Clop Ransomware Targets Gladinet CentreStack Servers in Expanding Data Theft Campaign


Introduction: A Familiar Ransomware Playbook Returns

The Clop ransomware group, also known as Cl0p, has once again resurfaced with a focused and highly strategic cyber extortion campaign. This time, the group is targeting Internet-exposed Gladinet CentreStack file servers, a platform widely used by organizations to enable secure file sharing without relying on traditional VPN infrastructure. The campaign highlights a growing pattern in Clop’s operations: exploiting trusted enterprise file transfer and collaboration platforms to exfiltrate sensitive data and pressure victims into paying ransoms. As investigations continue, the uncertainty around the exploited vulnerability adds urgency to the threat facing unpatched and exposed systems worldwide.

Overview of the New CentreStack Attacks

The Clop ransomware gang has launched a fresh wave of attacks aimed at Gladinet CentreStack servers that are directly exposed to the Internet. These systems are being compromised as part of a data theft extortion campaign, where attackers steal sensitive files and then demand payment under the threat of public disclosure.

What Is Gladinet CentreStack

Gladinet CentreStack is a file-sharing and collaboration solution designed for businesses that want to provide secure access to on-premises file servers. It allows employees to access files through web browsers, mobile applications, and mapped network drives, eliminating the need for VPN connections while maintaining centralized data control.

CentreStack’s Global Adoption

According to Gladinet, CentreStack is used by thousands of businesses across more than 49 countries. This broad adoption makes it an attractive target for cybercriminals seeking high-impact campaigns with the potential to compromise large volumes of sensitive corporate data.

A History of Security Fixes

Since April, Gladinet has released multiple security updates addressing several vulnerabilities in CentreStack. Some of these flaws were reportedly exploited in real-world attacks, including zero-day vulnerabilities, underscoring the platform’s recent exposure to active threat activity.

Evidence of Active Exploitation

Threat intelligence firm Curated Intelligence has confirmed that Clop operators are actively scanning for and breaching Internet-facing CentreStack servers. According to their findings, ransom notes have been discovered on compromised systems, indicating successful intrusions and data theft.

The Mystery Vulnerability

At present, there is no public information identifying the specific vulnerability Clop is exploiting. It remains unclear whether the attackers are leveraging a previously patched flaw that some organizations failed to update, or an entirely new zero-day vulnerability that has not yet been disclosed.

Warning From Threat Intelligence Experts

Curated Intelligence issued a public warning stating that incident responders have encountered a new Clop extortion campaign targeting CentreStack servers. Their analysis of recent port scan data suggests that more than 200 unique IP addresses are running CentreStack login pages and could be potential targets.

Internet Exposure as the Key Risk

The attacks specifically focus on CentreStack servers exposed directly to the Internet. This exposure significantly increases risk, especially when combined with delayed patching or misconfigured security controls.

Clop’s Longstanding Focus on File Transfer Platforms

Clop is not new to targeting secure file transfer and collaboration tools. The group has built a reputation for systematically exploiting widely deployed enterprise platforms that sit at the center of organizational data flows.

Previous High-Profile Campaigns

In past campaigns, Clop has successfully targeted Accellion FTA, GoAnywhere MFT, Cleo, and MOVEit Transfer servers. The MOVEit campaign alone impacted more than 2,770 organizations worldwide, making it one of the largest mass data theft incidents in recent years.

Oracle EBS Zero-Day Exploitation

Most recently, Clop exploited a zero-day vulnerability in Oracle E-Business Suite, tracked as CVE-2025-61882. This attack began in early August 2025 and allowed the group to steal sensitive data from numerous high-profile organizations.

Notable Victims of Oracle Attacks

Organizations reportedly affected by the Oracle EBS campaign include Harvard University, The Washington Post, GlobalLogic, the University of Pennsylvania, Logitech, and Envoy Air, a subsidiary of American Airlines.

Data Exfiltration and Public Leaks

After breaching systems, Clop typically exfiltrates large volumes of sensitive data. The stolen files are then published on the group’s dark web leak site and made available for download, often via torrent links, increasing pressure on victims to comply with ransom demands.

Law Enforcement Attention Intensifies

The scale and impact of Clop’s operations have drawn significant attention from U.S. authorities. The U.S. Department of State has announced a reward of up to $10 million for information that could link Clop’s cybercrime activities to a foreign government.

Silence From the Vendor

As of the latest reports, a spokesperson from Gladinet was not immediately available to comment on the ongoing attacks, leaving customers and security teams with limited official guidance.

What Undercode Says:

A Calculated Return to Proven Tactics

Clop’s targeting of CentreStack fits perfectly into its long-established operational model. Rather than deploying traditional ransomware that encrypts systems, the group focuses on pure data theft extortion, which reduces operational complexity while maximizing leverage over victims.

File Servers as High-Value Targets

Enterprise file-sharing platforms are ideal targets because they aggregate sensitive data from across an organization. A single successful compromise can yield intellectual property, financial records, employee data, and confidential communications in one strike.

Internet Exposure Is the Weakest Link

The recurring theme in Clop’s campaigns is Internet exposure. Systems designed for convenience and remote access often sacrifice security hardening, especially when administrators assume vendors will handle most of the protection.

Zero-Day or Patch Gap

The uncertainty around whether Clop is exploiting a zero-day or an unpatched known vulnerability is itself alarming. In both cases, organizations face serious challenges: either no patch exists yet, or patch management processes have failed.

Scanning at Scale

The identification of over 200 Internet-exposed CentreStack servers suggests automated scanning and targeting. This indicates the campaign is likely to grow quickly unless defensive measures are taken.

Ransomware Without Encryption

Clop’s strategy avoids file encryption entirely, focusing instead on data theft and public shaming. This approach bypasses many traditional ransomware defenses that focus on detecting encryption behavior.

Vendor Trust as an Attack Surface

Organizations often place deep trust in enterprise software vendors. When vulnerabilities emerge in these platforms, attackers exploit not just technical flaws, but also the assumption that such tools are inherently secure.

Regulatory and Legal Fallout

Data theft incidents increasingly trigger regulatory scrutiny, legal action, and reputational damage. For many organizations, these secondary impacts are more costly than the ransom itself.

Lessons From MOVEit and Oracle

The MOVEit and Oracle campaigns should have served as a warning. Clop clearly demonstrates patience, technical skill, and the ability to repeatedly exploit systemic weaknesses across industries.

Defensive Priorities Going Forward

Organizations using CentreStack or similar platforms should prioritize reducing Internet exposure, enforcing rapid patch cycles, and monitoring for unusual access patterns. Assuming obscurity or low attacker interest is no longer viable.

Fact Checker Results

Verification of Claims

The reported targeting of Gladinet CentreStack by Clop aligns with statements from Curated Intelligence. ✅
Clop’s history of exploiting file transfer platforms is well-documented and consistent with past incidents. ✅
The exact vulnerability used in the CentreStack attacks remains unconfirmed at this time. ❌

Prediction

Likely Expansion of the Campaign 🔍

Clop is expected to scale this campaign rapidly as long as exposed CentreStack servers remain online.
Additional victims will likely emerge across multiple countries due to CentreStack’s global user base 🌍.
If a zero-day is confirmed, similar platforms may soon become secondary targets as attackers adapt 🚨.


References:

Reported By: www.bleepingcomputer.com