Cl0p

Also known as: TA505, FIN11, Lace Tempest

Overview

Financially motivated group specializing in mass exploitation of file transfer appliances. Responsible for MOVEit, GoAnywhere, Accellion, and Cleo campaigns affecting thousands of organizations.

MITRE ATT&CK Coverage

Recon

Res Dev

Init Access

Execution

Persistence

Priv Esc

Def Evasion

Cred Access

Discovery

Lat Move

Collection

Exfil

Impact

5 of 14 tactics observed

Raw TTPs

Zero-Day ExploitationMass Data ExfiltrationFile Transfer TargetingExtortion without EncryptionAutomated Exploitation

Related Intelligence (3)

CRITICALRansomware

Initial Access Brokers have Shifted to High-Value Targets and Premium Pricing

Initial Access Brokers (IABs) are a key component of the cybercrime ecosystem, offering hassle-free building blocks for ransomware, data theft, and extortion. Rapid7’s analysis of H2 2025 activity across five major forums grants fresh insight into a power balance shift toward initial access sales from newer marketplaces, such as RAMP and DarkForums. Higher asking prices and more focus on high-valu

CVE-2025-61882

2d agoRapid7

HIGHData Breach

Cl0p Claims 200 New Victims from Cleo Campaign — Threatens Mass Data Release

Cl0p adds 200 organizations to its leak site from the Cleo file transfer campaign. Threatens mass data release starting April 1 if ransoms unpaid.

Cleo Harmony

4d agoBleepingComputer / Cl0p Leak Site

HIGHSupply ChainExploited

Cl0p Mass Exploits Cleo File Transfer Zero-Day — 600+ Organizations Hit

Cl0p launches fourth major file transfer campaign exploiting Cleo Harmony, VLTrader, and LexiCom zero-day. Systematic data exfiltration ongoing.

CVE-2026-27891Cleo Harmony

Mar 22, 2026Huntress / Cleo Advisory