The Clop ransomware group remains a major threat to enterprises worldwide, most recently exploiting a critical zero-day vulnerability in Oracle E-Business Suite. Since emerging in 2019, Clop has become one of the most prolific ransomware operations, claiming more than 1,025 victim organizations and extorting over $500 million. It originated as a variant of the CryptoMix ransomware and, consistent with its suspected Russian roots, avoids targeting organizations in Commonwealth of Independent States (CIS) countries. The name comes from the distinctive ".cl0p" extension the ransomware appends to encrypted files; "klop" is Russian for "bedbug".
What sets Clop apart is its repeated use of previously unknown (zero-day) vulnerabilities, a marker of real technical sophistication. The most recent case is CVE-2025-61882, a critical zero-day vulnerability in Oracle E-Business Suite: exploitation was first detected in June 2025, and Oracle published an advisory with indicators of compromise (IOCs) in October 2025. Oracle describes the flaw as remotely exploitable without authentication, which gives attackers a direct path to compromising the enterprise resource planning (ERP) systems built on the suite.
The investigation started from two IP addresses that Oracle published as IOCs and pivoted from them to 96 additional IPs. Germany hosted the largest share of these addresses, followed by Brazil and Panama, with Russia at the bottom of the list, which points to a deliberate effort by Clop to spread its infrastructure across many hosting jurisdictions.
A breakthrough came when the researchers linked the current exploit infrastructure to the 2023 exploitation of the MOVEit Transfer vulnerability: 41 of the identified IPs had also been used during the MOVEit campaign, showing how persistently Clop reuses infrastructure. Further overlaps, namely matching TLS (SSL) certificate fingerprints and hosts placed in the same subnets, tied the current attacks to earlier campaigns as well.
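The pivoting described above (seed IOC IPs expanded to a larger set, then correlated with an earlier campaign by exact IP, by shared subnet and by TLS certificate fingerprint) is a routine threat-intelligence task that defenders can reproduce against their own IOC feeds. The following is an added example written for this page, not code from the researchers or from Oracle; the IP addresses and certificate fingerprints are constructed (RFC 5737 documentation ranges and dummy hex), not the real Clop indicators, and the `Ioc`, `correlate` and `shared_subnets` names are the example's own.

```python
"""Correlate a current campaign's network IOCs against an older campaign's
IOCs by exact IP, /24 subnet reuse and TLS certificate fingerprint reuse.

Added example for illustration; the data below is constructed, not real IOCs.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Ioc:
    """One observed host: its IP and, if a TLS listener was seen, the
    SHA-256 fingerprint of the leaf certificate it presented."""
    ip: str
    cert_sha256: Optional[str] = None


# Constructed sample data (RFC 5737 documentation ranges, dummy fingerprints).
CERT_A = "a1" * 32
CERT_B = "b2" * 32
CERT_C = "c3" * 32

PAST_CAMPAIGN = [                     # hypothetical "2023" campaign IOCs
    Ioc("192.0.2.10", CERT_A),
    Ioc("192.0.2.33"),
    Ioc("203.0.113.9", CERT_B),
]

CURRENT_CAMPAIGN = [                  # hypothetical "2025" campaign IOCs
    Ioc("192.0.2.10", CERT_A),        # same host, same certificate
    Ioc("192.0.2.77"),                # new host, but in a subnet seen before
    Ioc("198.51.100.5", CERT_B),      # new host and subnet, reused certificate
    Ioc("198.51.100.200", CERT_C),    # nothing in common with the past set
]


def subnet(ip: str, prefix: int = 24) -> str:
    """Return the containing network (default /24) in CIDR form."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def correlate(current: List[Ioc], past: List[Ioc]) -> Dict[str, List[str]]:
    """Bucket each current IP by the strongest link it has to the past set.

    exact_ip     : the same address was active in the earlier campaign
    subnet_reuse : a different address, but inside a /24 used before
    cert_reuse   : the host presents a certificate seen in the earlier campaign
                   (independent of the IP buckets; a host can be in both)
    unrelated    : no overlap on any of the three dimensions
    """
    past_ips = {i.ip for i in past}
    past_subnets = {subnet(i.ip) for i in past}
    past_certs = {i.cert_sha256 for i in past if i.cert_sha256}

    result: Dict[str, List[str]] = {
        "exact_ip": [], "subnet_reuse": [], "cert_reuse": [], "unrelated": []
    }
    for ioc in current:
        linked = False
        if ioc.ip in past_ips:
            result["exact_ip"].append(ioc.ip)
            linked = True
        elif subnet(ioc.ip) in past_subnets:
            result["subnet_reuse"].append(ioc.ip)
            linked = True
        if ioc.cert_sha256 and ioc.cert_sha256 in past_certs:
            result["cert_reuse"].append(ioc.ip)
            linked = True
        if not linked:
            result["unrelated"].append(ioc.ip)
    return result


def shared_subnets(current: List[Ioc], past: List[Ioc]) -> List[str]:
    """/24 networks that host infrastructure in both campaigns: candidates
    for a block list, because they outlive any single IP the actor rotates."""
    return sorted({subnet(i.ip) for i in current} & {subnet(i.ip) for i in past})


if __name__ == "__main__":
    links = correlate(CURRENT_CAMPAIGN, PAST_CAMPAIGN)
    for bucket, ips in links.items():
        print(f"{bucket:13s}: {', '.join(ips) or '-'}")
    print("shared /24s  :", ", ".join(shared_subnets(CURRENT_CAMPAIGN, PAST_CAMPAIGN)))
```

Certificate fingerprints are the most durable of the three signals: an operator who moves a listener to a fresh IP in a fresh subnet still gets caught if they reuse the same certificate, so they deserve a place in detection content alongside the raw IP list. Subnet-level matches are weaker evidence on shared hosting and should be treated as leads to confirm rather than as blocks to apply blindly.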
Taken together, these findings show that Clop leans on long-lived infrastructure and spreads it across regions to evade geography-based blocking while keeping its operations running. For defenders, that persistence cuts both ways: indicators from past Clop campaigns remain worth matching against current traffic, because the group demonstrably reuses them.

