Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to threat actors
Financially Motivated6 malware familiesExploits CVEs in the wild

Lace Tempest

Also known asDEV-0950Lace Tempest

Lace Tempest is a financially motivated threat actor tracked by Microsoft as DEV-0950 and associated with the Cl0p ransomware ecosystem. Microsoft states its activity overlaps with FIN11 and TA505, and the group is described as a Cl0p ransomware affiliate. The actor has been linked to data theft and extortion activity, including operation of or association with the Clop extortion site, and is also identified as a notable ransomware affiliate. Based on the provided content, Lace Tempest has repeatedly exploited high-profile enterprise software vulnerabilities for initial access and persistence. In April 2023, Microsoft linked the group to exploitation of PaperCut MF/NG vulnerabilities, including CVE-2023-27351, beginning around April 13, 2023. In those intrusions, Lace Tempest used the vulnerabilities for initial access, deployed TrueBot, then used Cobalt Strike for lateral movement and MegaSync for data theft; some PaperCut intrusions also resulted in Cl0p and LockBit ransomware deployment. The group was also attributed with the MOVEit Transfer zero-day campaign involving CVE-2023-34362, where Microsoft linked the attacks to Lace Tempest and the broader Cl0p data-theft and extortion operation. Related reporting in the content notes deployment of the human2.aspx webshell during MOVEit exploitation for persistence and exfiltration. The actor was also linked to exploitation of SysAid on-premise software zero-day CVE-2023-47246. In that activity, DEV-0950/Lace Tempest uploaded a webshell and additional payloads into the SysAid Tomcat webroot, gaining unauthorized access and control. Microsoft further observed Lace Tempest attacking SysAid servers from October 27, 2023, issuing commands via the SysAid software to deliver a malware loader. The content also states that Lace Tempest exploited PaperCut vulnerabilities to deploy webshells for persistent access. Additional context in the content ties Lace Tempest to ransomware and extortion operations affecting hospitals, and notes that Gracewire is typically affiliated with Lace Tempest; Microsoft also states Sangria Tempest has cooperated with Lace Tempest in past intrusions. Known aliases directly supported by the content are DEV-0950 and Lace Tempest.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
MITRE ATT&CK

Tradecraft

17 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

10 of 15 tactics25 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0001
Initial Access
3 techniques
T1078
Valid Accounts
T1133
External Remote Services
T1190×8
Exploit Public-Facing Application
TA0002
Execution
1 technique
T1059
Command and Scripting Interpreter
T1059.001
PowerShell
TA0003
Persistence
3 techniques
T1078
Valid Accounts
T1133
External Remote Services
T1505
Server Software Component
T1505.003×4
Web Shell
TA0004
Privilege Escalation
3 techniques
T1068
Exploitation for Privilege Escalation
T1078
Valid Accounts
T1548
Abuse Elevation Control Mechanism
T1548.002
Bypass User Account Control
TA0005
Stealth
1 technique
T1078
Valid Accounts
TA0006
Credential Access
1 technique
T1649
Steal or Forge Authentication Certificates
TA0009
Collection
2 techniques
T1074
Data Staged
T1213×4
Data from Information Repositories
TA0011
Command and Control
2 techniques
T1071
Application Layer Protocol
T1071.001
Web Protocols
T1105
Ingress Tool Transfer
TA0010
Exfiltration
2 techniques
T1041
Exfiltration Over C2 Channel
T1567×3
Exfiltration Over Web Service
T1567.002×2
Exfiltration to Cloud Storage
TA0040
Impact
2 techniques
T1486×2
Data Encrypted for Impact
T1657×2
Financial Theft
ARSENAL

Associated malware families

6 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
ClopMicrosoft has linked the Clop ransomware gang to recent attacks exploiting a zero-day vulnerability in the MOVEit Transfer platform to steal data from organizations.8May 26, 2026
LockBitThe vulnerability was attributed to Lace Tempest, a Cl0p ransomware affiliate, in April 2023, used in campaigns delivering Cl0p and LockBit ransomware payloads.2Apr 21, 2026
Cobalt StrikeUltimately, Microsoft says a Cobalt Strike beacon was deployed and used to spread laterally through the network while stealing data...1Mar 18, 2026
LemurlootAttackers have exploited the SQLi vulnerability to deploy a custom ASP.NET web shell (LEMURLOOT) to achieve persistence on victim networks to allow for further attack.1Mar 18, 2026
Lizar...deploy the Lizar post-exploitation tool on compromised devices. This allowed the threat actors to gain a foothold within the targeted network and move laterally to deploy Clop ransomware...1Mar 18, 2026

1 additional family tracked in Mallory.

WEAPONIZED

Associated vulnerabilities

4 CVEs this actor has used in observed campaigns. 4 of them exploited in the wild.

CVE-2023-34362SQL Injection in Progress MOVEit TransferIn the wildEvidence5

June 2 The actively exploited vulnerability was assigned CVE-2023-34362 with a severity rating of 9.8 out of 10.

CVE-2023-27351Authentication Bypass in PaperCut NG/MF SecurityRequestFilterIn the wildEvidence3

CVE-2023-27351 — PaperCut NG/MF | Improper Authentication | CVSS 8.2 An improper authentication flaw in PaperCut NG/MF that allows attackers to bypass authentication via the SecurityRequestFilter class. This is not a new discovery — exploitation has been confirmed in the wild since early 2023. The vulnerability was attributed to Lace Tempest, a Cl0p ransomware affiliate, in April 2023, used in campaigns delivering Cl0p and LockBit ransomware payloads.

CVE-2023-27350Unauthenticated Authentication Bypass and RCE in PaperCut MF/NGIn the wildEvidence1

Two vulnerabilities were fixed in the PaperCut Application Server that allows remote attackers to perform unauthenticated remote code execution and information disclosure: CVE-2023–27350 ... Unauthenticated remote code execution flaw impacting all PaperCut MF or NG versions 8.0 or later... PaperCut disclosed that these flaws were actively exploited in the wild... A PoC exploit for the RCE flaw was released... Microsoft ... attributed the recent PaperCut attacks to the Clop and LockBit ransomware operations.

CVE-2023-47246SysAid On-Prem Path Traversal Leading to Code ExecutionIn the wildEvidence1

A zero-day vulnerability was discovered in SysAid's on-premise software, exploited by the group DEV-0950 (Lace Tempest). The attackers uploaded a WebShell and other payloads, gaining unauthorized access and control. SysAid has released a patch (version 23.3.36) to remediate the vulnerability and urges customers to conduct a comprehensive compromise assessment.

ACTIVITY FEED

Recent activity

13 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

13 SOURCESView more in app
thecyberexpress com vulnerabilitiesNews
Apr 21, 2026
CISA Adds 8 Flaws To KEV Catalog, Cisco Catalyst Included

Linked to exploitation of CVE-2023-27351 to deploy Cl0p and LockBit ransomware.

Read more
cyberthroneNews
Apr 21, 2026
CISA Adds Eight Actively Exploited Vulnerabilities to KEV Catalog - TheCyberThrone

Attributed with exploiting CVE-2023-27351 in PaperCut NG/MF in campaigns delivering Cl0p and LockBit ransomware payloads.

Read more
recordedfutureNews
Jul 28, 2025
Why Patch Management Isn’t Enough: SharePoint, Webshells & the Modern Threat Landscape

Referenced as a ransomware group that deployed webshells for persistent access via PaperCut MF/NG vulnerabilities.

Read more
the hacker newsNews
Oct 24, 2024
New Qilin.B Ransomware Variant Emerges with Improved Encryption and Evasion Tactics

Named ransomware gang reported (by Microsoft data context) as known for targeting hospitals/healthcare organizations.

Read more
+6 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping17

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal6

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs4

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.

Lace Tempest | Mallory