Threat-actor profile

← Back to main site

Home/ Threat Actors/ Cl0p

🇷🇺Cl0p

🇷🇺 Cl0p is a tracked threat actor in the Clankerusecase corpus. Attributed to RU. Primary motivation: Criminal. We map 26 detection use cases to this actor across 56 MITRE ATT&CK techniques, with 2 threat-intel articles citing them. Active in our corpus from 2026-05-18 to 2026-05-27.

crit 2

View full actor card → All threat actors MITRE ATT&CK group spec (G0092) ↗

26Use cases

2Articles

56Techniques

0IOCs

Known aliases

Cl0pClopTA505FIN11GRACEFUL SPIDERHive0065Spandex TempestCHIMBORAZO

Top techniques

T1190 · Exploit Public-Facing Application T1195.002 · Compromise Software Supply Chain T1486 · Data Encrypted for Impact

All other tracked techniques

T1003 · OS Credential Dumping T1003.001 · LSASS Memory T1005 · Data from Local System T1021.002 · SMB/Windows Admin Shares T1027.002 · Software Packing T1027.010 · Command Obfuscation T1027.013 · Encrypted/Encoded File T1041 · Exfiltration Over C2 Channel T1055.001 · Dynamic-link Library Injection T1059.001 · PowerShell T1059.003 · Windows Command Shell T1059.004 · Unix Shell T1059.005 · Visual Basic T1059.007 · JavaScript T1069 · Permission Groups Discovery T1071.001 · Web Protocols T1071.004 · DNS T1078.002 · Domain Accounts T1087.003 · Email Account T1098.001 · Additional Cloud Credentials T1098.005 · Device Registration T1102 · Web Service T1105 · Ingress Tool Transfer T1106 · Native API T1112 · Modify Registry T1133 · External Remote Services T1140 · Deobfuscate/Decode Files or Information T1204.001 · Malicious Link T1204.002 · Malicious File T1218 · System Binary Proxy Execution T1218.007 · Msiexec T1218.011 · Rundll32 T1505.003 · Web Shell T1528 · Steal Application Access Token T1539 · Steal Web Session Cookie T1552.001 · Credentials In Files T1553.002 · Code Signing T1553.005 · Mark-of-the-Web Bypass T1555.003 · Credentials from Web Browsers T1556.006 · Multi-Factor Authentication T1559.002 · Dynamic Data Exchange T1566 · Phishing T1566.001 · Spearphishing Attachment T1566.002 · Spearphishing Link T1566.004 · Spearphishing Voice T1567.002 · Exfiltration to Cloud Storage T1568.001 · Fast Flux DNS T1569.002 · Service Execution T1583.001 · Domains T1588.001 · Malware T1588.002 · Tool T1608.001 · Upload Malware T1685 · Disable or Modify Tools

Detection use cases (26)

Cl0p (TA505/FIN11) LEMURLOOT web shell drop on MOVEit/GoAnywhere (T1190 → T1505.003) AI · profile SΣDD Cl0p ransomware pre-encryption recovery-disable cluster (T1490) on a single host AI · profile SDD Shai-Hulud npm postinstall reads cloud credential files (~/.aws, ~/.ssh, ~/.kube, gcloud ADC) Bespoke Shai-Hulud exfiltration: node.exe POSTs to api.github.com creating public repo Bespoke Bling Libra: Entra device join immediately after vishing-driven MFA registration Bespoke Hazy Scorpius (CL0P) Oracle EBS exploitation via CVE-2025-61882 — concurrent processing spawns shell/wget Bespoke Beaconing — periodic outbound to small set of destinations Internal Asset exposure — vulnerability matches article CVE(s) Internal Phishing-link click correlated to endpoint execution Internal Email attachment opened from external sender Internal Office app spawning script/LOLBin child process Internal OAuth consent / suspicious app grant Internal Ransomware-style mass file rename / extension change Internal LSASS process access / dump (credential theft) Internal Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-category credential-store enumeration with rapid egress to anonymizing tunnel/CDN MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Developer package install spawning script-host with non-registry C2 within 5 minutes MITRE match Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint MITRE match Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) MITRE match Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution MITRE match Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress MITRE match Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes MITRE match npm/yarn/pnpm Install-Hook Spawn → Credential-Store Read or Worm-Payload Drop in node_modules MITRE match OAuth Device-Code Consent Phish to Cross-IP Cloud Token Replay MITRE match Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access MITRE match

Threat-intel articles (2)

crit Out of the Crypt: The Evolving Cyber Extortion Economy · 2026-05-27

crit IT threat evolution in Q1 2026. Mobile statistics · 2026-05-18

Tracked indicators

CVEs (3)

CVE-2025-61882 CVE-2026-20131 CVE-2026-45321