
Clop – Ransomware by TA505

TLP

TLP CLEAR

Author

Jordi Lobo

Summary

Clop ransomware is a variant of a previously known strain called CryptoMix. In 2019, Clop was delivered as the final payload of a phishing campaign associated with the financially motivated actor TA505. By 2020, Clop had evolved from a ransomware delivered through malicious spam into one used in targeted campaigns against high-profile companies. Clop appends the .clop extension to the victim’s files; we have observed variants using other extensions, such as .CIIp, .Cllp and .C_L_O_P. The ransomware includes various features to avoid detection, and observed Clop samples try to kill several processes and services related to backups and security solutions.
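The extensions listed above are the most concrete artefact in this summary, so a simple detection over file-rename telemetry is a natural companion to it. The following is an added example, not code from the original post: it matches renames that append one of the extensions named above (case-insensitively, so the .CIIp and .Cllp variants are caught) and reports hosts where such renames accumulate past a threshold. The event format (dicts with host, old_path and new_path) and the sample events are constructed assumptions about what a file-monitoring agent might emit.

```python
"""Flag Clop-style file renames in a stream of file-rename events.

Added example (not from the original post). The event format is an assumption:
each event is a dict with 'host', 'old_path' and 'new_path', as a file-monitoring
agent might emit. Only the extensions named in the post are matched.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

# Extensions the post attributes to Clop and its variants; compared case-insensitively.
CLOP_EXTENSIONS = frozenset({".clop", ".ciip", ".cllp", ".c_l_o_p"})


def is_clop_extension(path: str) -> bool:
    """True if the file's final extension is one the post attributes to Clop."""
    suffix = PureWindowsPath(path).suffix.lower()
    return suffix in CLOP_EXTENSIONS


def is_clop_rename(old_path: str, new_path: str) -> bool:
    """True for a rename that appends a Clop extension to the original file name.

    Requiring the new name to be old name + extension filters out unrelated
    renames that merely happen to involve a file with such a suffix.
    """
    if not is_clop_extension(new_path):
        return False
    suffix = PureWindowsPath(new_path).suffix
    stem = new_path[: -len(suffix)]
    return stem.lower() == old_path.lower()


def detect_clop_activity(events, threshold: int = 3):
    """Return {host: count} for hosts whose Clop-style rename count meets threshold.

    A single matching rename on a host is weak evidence; mass encryption shows up
    as many such renames in a short window, hence the per-host threshold.
    """
    counts = defaultdict(int)
    for ev in events:
        if is_clop_rename(ev["old_path"], ev["new_path"]):
            counts[ev["host"]] += 1
    return {host: n for host, n in counts.items() if n >= threshold}


# Constructed sample events; not real telemetry.
SAMPLE_EVENTS = [
    {"host": "WS-01", "old_path": r"C:\Users\alice\Documents\report.docx",
     "new_path": r"C:\Users\alice\Documents\report.docx.clop"},
    {"host": "WS-01", "old_path": r"C:\Users\alice\Documents\budget.xlsx",
     "new_path": r"C:\Users\alice\Documents\budget.xlsx.Cllp"},
    {"host": "WS-01", "old_path": r"C:\Users\alice\Pictures\holiday.jpg",
     "new_path": r"C:\Users\alice\Pictures\holiday.jpg.CIIp"},
    {"host": "WS-01", "old_path": r"D:\shares\finance\q3.pdf",
     "new_path": r"D:\shares\finance\q3.pdf.C_L_O_P"},
    {"host": "WS-01", "old_path": r"D:\shares\finance\q4.pdf",
     "new_path": r"D:\shares\finance\q4.pdf.clop"},
    # Benign rename: no Clop extension involved.
    {"host": "WS-02", "old_path": r"C:\temp\draft.txt",
     "new_path": r"C:\temp\final.txt"},
    # File already carried the suffix and is renamed away from it: not an append.
    {"host": "WS-02", "old_path": r"C:\temp\notes.clop",
     "new_path": r"C:\temp\notes.bak"},
    # A single genuine append on WS-02; stays below the default threshold.
    {"host": "WS-02", "old_path": r"C:\temp\x.txt",
     "new_path": r"C:\temp\x.txt.clop"},
]


if __name__ == "__main__":
    for host, n in detect_clop_activity(SAMPLE_EVENTS).items():
        print(f"{host}: {n} Clop-style renames")
```

Lowering the threshold to 1 turns the detector into a hunting query that also surfaces isolated appends, which is useful when triaging a host already under suspicion.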

DATA

TIMELINE

CATEGORY

Ransomware

REFERENCES

MITRE ATT&CK
