
CLOP RANSOMWARE: DISSECTING NETWORK

NOTE: This research focuses purely on the network infrastructure used by the Clop ransomware group during its intrusions at different victims.

  • INTRODUCTION
  • GETTING FOOTHOLD: CVE-2025-61882 ORACLE EBS EXPLOIT
  • IP ANALYSIS
  • INFRASTRUCTURE RE-USAGE: MAJOR BREAKTHROUGH
  • MAPPING NETWORK: EXPLOITATION INCIDENTS
  • HIGH CONFIDENCE FINGERPRINTS
  • SUB-NETTING: MALICIOUS NEIGHBORHOOD
  • OTHER FINGERPRINTS FOR ANALYSIS
  • CONCLUSION
  • WHAT YOU CAN DO?
  • KEY TAKEAWAYS

INTRODUCTION

Cl0p, aka Clop, is a prominent ransomware group that has been operating since early 2019, consistently infiltrating both corporate and private networks and extorting more than $500M since its inception. Its roots can be traced to Russia, which is consistent with its avoidance of CIS countries as targets. Cl0p is believed to be a variant of the CryptoMix ransomware, which dates back to 2016.

So far, the group's victim count stands at 1,025, which makes it one of the largest and most consistent ransomware groups in the wild.

[Figure: Cl0p's usual attack path | Credit: Vecteezy, edited by the author]

The group is named Clop because it appends the extension ".cl0p" to the files it encrypts (the word also means "bedbug" in Russian).

They are notable for exploiting the latest 0-day vulnerabilities, such as the following:

[Figure: CVEs exploited by Clop]

GETTING FOOTHOLD: CVE-2025-61882 ORACLE EBS EXPLOIT

The Oracle E-Business Suite 0-day was first exploited in June 2025. While looking into CVE-2025-61882, the following interesting detail came up.

On 4 October 2025, Oracle shared 2 potential (outbound) IP addresses.

[Figure: IOCs shared by Oracle]

NOTE: CVE-2025-61882 is a critical zero-day vulnerability in Oracle E-Business Suite (EBS), an integrated enterprise resource planning (ERP) application used for functions like order management, procurement, and logistics. Discovered through in-the-wild exploitation, it poses a severe risk to organizations relying on EBS for core business operations.

I picked the IPs and started down the rabbit hole.

IP: 185.181.60.11 🇳🇴
ASN: AS56655
ENTITY: Gigahost

IP: 200.107.207.26 🇸🇻
ASN: AS273045
ENTITY: DATAHOME S.A.

Upon scanning, I found the following fingerprints:

IP: 185.181.60.11 🇳🇴
FP: 43c8923f1ed3fcac411db874e2facc611254be1def53d72638321ed57663588a

IP: 200.107.207.26 🇸🇻
FP: bd613b3be57f18c3bceb0aaf86a28ad8b6df7f9bccacf58044f1068d1787f8a5

Searching on the fingerprint of the Norwegian IP returned no other IPs or networks associated with it.

However, an interesting pivot turned up when I searched on the El Salvadoran IP's fingerprint (FP: bd613b3be57f18c3bceb0aaf86a28ad8b6df7f9bccacf58044f1068d1787f8a5): it returned 96 results on internet scanners such as Shodan or FOFA.

The following 96 IPs were found (note that the scanner output lists 5.188.86.185 twice, so there are 95 unique addresses):

193.142.30.37
147.78.46.81
147.45.112.203
147.45.112.219
147.45.112.205
147.45.112.231
147.45.112.220
147.45.112.253
103.214.147.176
103.214.147.178
103.214.147.187
103.214.147.177
5.188.86.185
45.227.255.31
193.142.30.194
5.188.87.46
88.214.27.172
193.142.30.205
193.142.30.165
193.29.13.240
193.29.13.150
45.227.252.199
5.188.86.185
193.24.211.249
147.78.46.164
103.214.147.181
194.34.239.33
147.78.46.134
88.214.27.43
45.182.189.72
45.182.189.107
78.128.112.222
88.214.25.221
194.34.239.44
200.107.207.102
200.107.207.26
103.214.147.182
147.78.46.69
193.142.30.99
91.199.163.65
91.199.163.59
45.227.255.29
5.178.1.17
37.156.246.166
45.182.189.183
45.227.252.226
45.227.255.28
45.227.255.74
193.24.211.244
46.161.27.113
45.182.189.224
31.41.33.242
193.24.211.240
185.99.3.99
31.41.33.241
194.165.16.54
88.214.26.38
193.24.211.242
45.182.189.194
37.156.246.168
200.107.207.31
5.188.87.49
5.188.87.39
5.188.86.66
5.188.86.71
5.188.86.70
5.188.87.37
5.188.87.35
5.188.86.72
5.188.86.162
5.188.86.217
5.188.86.184
5.178.1.13
46.161.27.155
46.161.27.158
5.188.206.214
88.214.27.72
88.214.25.211
88.214.27.175
88.214.27.179
88.214.27.177
88.214.25.243
88.214.25.242
45.182.189.181
147.78.47.243
185.232.67.15
147.78.47.236
78.128.112.137
78.128.112.138
147.78.47.178
81.19.136.231
185.55.242.97
193.29.13.153
179.60.149.223
179.60.149.244
179.60.149.249

IP ANALYSIS

Germany tops the list with 16 IPs, followed by Brazil (13), Panama (12) and Hong Kong (6).

Here is the detailed run-down by geo-location:

Interestingly, Russia sits at the bottom of the list with 3 IPs, which suggests a deliberate shift by the Clop group away from Russian IP space now that many organizations block Russian ASNs outright.

Checking the IP hosting entities, Alviva Holding Limited tops the list (with 15 IPs hosted); we have already covered their shady practices in this research article, which you can find here.

Here is the detailed run-down by hosting entity:

Inspecting the ASN geography, the repeated ASN counts come from Russia, the Netherlands and Panama:

  • RUSSIA #3
  • NETHERLANDS #3
  • PANAMA #3
  • HONGKONG #2
  • BULGARIA #2

So although the IPs geo-locate to other countries, the ASN providers behind them are frequently Russian.

INFRASTRUCTURE RE-USAGE: MAJOR BREAKTHROUGH

Out of the 96 IPs, 41 fall into subnets that the Clop (Cl0p) ransomware group already used during the MOVEit exploitation (cross-checked against the official CISA report).

The overlapping subnet IPs (relative to the MOVEit exploit IOCs) are:

5.188.86.185
45.227.255.31
5.188.87.46
88.214.27.172
45.227.252.199
5.188.86.185
88.214.27.43
45.182.189.72
45.182.189.107
88.214.25.221
45.227.255.29
45.182.189.183
45.227.252.226
45.227.255.28
45.227.255.74
45.182.189.224
88.214.26.38
45.182.189.194
5.188.87.49
5.188.87.39
5.188.86.66
5.188.86.71
5.188.86.70
5.188.87.37
5.188.87.35
5.188.86.72
5.188.86.162
5.188.86.217
5.188.86.184
5.188.206.214
88.214.27.72
88.214.25.211
88.214.27.175
88.214.27.179
88.214.27.177
88.214.25.243
88.214.25.242
45.182.189.181
179.60.149.223
179.60.149.244
179.60.149.249

NOTE: It is crucial to note that threat actors tend not to re-use IP addresses already flagged for malicious activity, but instead use neighbouring IPs for fresh attacks. Hence the above list is not an exact match but lies in the same subnets.

In June 2023, CISA officially released a set of IOCs related to the MOVEit vulnerability exploited by the Cl0p group.

As per this tweet from Chris, the same fingerprint was used by Cl0p in 2023 for the MOVEit exploitation.

NOTE: There is also misleading research about Clop, such as this, which claims the listed email addresses belong to fraudsters; in reality they are Clop's, as they appear on the group's DLS.

Pivoting on another fingerprint, "f95812cbb46f0a664a8f2200592369b105d17dfe8255054963aac4e2df53df51", most of the resulting IPs overlap with the previous result and sit in the same or closely adjacent subnets.
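The neighbour-match logic from the note above, written out as an added Python example (my code, not tooling from the article or from CISA). It compares a freshly scanned cluster against an earlier IOC list and separates exact re-use from addresses that merely share a /24. The two input lists are constructed from RFC 5737 documentation ranges and stand in for the fingerprint cluster and the CISA MOVEit IOCs, which are not reproduced here.

```python
"""Compare a new IP cluster with an earlier IOC list at address and /24 level.

Added example for this article; the lists are constructed from RFC 5737
documentation ranges and are not real indicators.
"""
import ipaddress
from typing import Dict, Iterable, List


def subnet24(ip: str) -> str:
    """Return the /24 containing an IPv4 address: '5.188.86.185' -> '5.188.86.0/24'.

    ipaddress validates the input, so a mangled entry in a pasted IOC list
    raises a ValueError instead of quietly producing a bogus bucket.
    """
    addr = ipaddress.IPv4Address(ip)
    return str(ipaddress.ip_network(f"{addr}/24", strict=False))


def compare_clusters(new_ips: Iterable[str], reference_ips: Iterable[str]) -> Dict[str, List[str]]:
    """Bucket new_ips into exact re-use, same-/24 neighbours, and unseen addresses.

    Both inputs are deduplicated first: scanner exports repeat addresses
    (the article's 96-IP list contains 5.188.86.185 twice), and a duplicate
    would otherwise inflate every count.
    """
    new = set(new_ips)
    ref = set(reference_ips)
    ref_nets = {subnet24(ip) for ip in ref}

    exact = new & ref
    neighbour = {ip for ip in new - ref if subnet24(ip) in ref_nets}
    unseen = new - ref - neighbour
    by_addr = ipaddress.IPv4Address  # numeric order instead of string order
    return {
        "exact": sorted(exact, key=by_addr),
        "neighbour": sorted(neighbour, key=by_addr),
        "unseen": sorted(unseen, key=by_addr),
    }


# Constructed sample data (RFC 5737 ranges), not real IOCs.
REFERENCE_IOCS = ["198.51.100.7", "198.51.100.9", "203.0.113.40"]
NEW_CLUSTER = [
    "198.51.100.7",    # exact re-use of a flagged address
    "198.51.100.7",    # duplicate, as scanner exports often contain
    "198.51.100.200",  # same /24 as a flagged address: a "neighbour"
    "203.0.113.41",    # neighbour of 203.0.113.40
    "192.0.2.15",      # no prior sighting
]

if __name__ == "__main__":
    for bucket, ips in compare_clusters(NEW_CLUSTER, REFERENCE_IOCS).items():
        print(f"{bucket:9s} {len(ips):2d}  {', '.join(ips)}")
```

The article's "41 of 96" figure corresponds to the exact and neighbour buckets taken together; per the note above, a neighbour hit on its own is a weaker signal than an exact hit and should be weighted accordingly when scoring.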

MAPPING NETWORK: EXPLOITATION INCIDENTS 

This section closely analyzes each set of Clop ransomware IP networks reported for each exploitation incident.

CASE 1: MOVEit Exploit (SQLi) [CVE-2023-34362]
Source: FBI/CISA REPORT

136 IPs are observed in CISA's MOVEit exploit cluster.

CASE 2: FORTRA GoAnywhere Exploit (Command Injection) [CVE-2023-0669]
Source: FBI/CISA REPORT

44 IPs are observed in the FORTRA GoAnywhere exploit.

A major share of these IPs also appear in the MOVEit exploit set, which makes the overlap significant.

From the above two exploit cases, we narrow down to the 37 IPs that appear in both (an exact match). Hence we consider them a high-confidence Cl0p network. They are:

92.118.36.249
5.34.180.48
185.33.86.225
148.113.159.213
15.235.13.184
82.117.252.141
185.80.52.230
91.222.174.68
5.34.178.31
185.104.194.134
5.34.178.28
185.81.113.156
5.34.178.30
209.222.98.25
185.117.88.2
79.141.160.78
185.33.87.126
82.117.252.142
15.235.83.73
81.56.49.148
96.44.181.131
192.42.116.191
213.121.182.84
104.200.72.149
142.44.212.178
54.39.133.41
76.117.196.3
166.70.47.90
208.115.199.25
216.144.248.20
173.254.236.131
3.101.53.11
54.184.187.134
100.21.161.34
44.206.3.111
20.47.120.195
198.137.247.10

Analyzing the above set of IPs, 59.5% geo-locate to the US, followed by Canada (13.5%) and the Netherlands (8.1%).

By ASN, HZ Hosting Ltd tops the list with 19.4%, Green Floyd with 16.7% and OVH with 13.9%.

The above set of IPs should be considered a high-confidence Cl0p network, as both exploits occurred in 2023:

  • May 2023: MOVEit
  • January 2023: GoAnywhere

From this, it is evident that Cl0p stuck to the above IPs across both 2023 exploits, a span of roughly five months (and the latest report still references them).

However, the latest set of IPs released by Oracle for the EBS 0-day exploit has no connection with the above cluster (except 200.107.207.26). They are the following (already seen in the reference image above), but the fingerprints don't lie:

200.107.207.26
161.97.99.49
162.55.17.215
104.194.11.200

Hence we can see that the threat actor is transitioning away from its usual networks.

HIGH CONFIDENCE FINGERPRINTS

From the above set of IPs, we now pivot to fingerprints.

Here we pick high-confidence fingerprints from the Cl0p network. For this, we use the Cl0p domains found on their DLS and in their ransom notes.

The listed Cl0p Domains are :

  • pubstorm.com
  • pubstorm.net
  • he1p-me.com
  • cl-leaks.com
  • he1p-center.com
  • goto-pay.com
  • in2pay.com

After checking the 58 resolved IPs of the above domains, we dig deeper into 6 IPs (after eliminating shared AWS network IPs):

IP: FINGERPRINT

147.45.112.231: bd613b3be57f18c3bceb0aaf86a28ad8b6df7f9bccacf58044f1068d1787f8a5
88.214.27.72:   bd613b3be57f18c3bceb0aaf86a28ad8b6df7f9bccacf58044f1068d1787f8a5

81.19.138.52:      f95812cbb46f0a664a8f2200592369b105d17dfe8255054963aac4e2df53df51
200.107.207.15/37: 6877d8531901040aedfc7dc3d9af121bf1800c66c8960a60cc3fd4c361135869
68.183.120.53:     1234387dc20796ac8142d46b173bc635339c5041e2b108ca07274a90cc512268
5.42.246.34:       aa6d071d787ea8e8d054f7a699301f732cf73552d1df09a0155a5307b43df293

Among these, FP f95812cbb46f0a664a8f2200592369b105d17dfe8255054963aac4e2df53df51 yields about 53 IPs, from which the following information can be deduced. They are:

194.165.16.113
5.178.1.16
88.214.25.214
91.238.181.229
88.214.25.228
91.238.181.236
147.78.46.117
45.156.248.206
5.188.86.189
193.142.30.242
5.188.87.40
147.78.46.26
88.214.25.213
45.145.20.212
194.34.239.36
5.178.1.7
141.98.82.242
45.227.255.214
193.142.30.134
179.60.145.216
179.60.150.121
179.60.150.132
45.182.189.109
185.232.67.101
88.214.26.37
88.214.26.25
147.78.46.163
147.78.46.112
193.142.30.144
193.142.30.100
147.78.46.97
31.41.33.240
147.78.46.115
5.188.86.205
193.142.30.137
5.188.86.213
193.142.30.39
5.188.86.206
37.156.246.165
92.118.36.204
141.98.82.198
45.227.253.29
179.60.150.151
81.19.138.52
193.142.30.66
194.165.16.93
194.165.16.92
5.188.86.231
5.178.1.19
5.188.87.38
5.178.1.12
5.188.86.163
5.178.1.9

15.1% of IPs are Geo-Located to Brazil, followed by Iran (13.2%), Lebanon (11.3%), Azerbaijan (9.4%), and Panama (9.4%).

In case of ASN, Batterflyai Media ltd tops the list with 25.5%, followed by Global Layer B.V. (15.7%), Layer 7 Networks (11.8%), FlyServers (11.8%), Tribeka Web Advisors S.A (9.8%).

The remaining two fingerprints are each tied uniquely to a single IP address.

SUB-NETTING: MALICIOUS NEIGHBORHOOD

We have already found 37 IPs with an exact match across both exploit cases. But that alone won't be enough, as threat actors won't keep using the same red-flagged IPs all the time. They do, however, keep using the same networks.

To check the subnets, we need to look for repeated patterns.

Here we combine the clusters of the 2 fingerprints with the 37 high-confidence IPs (found in both exploitations) and count how many addresses fall into each /24 (first three octets).

It is vital to note that the following IP subnets are the ones most used by Cl0p/Clop in their ransomware attacks.

Repeated Count | IP Subnet (/24)
================================

14 | 5.188.86
12 | 193.142.30
10 | 147.78.46
7 | 45.182.189
7 | 5.178.1
7 | 5.188.87
7 | 88.214.25
6 | 103.214.147
6 | 147.45.112
6 | 88.214.27
5 | 45.227.255
4 | 193.24.211
4 | 194.165.16
3 | 147.78.47
3 | 179.60.149
3 | 179.60.150
3 | 193.29.13
3 | 194.34.239
3 | 200.107.207
3 | 31.41.33
3 | 37.156.246
3 | 46.161.27
3 | 78.128.112
3 | 88.214.26
2 | 141.98.82
2 | 185.232.67
2 | 45.227.252
2 | 5.34.178
2 | 82.117.252
2 | 91.199.163
2 | 91.238.181
2 | 92.118.36

77.8% of the addresses fall into reused subnets [144/185 matched].

Since this also holds for the IPs found with Cl0p's latest fingerprints, it is notable. It brings us to a common denominator for how Cl0p launches attacks: reused infrastructure.

NOTE: The IPs discussed here are strongly tied to Cl0p one way or another. This could be due to the threat actors' adoption of a VPN that routes traffic through common egress points.

The shared subnet infrastructure above could also be used by other threat actors/campaigns and should NOT be attributed to Clop/Cl0p on a subnet match alone.
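The "Repeated Count" table above is a frequency count over /24s. As an added example (my code, not the article's), the following Python reproduces that computation on constructed documentation-range clusters: it deduplicates addresses across clusters, ranks /24s by how many addresses land in them, and reports the share of addresses that sit in a subnet holding two or more members, which is the kind of ratio behind the 144/185 figure. The cluster names are placeholders for the two fingerprint result sets and the 37 high-confidence IPs.

```python
"""Rank /24 subnets by recurrence across several Cl0p IP clusters.

Added example, not the article's tooling; cluster contents are constructed
from RFC 5737 documentation ranges.
"""
import ipaddress
from collections import Counter
from typing import Dict, Iterable, List, NamedTuple, Tuple


def subnet24(ip: str) -> str:
    """'198.51.100.7' -> '198.51.100.0/24' (raises on a malformed address)."""
    return str(ipaddress.ip_network(f"{ipaddress.IPv4Address(ip)}/24", strict=False))


class ReuseReport(NamedTuple):
    ranked: List[Tuple[str, int]]  # (subnet, address count), most repeated first
    reused: int                    # addresses in a subnet holding >= min_count
    total: int                     # unique addresses across all clusters

    @property
    def ratio(self) -> float:
        return self.reused / self.total if self.total else 0.0


def subnet_reuse(clusters: Dict[str, Iterable[str]], min_count: int = 2) -> ReuseReport:
    """Count /24 recurrence over the union of all clusters.

    Addresses are deduplicated across clusters first; the article's 96-IP
    scanner output lists 5.188.86.185 twice, which is how 96 + 53 + 37
    collapse to the 185 unique addresses it reports.
    """
    unique_ips = {ip for ips in clusters.values() for ip in ips}
    counts = Counter(subnet24(ip) for ip in unique_ips)
    ranked = sorted(
        counts.items(),
        key=lambda kv: (-kv[1], ipaddress.ip_network(kv[0])),  # count desc, then numeric
    )
    reused = sum(n for n in counts.values() if n >= min_count)
    return ReuseReport(ranked, reused, len(unique_ips))


# Constructed clusters (documentation ranges), standing in for the two
# fingerprint result sets and the 37 high-confidence IPs.
CLUSTERS = {
    "fingerprint_bd61": ["198.51.100.1", "198.51.100.2", "198.51.100.3", "203.0.113.5"],
    "fingerprint_f958": ["198.51.100.4", "203.0.113.6", "192.0.2.9"],
    "high_confidence": ["198.51.100.1", "203.0.113.5"],  # overlaps the first cluster
}

if __name__ == "__main__":
    report = subnet_reuse(CLUSTERS)
    print("Repeated Count | IP Subnet")
    for net, n in report.ranked:
        print(f"{n:14d} | {net}")
    print(f"reused {report.reused}/{report.total} = {report.ratio:.1%}")
```

A /24 is the right granularity for the hosters in this article because they hand out addresses in contiguous blocks, but the same function works for a coarser prefix if you change the `/24`; raising `min_count` is the knob for demanding stronger recurrence before a subnet goes on a watch-list.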

OTHER FINGERPRINTS FOR ANALYSIS

Here are a few more fingerprints associated with Cl0p with medium confidence.

5.34.180.48: 678266acbbb36795e41a210f15e25af212a2e65f34c282cb52c023ba55e164d5
91.222.174.68: 8c614d8111aca771e32ed304b9253992c5c7c8faa5b62c9141aaca595f061df3
79.141.160.78: 2c0c80c66246d13871f05b663d42767b0e7511df9ab18c26d3504b0ae80b2045
185.33.87.126: 7b04ac63dc41d61d409b936d2fdce47c255461f0d1d5ae86a9ddecd39e964548
82.117.252.142: 5cce1b8f04cb3766b2d70738ad35c5d8b0ef1e802f193baccc5058478e9859a3
15.235.83.73: b1eff60fe6c57a5a4d1136b7d2c711d058aae6d0242ba4aa1a00c3027cbdca09

NOTE: We didn't dive deep into the above fingerprints, as their attribution to the Cl0p network carries less confidence. Once a strong indicator matches, add it to your watch-list!

CONCLUSION

The exact fingerprint the group used in 2023 appearing again in the latest Oracle EBS 0-day exploit shows that the group still relies on its older network (alongside newly adopted infrastructure) for its operations.

As that fingerprint was previously associated with the 2023 exploits, it can be deduced that the group relies on that network specifically for CVE exploitation.

The trail of fingerprinted infrastructure shows that the group is persistent in using the same network over time. It does not mean the same network will not be used by others.

We have seen traces of Royal ransomware, ShadowSyndicate, TrueBot, etc. in the discussed subnets.

NOTE: I haven't included the torrent network used by Cl0p/Clop, as detailed research has already been published by Unit42 here.

WHAT YOU CAN DO?

1. Monitor network traffic to and from the above subnets
2. Create a grey list containing these IPs for real-time observation
3. Check for activity at unusual hours
4. Even once-a-week beaconing should be investigated if it involves a repeated network
5. IPs can't always be blocked, so observe the anomalies instead
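The five points above, turned into detection logic as an added example (my code, not from the article). Connections to a watch-listed /24 are flagged rather than blocked, and each (source, destination) pair is then checked for a regular contact interval so that a once-a-week check-in surfaces even though it would never trip a volume threshold. The watch-list entries, log format and log lines are constructed for the example using RFC 5737 ranges; in practice the watch-list would hold the article's /24s and the parser would match your proxy or firewall export.

```python
"""Grey-list egress monitor with slow-beacon detection.

Added example, not from the article. Watch-list entries and log lines are
constructed (RFC 5737 ranges), not Cl0p indicators.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev
from typing import Dict, List, Optional, Tuple

# Constructed watch-list; in practice this holds the article's /24s.
WATCHLIST = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]

# Constructed egress log: "<UTC timestamp> <src> -> <dst>:<port> <bytes>".
# 10.0.5.23 contacts one watch-listed host every Wednesday around 02:13.
SAMPLE_LOG = """\
2025-10-01T02:13:00Z 10.0.5.23 -> 198.51.100.44:443 812
2025-10-03T09:30:00Z 10.0.7.4 -> 192.0.2.10:443 20481
2025-10-03T09:31:00Z 10.0.7.4 -> 203.0.113.9:8443 4096
2025-10-08T02:14:00Z 10.0.5.23 -> 198.51.100.44:443 809
2025-10-15T02:13:00Z 10.0.5.23 -> 198.51.100.44:443 815
2025-10-22T02:12:00Z 10.0.5.23 -> 198.51.100.44:443 811
"""

Contact = Tuple[str, str]  # (src, dst)


def parse_line(line: str) -> Tuple[datetime, str, str, int]:
    """Split one constructed log line into (timestamp, src, dst, port)."""
    ts, src, _arrow, dst_port, _nbytes = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(port)


def watchlisted(dst: str) -> Optional[str]:
    """Return the matching watch-list subnet, or None (IPv6 never matches a /24)."""
    addr = ipaddress.ip_address(dst)
    return next((str(net) for net in WATCHLIST if addr in net), None)


def flag_connections(log: str) -> Dict[Contact, List[datetime]]:
    """Timestamps of every contact with a watch-listed subnet, keyed by (src, dst)."""
    hits: Dict[Contact, List[datetime]] = defaultdict(list)
    for line in filter(str.strip, log.splitlines()):
        ts, src, dst, _port = parse_line(line)
        if watchlisted(dst):
            hits[(src, dst)].append(ts)
    return dict(hits)


def beacon_candidates(
    hits: Dict[Contact, List[datetime]], min_contacts: int = 3, max_jitter: float = 0.1
) -> List[Tuple[str, str, timedelta]]:
    """Pairs whose contact intervals are regular (relative std dev <= max_jitter).

    Jitter is measured relative to the mean gap, so a weekly check-in with a
    minute of slop scores ~0 and is caught regardless of how slow it is.
    """
    found = []
    for (src, dst), stamps in hits.items():
        if len(stamps) < min_contacts:
            continue
        stamps = sorted(stamps)
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mu = mean(gaps)
        if mu > 0 and pstdev(gaps) / mu <= max_jitter:
            found.append((src, dst, timedelta(seconds=mu)))
    return found


if __name__ == "__main__":
    hits = flag_connections(SAMPLE_LOG)
    for (src, dst), stamps in hits.items():
        print(f"GREY   {src} -> {dst} ({watchlisted(dst)}) x{len(stamps)}")
    for src, dst, period in beacon_candidates(hits):
        print(f"BEACON {src} -> {dst} every {period}")
```

On the sample log, 10.0.7.4's single contact with 203.0.113.9 is grey-listed but not a beacon candidate, while 10.0.5.23's four weekly contacts with 198.51.100.44 are reported with a period just under seven days; in a real deployment the grey list feeds an alert queue, not a block list, exactly as point 5 advises.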

You may find the complete IOCs on my Github Profile here

KEY TAKEAWAYS

1. The same fingerprint used in the Oracle E-Business Suite 0-day exploit (Oct 2025) was also observed in the 2023 MOVEit and GoAnywhere exploits
2. A sudden increase in networks from Lebanon, Iran and Azerbaijan was spotted
3. Batterflyai Media Ltd. is a notable ASN, located in Russia
4. Even if you don't spot Russian IPs, the IPs may still belong to Russian ASNs
5. When you come across the mentioned subnets, don't conclude it is Clop/Cl0p ransomware; they could be used by anyone, even for legitimate purposes
6. 77.8% of the IPs observed in Cl0p attacks fall into reused subnets
7. Cl0p is expert at exploiting the latest CVEs before patches are available

NOTE: This article is individual research belonging to THE RAVEN FILE and is not to be used or published anywhere without the author's consent.
