
Cl0p's CLEO MFT Exploitation: Mass Data Theft at Scale

Cl0p's systematic exploitation of critical vulnerabilities in CLEO Harmony, VLTrader, and LexiCom managed file transfer software has enabled mass data theft across financial services and logistics sectors globally.

By Ransomware Tracker · Sectors: finance, logistics
Tags: Cl0p, CLEO, MFT, zero-day, supply chain, data extortion

Campaign Summary

Cl0p (also written Clop; its activity overlaps with the clusters tracked as TA505 and FIN11) has established a pattern of mass exploitation campaigns against managed file transfer (MFT) software. Following its GoAnywhere MFT campaign in early 2023 and the MOVEit Transfer exploitation later that year, which affected thousands of organizations, Cl0p has turned to CLEO's product suite with predictable and damaging results.

The current campaign began in late 2025 and has accelerated into 2026, with Cl0p claiming over 120 organizations as victims in the first wave. CLEO's software (Harmony, VLTrader, and LexiCom) is widely deployed for supply chain, logistics, and financial sector data exchange: precisely the high-value, data-rich targets Cl0p has repeatedly favoured.

Vulnerability Details

The exploitation chain leverages two vulnerabilities in CLEO products:

CVE-2025-XXXX (CVSS 9.8, Critical): An unauthenticated remote code execution vulnerability in CLEO Harmony's file upload handler. The vulnerable endpoint accepts multipart file uploads without properly validating authentication when particular HTTP header values are present. Attackers craft a request that bypasses the authentication check while writing a malicious file into the autorun directory, from which CLEO processes it.

CVE-2025-XXXY (CVSS 8.8, High): A path traversal flaw in VLTrader's web administration interface that allows authenticated, low-privilege users to read and write files outside the application root. In practice, Cl0p obtains the authenticated session through default or weak credentials and uses the traversal as an arbitrary file write, which is then leveraged for RCE.

CLEO released patches in October 2025, but exploitation was first observed in November. Exploitation that begins after patches are available points to rapid weaponisation against deployments that had not yet patched; it would indicate a genuine zero-day window only if the October fixes were incomplete. Both vulnerabilities affect Harmony, VLTrader, and LexiCom up to and including version 5.8.0.21.
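The traversal half of the chain, illustrated generically as an added example (this is not CLEO's code nor anything recovered from the campaign): a user-supplied path resolved beneath the application root with no containment check, beside a hardened resolver that decodes, normalises and then verifies containment with realpath. APP_ROOT and the request paths are constructed for the demonstration.

```python
# Added example, not CLEO's code: generic illustration of the flaw class
# described above (a web user's path joined to the application root without
# a containment check) next to a hardened version.
import os
import urllib.parse

APP_ROOT = "/opt/cleo/webapp"          # assumed deployment root (constructed)


def resolve_vulnerable(user_path: str) -> str:
    """Naive join. os.path.join discards APP_ROOT entirely when user_path is
    absolute, and normpath happily collapses '..' segments out of the root."""
    return os.path.normpath(os.path.join(APP_ROOT, user_path))


def resolve_hardened(user_path: str) -> str:
    """Decode once (as the web layer would), treat backslashes as separators,
    anchor the path under APP_ROOT, then prove containment on the real path.
    Raises ValueError if the resolved path escapes the root."""
    decoded = urllib.parse.unquote(user_path).replace("\\", "/")
    # A leading slash would otherwise replace the root, so make it relative.
    candidate = os.path.realpath(os.path.join(APP_ROOT, decoded.lstrip("/")))
    root = os.path.realpath(APP_ROOT)
    # realpath also follows symlinks, so a link planted inside the root that
    # points outside it is caught here. commonpath is the containment test; a
    # bare startswith() would accept a sibling such as /opt/cleo/webapp-old.
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"path escapes application root: {user_path!r}")
    return candidate


def is_contained(user_path: str) -> bool:
    """Boolean wrapper around resolve_hardened for use in tests and filters."""
    try:
        resolve_hardened(user_path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for p in ("inbound/order123.edi", "../../../etc/passwd", "/etc/passwd",
              "..%2f..%2f..%2fetc/passwd", r"..\..\..\windows\win.ini"):
        print(f"{p!r:32} naive -> {resolve_vulnerable(p):28} contained? {is_contained(p)}")
```

Note that the hardened resolver maps an absolute request path such as /etc/passwd to a location inside the root rather than rejecting it outright; either behaviour is safe, but rejecting is the better choice when absolute paths are never legitimate input.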

Attack Chain Analysis

Incident response firms responding to Cl0p-attributed CLEO intrusions have documented a consistent attack pattern:

Stage 1: Initial Exploitation

Cl0p's automated scanning infrastructure identifies internet-exposed CLEO instances through Shodan-like queries and banner identification. Exploitation attempts begin within hours of discovery. The initial payload is a Java-based webshell, reported as an updated variant of DEWMODE, the webshell previously tied to Cl0p, dropped into the CLEO application directory through the file upload vulnerability.

Stage 2: Persistence and Reconnaissance

Once the webshell is established, the threat actor performs:

  • Host enumeration (hostname, OS version, network interfaces)
  • Active Directory queries to identify the organizational context
  • Network share discovery via SMB enumeration
  • Location of data exchange directories, which in CLEO environments often contain structured business data: purchase orders, invoices, shipping manifests, EDI documents, and customer records

Stage 3: Data Exfiltration

Cl0p’s exfiltration methodology is optimized for speed and volume:

  • Custom data staging utility (observed as cleo_sync.exe in some incidents — a named-pipe-based tool that aggregates files from multiple directories)
  • Compression with 7-Zip (often using the CLEO server’s own 7-Zip installation)
  • Exfiltration over HTTPS to attacker-controlled infrastructure hosted on bulletproof providers
  • Data volumes observed: 50 GB to 2.4 TB per victim, depending on data richness

Notably, Cl0p does not deploy file-encrypting ransomware in these MFT campaigns. The extortion model is pure data theft: pay to prevent publication on their leak site and (claimed) secondary sales.

Stage 4: Extortion

Victims receive contact instructions through notes left in CLEO directories. Cl0p’s negotiation approach for this campaign:

  • Initial demand: typically 2–5% of the victim company's annual revenue
  • Negotiation window: 10 days before first data publication
  • Partial data samples shared with victims to establish credibility
  • Claimed secure deletion upon payment (unverifiable)

Sector Impact: Finance

Financial institutions are among the hardest-hit sectors because CLEO software is deeply embedded in B2B payment file exchange: ACH batch files, SWIFT message routing, and inter-bank transaction records. The sensitivity of this data, which contains account numbers, routing numbers, and transaction details, creates significant regulatory and breach-notification exposure for victim organizations.

Observed victim profiles in finance: regional banks using CLEO for ACH file transmission, insurance companies using CLEO for EDI claims processing, and fintech platforms using it for partner data exchange.

Sector Impact: Logistics and Supply Chain

Logistics is the other major target sector. CLEO software is used extensively for EDI 204/214/990 transaction sets (load tender, shipment status, response to load tender), creating a trove of business intelligence data. For third-party logistics providers (3PLs), a successful Cl0p intrusion may expose data belonging to dozens of their clients — a multiplier that increases both Cl0p’s leverage and the downstream notification burden.

Indicators of Compromise

File system:

  • <CLEO_ROOT>/autorun/*.xml — malicious autorun configurations (legitimate deployments may also use autorun, so review file contents and creation times rather than alerting on presence alone)
  • <CLEO_ROOT>/bin/cleo_sync.exe — data staging utility
  • Java webshell artifacts in <CLEO_ROOT>/webapp/WEB-INF/

Network:

  • Outbound HTTPS to ASNs associated with bulletproof providers (AS59729 and AS200651 observed in the 2026 campaign)
  • Unusually high outbound data volumes from CLEO server processes
  • DNS lookups to newly registered domains following CLEO-themed naming patterns

Process:

  • The CLEO service's java.exe spawning cmd.exe or powershell.exe
  • 7-Zip execution from within the CLEO application directory
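Hunting logic for the file, network and process indicators above, as an added example that is not part of the original report or of any CLEO tooling. It runs over constructed Sysmon-style records; the field names (image, parent_image, target_file, dest_asn, bytes_out), the CLEO_ROOT install path, the .jsp extension for the webshell and the 5 GiB egress threshold are all assumptions standing in for whatever the EDR and flow collector actually export.

```python
# Added example (not from the original report or from CLEO): hunt for the
# listed IOCs in constructed Sysmon-style telemetry. Field names, install
# path and thresholds are assumptions; adapt them to the real data source.
import fnmatch
import ntpath
from typing import Dict, Iterable, List

CLEO_ROOT = r"C:\Cleo\Harmony"                       # assumed install path (constructed)
SHELLS = {"cmd.exe", "powershell.exe"}
ARCHIVERS = {"7z.exe", "7za.exe", "7zg.exe"}
SUSPICIOUS_ASNS = {59729, 200651}                    # ASNs named in the Network IOCs above
EGRESS_ALERT_BYTES = 5 * 1024 ** 3                   # 5 GiB per flow record; tune to your baseline
FILE_IOC_PATTERNS = [
    CLEO_ROOT + r"\autorun\*.xml",                   # review content: autorun may be legitimately used
    CLEO_ROOT + r"\bin\cleo_sync.exe",
    CLEO_ROOT + r"\webapp\WEB-INF\*.jsp",            # assumed extension for a Java webshell
]


def _norm(path: str) -> str:
    """Case-fold and normalise a Windows path so matches ignore case and slash style."""
    return ntpath.normcase(ntpath.normpath(path))


def _under_cleo_root(path: str) -> bool:
    return _norm(path).startswith(_norm(CLEO_ROOT) + "\\")


def hunt(events: Iterable[Dict]) -> List[Dict]:
    """Return one finding per matched indicator; benign records produce nothing."""
    findings: List[Dict] = []
    for ev in events:
        if ev["type"] == "process":
            child = ntpath.basename(ev["image"]).lower()
            parent = ntpath.basename(ev["parent_image"]).lower()
            if parent == "java.exe" and child in SHELLS:
                findings.append({"ioc": "java_spawns_shell", "host": ev["host"], "detail": ev["cmdline"]})
            # "7-Zip from within the CLEO directory": binary location or working directory.
            if child in ARCHIVERS and (_under_cleo_root(ev["image"]) or _under_cleo_root(ev.get("cwd", ""))):
                findings.append({"ioc": "archiver_in_cleo_dir", "host": ev["host"], "detail": ev["cmdline"]})
        elif ev["type"] == "file":
            target = _norm(ev["target_file"])
            if any(fnmatch.fnmatchcase(target, _norm(p)) for p in FILE_IOC_PATTERNS):
                findings.append({"ioc": "file_ioc", "host": ev["host"], "detail": ev["target_file"]})
        elif ev["type"] == "netflow":
            reasons = []
            if ev["dest_asn"] in SUSPICIOUS_ASNS:
                reasons.append(f"destination AS{ev['dest_asn']} on watchlist")
            if ev["process"].lower() == "java.exe" and ev["bytes_out"] > EGRESS_ALERT_BYTES:
                reasons.append(f"{ev['bytes_out'] / 1024 ** 3:.1f} GiB out from CLEO process")
            if reasons:
                findings.append({"ioc": "suspicious_egress", "host": ev["host"], "detail": "; ".join(reasons)})
    return findings


# Constructed telemetry: six records mirror the IOCs above, three are benign noise.
SAMPLE_EVENTS = [
    {"type": "process", "host": "MFT01", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Cleo\Harmony\jre\bin\java.exe", "cmdline": "cmd.exe /c whoami"},
    {"type": "process", "host": "MFT01", "image": r"C:\Cleo\Harmony\7-Zip\7z.exe",
     "parent_image": r"C:\Cleo\Harmony\bin\cleo_sync.exe", "cmdline": r"7z.exe a -mx1 stage.7z D:\edi\inbound"},
    {"type": "process", "host": "MFT01", "image": r"C:\Program Files\7-Zip\7z.exe",      # benign admin use
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "7z.exe x backup.7z"},
    {"type": "file", "host": "MFT01", "target_file": r"C:\Cleo\Harmony\autorun\update.xml"},
    {"type": "file", "host": "MFT01", "target_file": r"C:\Cleo\Harmony\bin\cleo_sync.exe"},
    {"type": "file", "host": "MFT01", "target_file": r"C:\Cleo\Harmony\webapp\WEB-INF\health.jsp"},
    {"type": "file", "host": "MFT01", "target_file": r"C:\Cleo\Harmony\logs\Harmony.xml"},  # benign
    {"type": "netflow", "host": "MFT01", "process": "java.exe", "dest_ip": "203.0.113.40",
     "dest_asn": 59729, "bytes_out": 48_000_000_000},
    {"type": "netflow", "host": "MFT01", "process": "java.exe", "dest_ip": "198.51.100.7",  # benign partner transfer
     "dest_asn": 64496, "bytes_out": 120_000_000},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['host']}] {f['ioc']}: {f['detail']}")
```

The autorun match is deliberately broad; in a real hunt, pivot from each hit to the file's content and creation time, and use the java.exe parent relationship as the high-confidence signal.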
Recommendations

  1. Immediate: Patch CLEO Harmony, VLTrader, and LexiCom to 5.8.0.22 or later. If patching cannot be completed within 24 hours, restrict inbound access to the CLEO web listener and administrative interfaces to known partner and management addresses; because the Harmony upload flaw is unauthenticated, filtering the administrative interface alone does not close it. Since the described exploit depends on a file landing in the autorun directory, disabling autorun processing where the deployment does not need it removes that execution path.
  2. Short-term: Audit CLEO server file systems for webshell artifacts and the file indicators above. Review CLEO access logs for anomalous HTTP requests, specifically multipart uploads from sources outside the expected partner ranges and any request referencing the autorun path.
  3. Ongoing: Implement outbound data volume monitoring on MFT server hosts, baselined per host against normal partner transfer volumes. Isolate MFT servers from direct internet egress; route them through proxies with TLS inspection and alert on destinations in the ASNs listed above.
  4. Architectural: Evaluate whether CLEO (and other MFT products) require internet-facing administration interfaces at all. Where possible, restrict management access to VPN or zero-trust network access.
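The patch-level check from step 1 and the access-log review from step 2, as one added example (not part of the original alert). The version comparison is numeric, which matters because a lexical comparison would rank 5.8.0.9 above 5.8.0.22. The log format is an assumption: a combined-style line extended with the request Content-Type, constructed here because the real CLEO log layout is not reproduced on this page; the /Harmony/upload path and the trusted partner ranges are likewise constructed.

```python
# Added example (not from the original alert or from CLEO): patch-level gate
# plus access-log triage for multipart uploads from untrusted sources and
# requests that reference the autorun path. Log format and networks are
# constructed assumptions; check the real CLEO log layout before reusing LOG_RE.
import ipaddress
import re
from typing import Dict, Iterable, List, Tuple

PATCHED_VERSION = (5, 8, 0, 22)            # first fixed release named in the recommendations


def parse_version(version: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in version.strip().split("."))


def is_patched(version: str) -> bool:
    """Numeric comparison: '5.8.0.9' is older than '5.8.0.22' even though the
    strings sort the other way, so never compare version strings lexically."""
    return parse_version(version) >= PATCHED_VERSION


# Assumed log line: client IP, two dash fields, timestamp, request line, status,
# body bytes, Content-Type (constructed; real CLEO logs may differ).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<ctype>[^"]*)"$'
)

# Constructed partner and management ranges; a multipart POST from anywhere else is a hit.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def review_access_log(lines: Iterable[str]) -> List[Dict]:
    """Return one record per suspicious request, with the reasons it was flagged."""
    hits: List[Dict] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                        # unparsable lines deserve their own count in production
        rec = m.groupdict()
        reasons = []
        if rec["method"] == "POST" and rec["ctype"].lower().startswith("multipart/") and not is_trusted(rec["ip"]):
            reasons.append("multipart upload from untrusted source")
        if "autorun" in rec["path"].lower():
            reasons.append("request path references autorun directory")
        if reasons:
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "request": f"{rec['method']} {rec['path']}",
                         "status": int(rec["status"]), "reasons": reasons})
    return hits


# Constructed sample log: one trusted partner upload, one untrusted upload,
# one probe of the autorun path, one benign GET from a management address.
SAMPLE_LOG = [
    '192.0.2.15 - - [03/Jan/2026:09:12:01 +0000] "POST /Harmony/upload HTTP/1.1" 200 512 "multipart/form-data; boundary=----edi"',
    '203.0.113.77 - - [03/Jan/2026:09:13:44 +0000] "POST /Harmony/upload HTTP/1.1" 200 771 "multipart/form-data; boundary=----x"',
    '203.0.113.77 - - [03/Jan/2026:09:13:46 +0000] "GET /Harmony/autorun/run.xml HTTP/1.1" 404 0 "-"',
    '198.51.100.9 - - [03/Jan/2026:09:20:00 +0000] "GET /Harmony/ HTTP/1.1" 200 2048 "-"',
]

if __name__ == "__main__":
    for v in ("5.8.0.9", "5.8.0.21", "5.8.0.22"):
        print(f"{v}: {'patched' if is_patched(v) else 'VULNERABLE'}")
    for hit in review_access_log(SAMPLE_LOG):
        print(hit["ip"], hit["request"], "->", "; ".join(hit["reasons"]))
```

A 404 on the autorun probe is still worth a ticket: it shows the source knows the product layout, and the same address appears seconds earlier with a successful upload.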
