TA505
TA505 is a financially motivated cybercrime actor associated in the collected reporting with large-scale malware delivery campaigns and with the Cl0p/Clop ransomware and extortion operation. Aliases in the reporting include TA505, Cl0p/Clop, Graceful Spider, Gold Tahoe, Hive0065, Monty Spider, Spandex Tempest, and Chimborazo, along with Cl0p-branded naming variants such as Cl0p ransomware gang, Cl0p extortion gang, and Cl0p ransomware operation.

The reporting links TA505 to phishing and malspam campaigns whose lures induced users to enable content in malicious attachments or to execute files from archives. Observed delivery methods include malicious Microsoft Office and Publisher attachments with macros, PDF lures, direct URLs, malicious Excel 4.0 macros, and later Bit.ly-linked landing pages serving malicious Excel files. TA505 is associated with the Get2 downloader, the ServHelper backdoor, the FlawedGrace and FlawedAmmyy RATs, SDBbot, Snatch, Azorult, and Cobalt Strike. Malware was staged on actor-controlled domains, and command-and-control traffic used HTTP.

In one ServHelper campaign, the malware collected host and workgroup or domain information and sent it to the C2 server, executed commands including "net group /domain", used PowerShell for reconnaissance, and established persistence via a Run key. ServHelper variants described in the reporting supported shell execution, downloading additional malware, self-deletion, reverse SSH tunneling for RDP access, browser-profile hijacking, and additional loader functionality. The reporting also notes that TA505 decrypted packed DLLs with an XOR key.

Targeting described in the reporting includes financial institutions, retail businesses, restaurants, and broader multi-sector campaigns across multiple countries. One analysis assessed the operators as especially interested in domain-joined machines and suggested financial organizations as likely targets.
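As an added, defender-side illustration of the ServHelper behaviours described above (example code written for this page, not from the original reporting or from any vendor), the following Python runs three simple rules over constructed, Sysmon-like events and escalates only when more than one behaviour traces back to the same parent process. The event field names, the sample paths, and the file name upd.exe are assumptions made for the example.

```python
import re

# Constructed sample events in a simplified Sysmon-like shape (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net group /domain", "parent": r"C:\Users\a\AppData\Roaming\upd.exe"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File recon.ps1", "parent": r"C:\Users\a\AppData\Roaming\upd.exe"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd",
     "data": r"C:\Users\a\AppData\Roaming\upd.exe", "parent": r"C:\Users\a\AppData\Roaming\upd.exe"},
    # Benign control: net.exe used for a drive mapping from explorer.exe.
    {"type": "process", "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net use Z: \\\\fileserver\\share", "parent": r"C:\Windows\explorer.exe"},
]

# Directories a non-admin user can write to; loaders commonly live there.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Downloads)\\", re.I)
# HKCU/HKLM ...\CurrentVersion\Run and RunOnce autostart keys.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)


def match_event(ev):
    """Return the name of the rule an event triggers, or None."""
    if ev["type"] == "process":
        img = ev["image"].lower()
        cmd = ev["cmdline"].lower()
        # "net group /domain": the domain-group enumeration seen in the campaign.
        if img.endswith("\\net.exe") and "group" in cmd and "/domain" in cmd:
            return "domain_group_enumeration"
        # PowerShell spawned by a binary running from a user-writable path.
        if img.endswith("\\powershell.exe") and USER_WRITABLE.search(ev["parent"]):
            return "powershell_from_user_writable_parent"
    elif ev["type"] == "registry":
        # Run-key persistence pointing at a user-writable location.
        if RUN_KEY.search(ev["key"]) and USER_WRITABLE.search(ev["data"]):
            return "run_key_persistence_user_writable"
    return None


def correlate(events):
    """Group rule hits by originating (parent) process. Two or more distinct
    behaviours from one process is the pattern worth escalating; a single
    'net group' from an admin shell is not."""
    hits = {}
    for ev in events:
        rule = match_event(ev)
        if rule:
            hits.setdefault(ev["parent"].lower(), set()).add(rule)
    return {parent: sorted(rules) for parent, rules in hits.items() if len(rules) >= 2}
```

In a real deployment the same rules would be expressed as Sigma rules over process-creation and registry-set events, with the parent-process correlation done in the SIEM.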
The reporting also ties TA505 to the Cl0p ransomware/extortion operation, including exploitation of MOVEit software and of the Cleo zero-day vulnerability CVE-2024-55956 from late 2024 into H1 2025. TA505 (CL0P) exploited the Cleo vulnerability to target a large number of companies, and Cl0p took credit for widespread exploitation of MOVEit instances. Cl0p activity described in the reporting includes posting victims on its leak site, setting deadlines for MOVEit victims to contact the group, applying "name and shame" pressure tactics, and removing some organizations from the leak site after negotiations or presumed payment. S2W ranked TA505 among the top five highest-risk ransomware groups in H1 2025.
Tradecraft
55 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
46 malware families attributed to this actor across reporting.
41 additional families tracked in Mallory.
Associated vulnerabilities
13 CVEs this actor has used in observed campaigns. 13 of them exploited in the wild.
Attackers can seize control of Oracle E-Business Suite environments without authentication, leveraging a critical flaw in the Concurrent Processing (BI Publisher Integration) component. This vulnerability, tracked as CVE-2025-61882, exposes thousands of enterprises to remote compromise via a single HTTP request.
MOVEit customers found themselves the victim of an actively exploited zero-day vulnerability, since tracked as CVE-2023-34362. Following the initial discovery, the criminal entity typically referred to as cl0p took credit for the widespread exploitation of MOVEit instances.
In late January 2023, the CL0P ransomware group launched a campaign using a zero-day vulnerability, now catalogued as CVE-2023-0669, to target the GoAnywhere MFT platform.
TA505 (Clop) is one of the oldest groups, active since 2019... It has been exploiting the Cleo zero-day vulnerability (CVE-2024-55956) since late 2024, which makes it the most active of all groups in the first half of 2025.
In the months prior, Oracle issued emergency patches for E-Business Suite vulnerabilities (CVE-2025-61882, CVE-2025-61884) after active exploitation by groups such as Cl0p.
8 more CVEs tied to this actor tracked in Mallory.
Observables
373 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Compromised MSG through a third-party Oracle E-Business Suite application tied to payroll and HR, exfiltrated business records, and published archived data after the company declined to pay.
Referenced as one of the ransomware groups dominating the current threat landscape and as ranking behind INC in Q1 2026 incidents.
Referenced as a ransomware group whose mass Cleo exploitation campaign inflated Q1 2025 victim counts.
Previously conducted a data theft extortion campaign after exploiting a zero-day in Oracle E-Business Suite affecting dozens of victims.