compromising an MFT platform can enable theft of large document sets (including PII/PHI, payroll, financial and contractual records) and trigger downstream breach notifications across supply chains.
For vulnerability-specific severity, rely on the authoritative CVSS scoring and vectors:
- MOVEit: NVD (CVE-2023-34362)
- Cleo: NVD (CVE-2024-50623), NVD (CVE-2024-55956)
For patch triage beyond CVSS, incorporate current EPSS (probability-of-exploitation) from FIRST’s public EPSS programme into your prioritisation workflow (scores move over time; treat EPSS as “time-sensitive”).
Source: FIRST EPSS overview
4.2 Victim profile
Observed victim profiles cluster around organisations that:
- operate internet-facing MFT services, and/or
- act as data intermediaries (payroll processors, HR platforms, financial service providers, managed service providers, supply-chain integrators).
In the MOVEit incident, UK guidance explicitly focused on third-party exposure and response actions because many organisations were impacted through suppliers rather than direct compromise.
Source: NCSC MOVEit guidance
5. Indicators of Compromise (IOCs)
5.1 IOC table (campaign-linked, publicly sourced)
The table below contains published indicators from reputable incident reporting. It is not exhaustive; treat it as a starting point for triage and threat hunting, and always scope indicators to the relevant product/campaign window.
| Type | Value | Context / Notes | Source |
|---|---|---|---|
| Web shell filename | human2.aspx | Mandiant observed LEMURLOOT web shell samples using this filename in MOVEit exploitation. | Mandiant MOVEit technical details |
| Web shell filename | _human2.aspx | Additional LEMURLOOT filename variant observed by Mandiant. | Mandiant MOVEit technical details |
| File path (Windows) | C:\MOVEitTransfer\wwwroot\ | Expel advises hunting for new/unauthorised files in this MOVEit web root directory during response. | Expel MOVEit response guidance |
| File extension / artefact | .cmdline | Expel notes .cmdline script files as artefacts to locate and remove; also highlights creation under Windows TEMP subdirectories. | Expel MOVEit response guidance |
| File path pattern (Windows) | C:\Windows\TEMP\[random]\*.cmdline | Location pattern highlighted for .cmdline artefacts associated with MOVEit incident response activities. | Expel MOVEit response guidance |
| Netblock / scanning source (MOVEit) | 5.252.188.0/22 | Mandiant reports scanning/exploitation frequently sourced from this range (interaction and second-stage activity may differ). | Mandiant MOVEit infrastructure observations |
| IP address | 92.118.36.112 | Kroll observed this IP in connection with malicious MOVEit activity (historical testing/operation timeline in their reporting). | Kroll MOVEit/Cl0p IP analysis |
| IP address | 45.129.137.232 | Kroll observed this IP targeting MOVEit servers (historic activity noted in their analysis). | Kroll MOVEit/Cl0p IP analysis |
| IP address | 45.182.189.102 | Rapid7 reports this as a Cobalt Strike server used in the Cleo exploitation chain they analysed. | Rapid7 Cleo campaign IOCs |
| URL path | /dpixel | Rapid7 cites this path as a payload location on 45.182.189.102 in Cleo incidents they investigated. | Rapid7 Cleo campaign IOCs |
| IP address | 89.248.172.139 | Network IOC published by Rapid7 in their Cleo exploitation reporting. | Rapid7 Cleo campaign IOCs |
| IP address | 176.123.10.115 | Network IOC published by Rapid7 in their Cleo exploitation reporting. | Rapid7 Cleo campaign IOCs |
| IP address | 185.162.128.133 | Network IOC published by Rapid7 in their Cleo exploitation reporting. | Rapid7 Cleo campaign IOCs |
| IP address | 185.163.204.137 | Network IOC published by Rapid7 in their Cleo exploitation reporting. | Rapid7 Cleo campaign IOCs |
| IP address | 185.181.230.103 | Network IOC published by Rapid7 in their Cleo exploitation reporting. | Rapid7 Cleo campaign IOCs |
5.2 Detection guidance (practical hunting aligned to published behaviours)
MOVEit-focused hunting (CVE-2023-34362 era)
File system and web root integrity checks
- Hunt for
human2.aspx/_human2.aspxand any newly created ASPX files underC:\MOVEitTransfer\wwwroot\(or your customised MOVEit install paths).
Sources: Mandiant on LEMURLOOT filenames, Expel on web root triage
Artefact sweeps for .cmdline
- Identify
.cmdlinefile creation events, particularly underC:\Windows\TEMP\subdirectories, and correlate timestamps with suspicious web requests and outbound data transfer spikes.
Source: Expel on.cmdlineartefacts and locations
Network telemetry
- Monitor for inbound exploitation attempts to MOVEit endpoints and outbound connections consistent with rapid follow-on exfiltration; incorporate Mandiant’s noted scanning netblock as a pivot (do not treat as exclusive).
Source: Mandiant infrastructure observations
Cleo-focused hunting (CVE-2024-50623 / CVE-2024-55956 era)
Rapid7-published network indicators
- Alert on any egress connections to Rapid7’s published IOC IPs (listed above) and particularly traffic to
45.182.189.102and the/dpixelpath described as a payload location.
Source: Rapid7 Cleo campaign IOCs
Post-exploitation behaviour baselining
- Rapid7 describes enumeration commands (e.g.,
systeminfo,whoami,net group /domain,nltest /domain_trusts) executed viacmdand a PowerShell chain consistent with loader behaviour. Use EDR/Sysmon to hunt for unusual parent/child chains spawningcmd.exeandpowershell.exeon Cleo hosts, especially where the host is not typically used for interactive administration.
Source: Rapid7 Cleo post-exploitation behaviour
6. Incident Response Guidance
6.1 Containment, eradication, recovery
- Remove external exposure first: temporarily restrict or block inbound access to affected MFT services until patch level and integrity are validated. This is repeatedly recommended across incident response guidance for mass exploitation events where speed matters more than service continuity in the first hours.
Source: Expel MOVEit immediate response steps - Patch and validate: apply vendor remediations and verify they are correctly applied (version drift, rollback, and partial patching are common failure modes in emergency response).
Sources: Progress MOVEit advisory, Cleo CVE-2024-55956 update - Assume credential exposure: rotate service accounts, API keys, and storage credentials used by the MFT platform (including cloud storage keys where integrated), reflecting Expel’s guidance for MOVEit responders.
Source: Expel MOVEit credential rotation guidance - Eradicate web shells and artefacts: remove confirmed malicious files (
human2.aspx,.cmdline, and any other unauthorised web root artefacts) and validate no persistence remains.
Sources: Mandiant LEMURLOOT details, Expel file artefact guidance
6.2 Forensic artefacts to collect
- Web server logs (access/error), application audit logs, database logs for the MFT platform.
- File integrity baselines and timeline (MFT install directories, web roots, Windows TEMP patterns).
- EDR telemetry for process ancestry and outbound connections from MFT hosts (especially around exploitation windows).
6.3 Lessons learned
- Treat MFT as a high-risk enterprise concentration point: enforce strict exposure controls, rapid patch SLAs, and “break-glass” response playbooks.
- Operationalise third-party breach intake: Cl0p-style events can appear first as a supplier notification rather than internal detection (highlighted in UK guidance during MOVEit).
Source: NCSC MOVEit guidance
7. Threat Intelligence Contextualisation
7.1 Similar incidents and lineage
Mandiant explicitly situates MOVEit within a broader pattern of exploiting file transfer appliances for data theft and extortion, noting earlier exploitation of Accellion FTA and later exploitation of GoAnywhere MFT. This supports an assessment that the actor prioritises repeatable, high-leverage compromise paths over bespoke per-victim intrusion.
Source: Mandiant historical comparison in MOVEit reporting
7.2 Full MITRE ATT&CK mapping (observed in public reporting)
| Tactic | Technique ID | Technique Name | Observed behaviour (public reporting) |
|---|---|---|---|
| Initial Access | T1190 | Exploit Public-Facing Application | Exploitation of MFT vulnerabilities (MOVEit, Cleo). |
| Persistence | T1505.003 | Web Shell | LEMURLOOT web shell deployed with human2.aspx / _human2.aspx filenames in MOVEit. |
| Execution | T1059 | Command and Scripting Interpreter | Rapid7-described Cleo post-exploitation uses cmd enumeration and PowerShell loader patterns. |
| Discovery | T1082 | System Information Discovery | systeminfo and related enumeration as described by Rapid7. |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | Data theft following web shell deployment and exploitation (MOVEit) per Mandiant. |
| Impact | T1486 | Data Encrypted for Impact | “Ransomware” branding persists, but reporting emphasises extortion via theft/leak even without broad encryption in some campaigns. |
Sources: Mandiant MOVEit technical write-up, Rapid7 Cleo exploitation reporting
8. Mitigation Recommendations
8.1 Actionable hardening steps
- Reduce attack surface: remove direct internet exposure for MFT admin and file transfer interfaces where possible; enforce VPN/IP allowlisting and MFA for administrative access.
- Instrument web roots: file integrity monitoring (FIM) on MFT application directories and web roots; alert on new script files and unusual modifications.
- Constrain egress: restrict outbound connectivity from MFT hosts to only required destinations (particularly important where exfiltration is the monetisation path).
8.2 Patch management advice (CVSS + EPSS-driven)
- Use NVD CVSS as the baseline severity input and combine it with current EPSS from FIRST to prioritise patching for internet-facing systems and high-value data brokers.
Sources: NVD CVE-2023-34362, NVD CVE-2024-50623, NVD CVE-2024-55956, FIRST EPSS programme - Where patching is delayed, adopt interim compensating controls immediately: disable or restrict HTTP/HTTPS exposure, increase logging retention, and implement WAF rules/virtual patching where vendor guidance supports it (without assuming it fully mitigates zero-day exploitation).
9. Historical Context & Related Vulnerabilities
Cl0p-associated operations show continuity in targeting file transfer ecosystems over multiple years, with Mandiant explicitly referencing prior exploitation of Accellion FTA (2020–2021) and GoAnywhere MFT (2023) as part of the same extortion-oriented pattern.
Source: Mandiant MOVEit report (historical comparisons)
10. Future Outlook
Cl0p’s demonstrated preference for high-leverage enterprise middleware suggests continued focus on:
- internet-facing “data hubs” (MFT, SSO-adjacent services, integration middleware),
- rapid exploitation of newly disclosed vulnerabilities and patch gaps,
- extortion pressure via public victim listing and data publication threats (particularly when encryption is unnecessary for leverage).
Given the recurring MFT theme, defenders should assume that new MFT vulnerabilities will be operationalised quickly and that exploitation may be automated at scale, compressing the window between disclosure and compromise.
11. Further Reading
Government / National cyber guidance
- CISA #StopRansomware advisory page for Cl0p / MOVEit (AA23-158A)
- NCSC guidance on MOVEit vulnerability and incident response
CTI / Incident reporting
- Mandiant: Zero-day exploitation of MOVEit for data theft (with attribution update)
- Rapid7: Cleo exploitation campaign with IOCs and post-exploitation detail
- Expel: MOVEit exploitation response actions and artefact hunting guidance
Threat actor / cluster context