
Clop ransomware targets Gladinet CentreStack in data theft attacks

Published:

18 December 2025 at 20:16:55

Alert date:

18 December 2025 at 21:01:36

Source:

bleepingcomputer.com


Ransomware & Malware, Data Breach & Exfiltration, Enterprise Applications, Zero-Day Vulnerabilities

The Clop ransomware gang is conducting a new data theft extortion campaign targeting Internet-exposed Gladinet CentreStack file servers. This represents an active threat where the ransomware group is exploiting vulnerabilities in file sharing infrastructure to steal data for extortion purposes. Organizations using Gladinet CentreStack should immediately secure their systems and check for signs of compromise.

Technical details

The Clop ransomware gang is targeting Internet-exposed Gladinet CentreStack file servers in data theft extortion campaigns. The group is exploiting an unknown vulnerability (potentially a zero-day or an unpatched flaw) to breach CentreStack servers and is leaving ransom notes on compromised systems. At least 200 unique IPs are running CentreStack systems that could be potential targets. Clop has a pattern of targeting secure file transfer products: after breaching systems, the group exfiltrates sensitive documents and publishes them on dark web leak sites, making the data available for download via Torrent.

Mitigation steps:

Organizations using Gladinet CentreStack should ensure their systems are not exposed to the Internet unnecessarily and apply all available security updates. Since April, Gladinet has released security updates to address several security flaws, so patching is critical. Monitor for unusual activity on CentreStack servers and implement proper network segmentation.

Affected products:

Gladinet CentreStack
Accellion FTA
GoAnywhere MFT
Cleo
MOVEit Transfer
Oracle EBS

Related links:

https://www.bleepingcomputer.com/tag/gladinet-centrestack/
https://www.bleepingcomputer.com/news/security/hackers-exploit-gladinet-centrestack-cryptographic-flaw-in-rce-attacks/
https://www.bleepingcomputer.com/news/security/hackers-exploiting-zero-day-in-gladinet-file-sharing-software/
https://www.bleepingcomputer.com/news/security/centrestack-rce-exploited-as-zero-day-to-breach-file-sharing-servers/
http://www.linkedin.com/posts/curatedintelligence_psa-incident-responders-from-the-curated-activity-7407480091133231104-C6hv/
https://www.bleepingcomputer.com/tag/accellion/
https://www.bleepingcomputer.com/news/security/fortra-shares-findings-on-goanywhere-mft-zero-day-attacks/
https://www.bleepingcomputer.com/news/security/new-cleo-zero-day-rce-flaw-exploited-in-data-theft-attacks/
https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/
https://www.emsisoft.com/en/blog/44123/unpacking-the-moveit-breach-statistics-and-analysis/
https://www.bleepingcomputer.com/news/security/oracle-zero-day-exploited-in-clop-data-theft-attacks-since-early-august/
https://www.bleepingcomputer.com/news/security/harvard-investigating-breach-linked-to-oracle-zero-day-exploit/
https://www.bleepingcomputer.com/news/security/washington-post-data-breach-impacts-nearly-10k-employees-contractors/
https://www.bleepingcomputer.com/news/security/globallogic-warns-10-000-employees-of-data-theft-after-oracle-breach/
https://www.bleepingcomputer.com/news/security/university-of-pennsylvania-confirms-data-theft-after-oracle-ebs-hack/
https://www.bleepingcomputer.com/news/security/logitech-confirms-data-breach-after-clop-extortion-attack/
https://www.bleepingcomputer.com/news/security/american-airlines-subsidiary-envoy-confirms-oracle-data-theft-attack/
https://www.bleepingcomputer.com/news/security/us-govt-offers-10-million-bounty-for-info-on-clop-ransomware/

Related CVEs:

Related threat actors:

IOCs:

CentreStack - Login HTTP Title, Ransom notes left on compromised servers, Data published on Clop dark web leak site
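An added example (not from the original advisory or from Gladinet) of the exposure check the mitigation steps call for: it walks saved HTTP responses from your own asset inventory and sorts hosts serving the `CentreStack - Login` title listed above into Internet-facing and internal. Host names, addresses and the record layout are constructed; treating every address outside RFC 1918 and loopback as Internet-facing is an assumption.

```python
import html
import ipaddress
import re

IOC_TITLE = "CentreStack - Login"  # HTTP title listed under IOCs on this page
# Assumption: any address outside these ranges is treated as Internet-facing.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
TITLE_RE = re.compile(r"<title[^>]*>(.*?)</title>", re.I | re.S)


def page_title(body):
    """Return the first <title> text, entities decoded, whitespace collapsed."""
    m = TITLE_RE.search(body)
    return " ".join(html.unescape(m.group(1)).split()) if m else ""


def audit_centrestack(records):
    """Sort hosts showing the IOC title into Internet-facing and internal."""
    result = {"exposed": [], "internal": []}
    for rec in records:
        if page_title(rec["body"]).casefold() != IOC_TITLE.casefold():
            continue  # title does not match the IOC
        addr = ipaddress.ip_address(rec["ip"])
        internal = any(addr in net for net in INTERNAL_NETS)
        result["internal" if internal else "exposed"].append(rec["host"])
    return result


# Constructed sample records; 203.0.113.0/24 is a documentation range standing
# in for public addresses, and all host names are hypothetical.
SAMPLE = [
    {"host": "files.example.com", "ip": "203.0.113.10",
     "body": "<html><head><TITLE>\n CentreStack &#45;  Login </TITLE></head></html>"},
    {"host": "cs-internal.example.com", "ip": "10.20.0.5",
     "body": "<title>CentreStack - Login</title>"},
    {"host": "www.example.com", "ip": "203.0.113.20",
     "body": "<title>Welcome</title><p>CentreStack - Login</p>"},
]

if __name__ == "__main__":
    print(audit_centrestack(SAMPLE))
```

Hosts in the `exposed` list are the ones to take off the Internet or restrict first; hosts in `internal` still need the security updates.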

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information originating from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
