Clop ransomware has confirmed that it is behind a recent wave of data theft attacks targeting Cleo, a company specialising in secure file transfer solutions. The attacks exploited a critical zero-day vulnerability (CVE-2024-50623), reigniting concerns about the persistent threat posed by ransomware groups.
The news was first confirmed by BleepingComputer. Cleo develops platforms like Cleo Harmony, VL Trader, and LexiCom, which businesses use to exchange sensitive files securely. In October, the company addressed a vulnerability that enabled unrestricted file uploads and downloads, potentially leading to remote code execution.
However, cybersecurity experts later discovered the initial patch was incomplete, leaving systems vulnerable to exploitation.
Threat actors exploited this flaw to upload a Java-based backdoor. This backdoor enabled the attackers to exfiltrate data, execute malicious commands, and deepen their access to compromised networks.
The Cybersecurity and Infrastructure Security Agency (CISA) confirmed the vulnerability.
Initially, speculation pointed to a new ransomware gang, Termite, as the perpetrator. However, further analysis revealed the methods aligned closely with Clop’s previous attacks. The gang confirmed their involvement, stating they exploited both the original CVE-2024-50623 vulnerability and its incomplete fix identified by Huntress.

In a surprising move, Clop announced the deletion of data linked to past attacks from their leak site. “Due to recent events (attacks of CLEO), all links to data of all companies will be disabled, and data will be permanently deleted from servers. We will work only with new companies,” reads a message on Clop’s extortion platform, CL0P^_- LEAKS.
The gang concluded their announcement with an ominous “Happy New Year,” signalling their continued activity.
Clop, also known as TA505, has developed a reputation for exploiting vulnerabilities in secure file transfer systems. Since its emergence in 2019, the gang has refined its tactics, often targeting zero-day vulnerabilities in widely used enterprise platforms.
For instance, in 2020, Clop exploited a zero-day in Accellion’s FTA platform, affecting nearly 100 organisations. Similarly, in 2021, the group leveraged a flaw in SolarWinds’ Serv-U FTP software for data breaches.
Their most significant breach to date involved exploiting a zero-day in the MOVEit Transfer platform, affecting 2,773 organisations.