**Clop Ransomware Gang Targets Gladinet CentreStack File Servers in Data Theft Attacks**
The Clop ransomware gang, also known as Cl0p, has launched a new data theft extortion campaign targeting Internet-exposed Gladinet CentreStack file servers. The CentreStack platform enables businesses to securely share files hosted on on-premises file servers through web browsers, mobile apps, and mapped drives without requiring a VPN.
Gladinet CentreStack is used by thousands of businesses in over 49 countries, according to the company's own estimates. Since April, Gladinet has released security updates to address several other security flaws that were exploited in attacks, some of them as zero-days. However, it appears that Clop has now discovered a new vulnerability or flaw in CentreStack servers that allows the gang to gain unauthorized access and exfiltrate sensitive data.
Curated Intelligence, a threat intel group, has been tracking the campaign and reports that ransom notes are being left on compromised servers by the Clop gang. However, there is currently no information available on the vulnerability or flaw that Clop is exploiting to hack into CentreStack servers. It's unclear whether this is a zero-day flaw or a previously addressed bug that the owners of the hacked systems have yet to patch.
Incident responders from Curated Intelligence have encountered at least 200 unique IP addresses running the "CentreStack - Login" HTTP title, making them potential targets of Clop. The gang's history of targeting secure file transfer products is well-documented, with previous campaigns involving Accellion FTA, GoAnywhere MFT, Cleo, and MOVEit Transfer file-sharing servers.
Most recently, Clop has been exploiting an Oracle EBS zero-day flaw (CVE-2025-61882) to steal sensitive files from many organizations since early August 2025. The list of impacted organizations includes Harvard University, The Washington Post, GlobalLogic, the University of Pennsylvania, Logitech, and Envoy Air, an American Airlines subsidiary.
After breaching victims' systems and exfiltrating sensitive documents, Clop publishes the stolen data on its dark web leak site and makes it available for download via Torrent. The U.S. Department of State is offering a $10 million reward for any information that could link this cybercrime gang's attacks to a foreign government.
A Gladinet spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today.