Clop Ransomware Actors Exploiting the Latest 0-Day Exploits in the Wild

Cl0p, a prominent ransomware group operating since early 2019, has emerged as one of the most dangerous threats in the cybersecurity landscape.

With over 1,025 confirmed victims and more than $500 million in extorted funds, this Russian-linked group has consistently targeted corporate and private networks worldwide while strategically avoiding CIS countries.

The group earned its name from the “.cl0p” file extension it appends after encryption, though the term also translates to “bedbugs” in Russian, reflecting its persistent nature in compromising systems.

The ransomware group’s latest campaign showcases a sophisticated approach to zero-day exploitation, particularly leveraging CVE-2025-61882, a critical vulnerability discovered in Oracle E-Business Suite.

This ERP application, widely used for order management, procurement, and logistics functions across enterprises globally, presents an attractive target for threat actors seeking rapid network penetration and data exfiltration.

Representing Cl0p Usual Path (Source – The Raven File)

The vulnerability was initially observed in June 2025 but has become increasingly active in recent months.

The Raven File analysts noted that the exploitation infrastructure demonstrates a significant technical breakthrough.

Upon investigating the initial indicators of compromise shared by Oracle in October 2025, researchers discovered two outbound IP addresses directly associated with active attacks.

Through detailed fingerprint analysis and scanning with tools like Shodan and FOFA, analysts uncovered 96 distinct IP addresses sharing identical SSL certificate fingerprints with the initial attack infrastructure.

This clustering revealed the group’s operational patterns and network preferences across multiple geographic regions.

Infrastructure Reuse and Network Analysis: A Critical Pattern

The most striking technical discovery involves Clop’s deliberate infrastructure reuse strategy. Researchers identified that 41 subnet IPs from the current Oracle EBS exploitation were previously utilized during the 2023 MOVEit vulnerability attacks (CVE-2023-34362).

Clop Exploited CVEs (Source – The Raven File)

This pattern indicates the group maintains persistent hosting relationships and rotates infrastructure strategically rather than building entirely new networks between campaigns.

Analysis of the 96 identified IPs shows geographic distribution patterns, with Germany leading at 16 addresses, followed by Brazil (13) and Panama (12).

However, the underlying ASN infrastructure reveals concentrated use of Russian-based providers, despite geographic diversification efforts designed to evade traditional IP-based blocking strategies.

Further investigation uncovered that Clop employs sophisticated subnetting techniques, with 77.8 percent of identified subnets showing repeated usage across multiple attack campaigns.

The hosting entity analysis revealed Alviva Holdings Limited as a primary infrastructure provider, hosting 15 identified addresses.

This consistent reuse pattern provides defenders with valuable intelligence for threat hunting and network monitoring.
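As an added example (not code from the article or from The Raven File), the two pivots described above can be reproduced as a small threat-hunting script: start from a seed indicator's TLS certificate fingerprint, cluster scan results that share it, then measure how many /24 subnets of the resulting cluster were already seen in a prior campaign's indicator set. Every IP, fingerprint, country and ASN below is a constructed placeholder in documentation ranges, not a real indicator.

```python
import ipaddress
from collections import Counter

# Constructed sample scan output (not real indicators): documentation-range IPs,
# made-up certificate fingerprints and placeholder ASN/country labels.
# Record layout: (ip, tls_cert_fingerprint, country, asn)
SEED_FINGERPRINT = "sha256:SEED0000"
CURRENT_SCAN = [
    ("203.0.113.10", "sha256:SEED0000", "DE", "AS64500"),
    ("203.0.113.77", "sha256:SEED0000", "DE", "AS64500"),
    ("198.51.100.5", "sha256:SEED0000", "BR", "AS64501"),
    ("198.51.100.9", "sha256:OTHER111", "BR", "AS64501"),  # unrelated host
    ("192.0.2.200", "sha256:SEED0000", "PA", "AS64500"),
    ("192.0.2.201", "sha256:SEED0000", "PA", "AS64500"),
]
# Constructed indicators attributed to an earlier campaign.
PRIOR_CAMPAIGN_IPS = ["203.0.113.44", "192.0.2.1"]


def cluster_by_fingerprint(records, fingerprint):
    """Pivot: every scanned host presenting the same certificate fingerprint."""
    return sorted(ip for ip, fp, _, _ in records if fp == fingerprint)


def subnet(ip, prefix=24):
    """Collapse a host address to its /prefix network."""
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def subnet_reuse(current_ips, prior_ips, prefix=24):
    """Return (shared subnets, share of current subnets also seen before)."""
    current = {subnet(ip, prefix) for ip in current_ips}
    prior = {subnet(ip, prefix) for ip in prior_ips}
    shared = current & prior
    return sorted(str(n) for n in shared), len(shared) / len(current)


def distribution(records, ips, field):
    """Count cluster members by 'country' or 'asn' to spot hosting concentration."""
    idx = {"country": 2, "asn": 3}[field]
    wanted = set(ips)
    return Counter(rec[idx] for rec in records if rec[0] in wanted)


if __name__ == "__main__":
    cluster = cluster_by_fingerprint(CURRENT_SCAN, SEED_FINGERPRINT)
    shared, ratio = subnet_reuse(cluster, PRIOR_CAMPAIGN_IPS)
    print("cluster:", cluster)
    print("reused /24s:", shared, f"({ratio:.0%} of current subnets)")
    print("by country:", distribution(CURRENT_SCAN, cluster, "country"))
    print("by ASN:", distribution(CURRENT_SCAN, cluster, "asn"))
```

Geographic spread can look diverse (three countries here) while the ASN view shows most hosts behind a single provider, which is the concentration the article describes and the better key for blocking or alerting.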

The combination of zero-day exploitation capability, persistent infrastructure reuse, and geographic sophistication demonstrates why Cl0p remains among the most effective ransomware operations currently active in the threat landscape.


Tushar Subhra Dutta

Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.
