Clop Ransomware Group Exploits New 0-Day Vulnerabilities in Active Attacks

The Clop ransomware group continues to pose a significant threat to enterprise organizations worldwide, with recent analysis revealing their exploitation of a critical zero-day vulnerability in Oracle E-Business Suite.

Operating since early 2019, Clop has established itself as one of the most prolific and sophisticated ransomware gangs, amassing a victim count exceeding 1,025 organizations and extorting over $500 million since its inception.

The group, believed to be a variant of the CryptoMix ransomware that emerged in 2016, strategically avoids targeting Commonwealth of Independent States (CIS) countries, with suspected origins tracing back to Russia.

The name “Clop” comes from the distinctive file extension (.cl0p) appended to encrypted files after a successful attack; “klop” is also the Russian word for “bedbugs”.

Clop Exploited CVEs.

What distinguishes this threat actor from its contemporaries is the consistent exploitation of cutting-edge zero-day vulnerabilities, a capability that underscores the group’s technical sophistication and intelligence-gathering operations.

Oracle EBS Zero-Day Exploitation

Recent threat intelligence analysis has uncovered a critical zero-day vulnerability in Oracle E-Business Suite, initially identified in June 2025, with Oracle officially releasing indicators of compromise (IOCs) in October 2025.

CVE-2025-61882, classified as a critical vulnerability, enables attackers to compromise integrated enterprise resource planning systems responsible for order management, procurement, and logistics operations across affected organizations.

The investigation began with two outbound IP addresses shared by Oracle: 185.181.60.11 (ASN: AS56655, Gigahost) and 200.107.207.26 (ASN: AS273045, DATAHOME S.A.). Further reconnaissance using internet scanners including Shodan and FOFA identified a network fingerprint associated with the El Salvadoran IP (200.107.207.26) that correlated with 96 additional IP addresses.

Geographical analysis revealed Germany leading with 16 IPs, followed by Brazil with 13 IPs and Panama with 12 IPs.

Notably, Russia appeared at the bottom of the list with only three IPs, indicating a deliberate infrastructure diversification strategy as organizations increasingly block Russian autonomous system numbers (ASNs).

Historical MOVEit Campaign

A significant breakthrough emerged during deep-dive analysis when researchers cross-referenced the current exploit infrastructure against historical IOCs documented in CISA’s official reports regarding the 2023 MOVEit vulnerability exploitation.

Specifically, 41 of the 96 identified subnet IPs were previously utilized during the MOVEit campaign (CVE-2023-34362), establishing a high-confidence connection between present and past Clop operations.

The overlapping subnet analysis revealed that Clop maintains persistent infrastructure patterns across multiple exploitation campaigns spanning from January 2023 to present operations.

By combining data from both the MOVEit exploit cluster and the subsequent Fortra GoAnywhere command injection vulnerability (CVE-2023-0669), researchers identified 37 high-confidence IP addresses demonstrating exact matches across both 2023 incidents.

Notably, 59.5 percent of these IPs geolocate to the United States, with 13.5 percent in Canada and 8.1 percent in the Netherlands.

SSL certificate fingerprint analysis proved instrumental in establishing infrastructure continuity.

The fingerprint “bd613b3be57f18c3bceb0aaf86a28ad8b6df7f9bccacf58044f1068d1787f8a5” associated with the Oracle EBS exploitation matched fingerprints previously documented during 2023 MOVEit operations, directly connecting current attacks to historical campaigns.

Subnet analysis across multiple fingerprints revealed that 77.8 percent of identified subnets demonstrated reuse patterns, with the 5.188.86/24 subnet appearing 14 times across multiple exploitation incidents.
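The correlation the researchers describe above (exact IP matches against historical CISA IOCs, /24 subnet overlap between the Oracle EBS cluster and the 2023 MOVEit and GoAnywhere clusters, intersection of the two 2023 sets to obtain a high-confidence list, and TLS certificate fingerprint matching) is the kind of check a defender can reproduce against a published IOC list. The following Python script is an added example written for this page; it is not code from the article or from any of the vendors named. All IPs are drawn from RFC 5737 documentation ranges and the fingerprints are placeholder strings, so the data is constructed and not real threat intelligence; the function and campaign names are assumptions for illustration.

```python
"""Infrastructure-overlap correlation across ransomware campaigns (added example).

Given a current IOC set and one or more historical campaign IOC sets, report
exact IP matches, /24 subnet reuse, per-subnet recurrence and shared TLS
certificate fingerprints. Sample data is constructed (RFC 5737 ranges and
placeholder hashes) and does not describe any real infrastructure.
"""
from collections import Counter
from dataclasses import dataclass
import ipaddress
from typing import Dict, FrozenSet, Iterable, List, Tuple


@dataclass(frozen=True)
class Campaign:
    """One campaign's IOCs: observed IPv4 addresses and TLS cert SHA-256 values."""
    name: str
    ips: FrozenSet[str]
    cert_fps: FrozenSet[str]


def subnet24(ip: str) -> str:
    """Return the /24 network containing ip, e.g. '192.0.2.25' -> '192.0.2.0/24'."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def exact_ip_overlap(current: Campaign, historical: Campaign) -> List[str]:
    """IPs seen verbatim in both campaigns (the strongest link)."""
    return sorted(current.ips & historical.ips)


def subnet_overlap(current: Campaign, historical: Campaign) -> Tuple[List[str], float]:
    """Shared /24 subnets and the percentage of the current campaign's subnets reused."""
    cur = {subnet24(ip) for ip in current.ips}
    hist = {subnet24(ip) for ip in historical.ips}
    shared = cur & hist
    pct = round(100.0 * len(shared) / len(cur), 1) if cur else 0.0
    return sorted(shared), pct


def subnet_recurrence(campaigns: Iterable[Campaign]) -> Counter:
    """Number of distinct campaigns in which each /24 subnet appears."""
    seen = Counter()
    for camp in campaigns:
        for net in {subnet24(ip) for ip in camp.ips}:
            seen[net] += 1
    return seen


def fingerprint_overlap(current: Campaign, historical: Campaign) -> List[str]:
    """TLS certificate fingerprints present in both campaigns."""
    return sorted(current.cert_fps & historical.cert_fps)


def high_confidence_ips(campaigns: Iterable[Campaign]) -> List[str]:
    """IPs present in every one of the given campaigns (exact match across all)."""
    sets = [c.ips for c in campaigns]
    return sorted(frozenset.intersection(*sets)) if sets else []


def correlate(current: Campaign, history: Iterable[Campaign]) -> Dict[str, dict]:
    """Summarise how the current campaign relates to each historical one."""
    report = {}
    for hist in history:
        shared_nets, pct = subnet_overlap(current, hist)
        report[hist.name] = {
            "exact_ips": exact_ip_overlap(current, hist),
            "shared_subnets": shared_nets,
            "subnet_reuse_pct": pct,
            "shared_cert_fps": fingerprint_overlap(current, hist),
        }
    return report


# Constructed sample data: documentation-range IPs and placeholder fingerprints.
MOVEIT_2023 = Campaign("moveit-2023",
                       frozenset({"192.0.2.10", "192.0.2.25", "198.51.100.7"}),
                       frozenset({"fp-A-placeholder", "fp-B-placeholder"}))
GOANYWHERE_2023 = Campaign("goanywhere-2023",
                           frozenset({"192.0.2.25", "203.0.113.40"}),
                           frozenset({"fp-B-placeholder"}))
EBS_2025 = Campaign("ebs-2025",
                    frozenset({"192.0.2.25", "192.0.2.200", "198.51.100.7", "203.0.113.5"}),
                    frozenset({"fp-A-placeholder", "fp-C-placeholder"}))

if __name__ == "__main__":
    for name, details in correlate(EBS_2025, [MOVEIT_2023, GOANYWHERE_2023]).items():
        print(name, details)
    print("recurring subnets:", subnet_recurrence([MOVEIT_2023, GOANYWHERE_2023, EBS_2025]))
    print("high-confidence 2023 IPs:", high_confidence_ips([MOVEIT_2023, GOANYWHERE_2023]))
```

Exact IP matches and shared certificate fingerprints carry the most weight; a /24 overlap alone is weaker evidence, since a hosting provider's range may be shared by unrelated tenants, so the percentage figure is best read alongside the recurrence count rather than on its own.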

IOC shared by Oracle.

These findings underscore Clop’s reliance on persistent infrastructure despite heightened detection efforts, suggesting the group maintains operational continuity through deliberately compartmentalized network segments while progressively shifting geographic distribution to evade regional blocking measures.
