ShellCodeX
Tools β€’ Events β€’ News β€’ Insights
Threat Group Profile

clop

Dormant / historical
Victim claims 2
First seen May 2026
Last activity 01 May 2026
Tracked since β€”

Group overview

The ransomware group known as Cl0p is a variant of a previously known strain dubbed CryptoMix. It is worth noting that this variant was delivered as the final payload in a phishing campaign in 2019 and was exclusively financially motivated, with attacks carried out by the threat actors TA505. At that time, malicious actors sent phishing emails that led to a macro-enabled document that would drop a loader called 'Get2.' After gaining an initial foothold in the system or infrastructure, the actors began using reconnaissance, lateral movement, and exfiltration techniques to prepare for the deployment of the ransomware. After the execution of the ransomware, Cl0p appends the extension '.clop' to the end of files, or other types of extensions such as '.CIIp, .Cllp, and .C_L_O_P,' as well as different versions of the ransom note that were also observed after encryption. Depending on the variant, any of the ransom text files were created with names like 'ClopReadMe.txt, README_README.txt, Cl0pReadMe.txt, and READ_ME_!!!.TXT.' The Clop operation has shifted from delivering its final payload via phishing and has begun initiating attacks using vulnerabilities that resulted in the exploitation and infection of victims' infrastructures.Source: https://github.com/crocodyli/ThreatActors-TTPs

Preferred targets

Business Services Β· 1 Healthcare Β· 1

Most targeted countries

US Β· 2

Tactics & techniques (MITRE ATT&CK)

Initial Access

Valid accounts Exploit public-facing application Phishing: Spear-phishing attachment

Execution

Command and scripting interpreter Native API User execution

Persistence

Create or modify system process: Windows service Boot or logon autostart execution

Privilege Escalation

Exploitation for privilege escalation Domain Policy modification: Group Policy modification Hijack execution flow

Defense Evasion

Masquerading: invalid code signature Process injection: DLL injection Indicator removal on host: clear Windows event logs Indicator removal on host: file deletion Deobfuscate/Decode files or information Indirect command execution Impair defenses: disable or modify tools

Discovery

Query registry Remote system discovery Process discovery Security software discovery System information discovery File and directory discovery

Lateral Movement

Remote services: SMB/Windows admin shares Lateral tool transfer

Collection

Data from local system

Victim Claims Timeline

Back to radar
INJURYLAWYERS.COM
πŸ‡ΊπŸ‡Έ US Business Services INJURYLAWYERS.COM
INTEGRALIFE.COM
πŸ‡ΊπŸ‡Έ US Healthcare INTEGRALIFE.COM