The Clop ransomware group, also known as Cl0p, has launched a new extortion campaign aimed at Gladinet CentreStack file servers that are exposed to the internet.
Gladinet CentreStack is a file-sharing solution that allows organizations to securely access and share files stored on on-premises servers through web browsers, mobile applications, and mapped drives—without the need for a VPN. According to Gladinet, CentreStack “is used by thousands of businesses from over 49 countries.”
Since April, Gladinet has issued multiple security patches to fix several vulnerabilities that were actively exploited in attacks, including some zero-day flaws.
Threat actors linked to the Clop cybercrime operation are now actively scanning for CentreStack servers accessible online and breaching vulnerable systems. Curated Intelligence confirmed to BleepingComputer that attackers are leaving ransom notes on compromised servers.
At present, the exact vulnerability being used in these intrusions remains unknown. It is unclear whether Clop is exploiting a previously undisclosed zero-day flaw or taking advantage of an older vulnerability that has not yet been patched by affected organizations.
“Incident Responders from the Curated Intelligence community have encountered a new CLOP extortion campaign targeting Internet-facing CentreStack file servers,” warned threat intel group Curated Intelligence on Thursday.
“From recent port scan data, there appears to be at least 200+ unique IPs running the "CentreStack - Login" HTTP Title, making them potential targets of CLOP who is exploiting an unknown CVE (n-day or zero-day) in these systems.”
Clop has repeatedly targeted secure file transfer and file-sharing platforms as part of its extortion operations. The group has previously been responsible for high-profile breaches involving Accellion FTA, GoAnywhere MFT, Cleo, and MOVEit Transfer servers. The MOVEit campaign alone impacted more than 2,770 organizations globally.
More recently, Clop exploited an Oracle E-Business Suite zero-day vulnerability, tracked as CVE-2025-61882, to steal sensitive data from numerous organizations beginning in early August 2025.
Affected Oracle customers reportedly include Harvard University, The Washington Post, GlobalLogic, the University of Pennsylvania, Logitech, and Envoy Air, a subsidiary of American Airlines.
Following successful intrusions, the group exfiltrates confidential data and publishes it on its dark web leak site, often distributing the stolen files via torrent downloads.
The U.S. Department of State has announced a reward of up to $10 million for information that could help attribute Clop’s cybercrime activities to a foreign government.
A spokesperson for Gladinet was not immediately available to comment when contacted by BleepingComputer earlier today.
