Clop is a well‑known cybercrime group that has operated since at least 2019. The group, sometimes spelled “Cl0p”, is characterised by highly organised ransomware and extortion operations that target large organisations globally. Clop does not rely solely on traditional encryption of victim systems. Instead, it often focuses on data theft and extortion. In some campaigns, the group steals sensitive information from victims and then threatens to publish it unless a ransom is paid. Over the years, Clop’s operations have generated extensive illicit revenue by combining ransom demands with reputational and compliance pressure on victims. The group has been linked to multiple high‑profile breaches, using phishing campaigns, malware loaders, and advanced lateral movement techniques to infiltrate corporate networks. In 2023, security agencies and independent researchers documented Clop exploiting a zero‑day vulnerability in the MOVEit Transfer software, which affected many organisations worldwide and resulted in significant data theft. This campaign highlighted Clop’s shift toward supply chain attacks, where exploiting a widely‑used enterprise product can yield a large number of victims from a single breach. Clop’s methods are technically sophisticated. The group commonly uses large‑scale phishing to deliver initial access tools that then install backdoors such as Cobalt Strike beacons. These backdoors allow the attackers to perform reconnaissance, move laterally within the network, and exfiltrate data. Clop then uses “double extortion” techniques, threatening to release stolen information publicly if the ransom is not paid. In recent years, Clop has also been associated with other malware families, such as TrueBot, for initial access. Its transition to attacking complex platforms and enterprise resource planning systems reflects an evolution in threat actor behaviour, aiming for high impact and larger ransom demands.
Going to the Big Leagues
In 2025, Clop’s actions drew particular attention because of an exploit targeting Oracle’s E‑Business Suite (EBS) software. EBS is enterprise software used by many organisations for tasks such as financial management, human resources, and supply chain operations. In mid‑2025, a critical zero‑day vulnerability, tracked as CVE‑2025‑61882, was actively exploited before a patch was released. A zero‑day vulnerability is one that is unknown to the software vendor and has no available patch at the time of exploitation. This flaw was scored 9.8 out of 10 on the Common Vulnerability Scoring System, a rating that reflects its exploitability over the network without authentication. Attackers used this flaw to gain unauthorised access to Oracle EBS environments, perform remote code execution, and extract sensitive data from victim networks. Oracle eventually released an emergency security patch after evidence of exploitation emerged and industry researchers began reporting extortion campaigns targeting organisations running vulnerable EBS systems.
Situating the Attack
Following the discovery and patch release, security researchers from groups such as Google’s Threat Intelligence Group and Mandiant found that the activity likely started well before public disclosure. Organisations began receiving extortion emails claiming that Clop had stolen sensitive Oracle EBS data. These emails were sent from compromised third‑party accounts to executives at various companies, adding credibility to the ransom demands. Some reports suggest that the attacker started exploiting the vulnerability as early as July 2025, but widespread ransom demands did not begin until September. Independent researchers also observed that the group named dozens of alleged victims on its data leak site, and more may not yet be identified because tracking and confirmation of such incidents can lag well behind the breaches themselves.
Both public reporting and multiple security advisories associated with this campaign have indicated that the number of affected organisations may have exceeded one hundred. High‑profile victims reported in the press include universities, airlines, and infrastructure companies. Reports suggest that compromised data in some cases included sensitive personal and corporate information. For example, the University of Phoenix disclosed that approximately 3.5 million records were stolen as part of a Clop‑linked Oracle breach. In other cases, organisations such as Envoy Air acknowledged less severe compromises affecting business information. Additional large enterprises and government services have also been linked, although exact details vary by source and many organisations have not publicly disclosed the full extent of compromise or impact.
Highly Skilled, Concerning for Many
One notable aspect of the Oracle‑focused campaign was how Clop structured the extortion. Instead of encrypting systems immediately, the group waited until after data theft to begin mass extortion emails. These emails often used compromised email accounts from unrelated organisations to bypass spam filters and boost credibility. Researchers noted that the campaign’s strategy demonstrated a blending of supply chain compromise, credential reuse, and social engineering, which complicates straightforward defensive measures. The tactics highlighted how attackers are increasingly targeting widely deployed enterprise products because such platforms provide access to sensitive data for many organisations at once. In response to the ongoing situation, Oracle made several public statements and issued multiple patches. Initially, the company suggested that at least some of the exploited vulnerabilities were already patched in earlier updates and that organisations failing to apply existing patches were at risk.
As the situation evolved and evidence mounted connecting exploitation to CVE‑2025‑61882, Oracle revised its advisories to emphasise the critical nature of the vulnerability and the importance of applying the newest fixes urgently. Despite patches becoming available, a primary challenge remains ensuring that all customers apply updates promptly, because many enterprise systems are complex and patching can be slow in highly regulated or production‑critical environments.
Yeah, but What About Me?
The implications of the Oracle EBS hack extend beyond individual victims. This campaign reinforced the reality that threat actors increasingly focus on enterprise supply chain software rather than individual endpoints. By exploiting a zero‑day vulnerability in a widely installed suite like Oracle EBS, attackers can maximise impact and leverage stolen data for high‑value extortion. This pattern has shifted how security professionals assess risk, prioritising continuous monitoring, accelerated patching cycles, and improved incident response readiness for critical infrastructure and ERP systems. Analysts have also called for increased transparency from vendors about vulnerabilities and faster coordinated disclosure processes to reduce the window of opportunity for attackers. In terms of future expectations, multiple trends are likely to shape how threat actors like Clop evolve and how defenders respond. First, ransomware groups may continue to invest in hunting or developing zero‑day exploits for widely used enterprise software. Successful exploitation of such vulnerabilities enables mass data extraction from many victims in a single campaign, increasing the potential ransom pool. Second, defenders can expect threat actors to refine tactics that integrate credential theft and social engineering with technical exploits, as seen in the Oracle campaign.
Using legitimate compromised accounts to send extortion emails reduces the likelihood that messages are blocked or flagged by automated defenses.
Setting Up to Survive
A key defensive focus will likely involve better patch management and software supply chain risk assessments. Organisations increasingly need to inventory and rapidly patch third‑party enterprise applications that are accessible over the internet, because these products are frequent targets for remote exploitation. Vendors like Oracle and others are under pressure to shorten the time between vulnerability discovery and patch a