Clop Ransomware Actors Exploiting The Latest 0-day Exploits In The...

Cl0p, a prominent ransomware group operating since early 2019, has emerged as one of the most dangerous threats in the cybersecurity landscape.

With over 1,025 confirmed victims and more than $500 million in extorted funds, this Russia-linked group has consistently targeted corporate and private networks worldwide while deliberately avoiding targets in CIS countries.

The group takes its name from the “.cl0p” file extension it appends to encrypted files; “clop” (клоп) is also the Russian word for “bedbug”, a fitting label for a group known for persistent, hard-to-eradicate intrusions.

The ransomware group’s latest campaign showcases a sophisticated approach to zero-day exploitation, particularly leveraging CVE-2025-61882, a critical vulnerability discovered in Oracle E-Business Suite.

This ERP application, widely used for order management, procurement, and logistics functions across enterprises globally, presents an attractive target for threat actors seeking rapid network penetration and data exfiltration.

Exploitation of the vulnerability was first observed in June 2025 and has intensified in recent months.

THE RAVEN FILE analysts noted that the exploitation infrastructure reflects a significant step up in the group’s technical capability.

Starting from the initial indicators of compromise that Oracle published in October 2025, researchers identified two outbound IP addresses directly associated with active attacks.

By pivoting on the TLS certificate fingerprints of those hosts in internet-scan data from Shodan and FOFA, analysts uncovered 96 distinct IP addresses presenting the same certificate fingerprint as the initial attack infrastructure.

Clustering hosts on this shared fingerprint revealed the group’s operational patterns and hosting preferences across multiple geographic regions.
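The pivot described above can be reproduced with nothing more than SHA-256 over the DER-encoded certificate, which is the fingerprint value scan engines index. The following is an added example, not code from THE RAVEN FILE or from any scanner; the seed IPs, the other hosts and the certificate bytes are constructed placeholders (RFC 5737 documentation addresses and fake byte strings), not the real Oracle indicators.

```python
import hashlib
import ssl
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple


def fingerprint_der(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def fingerprint_pem(pem: str) -> str:
    """Same fingerprint computed from a PEM certificate string."""
    return fingerprint_der(ssl.PEM_cert_to_DER_cert(pem))


def fetch_fingerprint(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Live lookup of a host's leaf certificate fingerprint (needs network).

    Not called by the offline demo below; shown so the pivot can be run
    against real infrastructure once seed IoCs are known.
    """
    pem = ssl.get_server_certificate((host, port), timeout=timeout)
    return fingerprint_pem(pem)


# Constructed scan snapshot: (ip, DER bytes). Real DER would come from
# fetch_fingerprint() or from a Shodan/FOFA export; these bytes are fake.
OBSERVATIONS: List[Tuple[str, bytes]] = [
    ("198.51.100.10", b"CONSTRUCTED-CERT-A"),  # placeholder seed IoC
    ("203.0.113.5",   b"CONSTRUCTED-CERT-A"),  # shares the seed's certificate
    ("203.0.113.6",   b"CONSTRUCTED-CERT-A"),
    ("198.51.100.11", b"CONSTRUCTED-CERT-B"),  # placeholder second seed IoC
    ("203.0.113.7",   b"CONSTRUCTED-CERT-B"),
    ("192.0.2.99",    b"CONSTRUCTED-CERT-C"),  # unrelated host, must not be flagged
]
SEED_IOCS: Set[str] = {"198.51.100.10", "198.51.100.11"}


def cluster_by_fingerprint(
    observations: Iterable[Tuple[str, bytes]], seeds: Set[str]
) -> Dict[str, List[str]]:
    """Group hosts by certificate fingerprint; keep only clusters that contain a seed."""
    by_fp: Dict[str, Set[str]] = defaultdict(set)
    for ip, der in observations:
        by_fp[fingerprint_der(der)].add(ip)
    return {fp: sorted(ips) for fp, ips in by_fp.items() if ips & seeds}


def expand_iocs(
    observations: Iterable[Tuple[str, bytes]], seeds: Set[str]
) -> List[str]:
    """Return the new (non-seed) hosts whose certificate matches a seed host's."""
    related: Set[str] = set()
    for ips in cluster_by_fingerprint(observations, seeds).values():
        related.update(ips)
    return sorted(related - seeds)


if __name__ == "__main__":
    for fp, ips in cluster_by_fingerprint(OBSERVATIONS, SEED_IOCS).items():
        print(fp[:16], ips)
    print("expanded IoC set:", expand_iocs(OBSERVATIONS, SEED_IOCS))
```

A shared certificate fingerprint is a strong pivot but not proof of attacker control: appliance images and cloud templates that ship a default self-signed certificate produce identical fingerprints across unrelated tenants, so each cluster should be checked against other attributes (ASN, open ports, first-seen dates) before its members are added to a block list.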

CVE Details

CVE ID: CVE-2025-61882
Severity: CRITICAL
Affected Product: Oracle E-Business Suite
Attack Vector: Network