**CLOP Targets Gladinet CentreStack Servers in Large-Scale Extortion Campaign**

The Clop ransomware group has launched a new large-scale extortion campaign, targeting Internet-facing Gladinet CentreStack file servers worldwide. Experts from threat intel firm Curated Intelligence have reported the new CLOP extortion campaign, warning that over 200 IPs with the "CentreStack – Login" HTTP title may be at risk from an unknown CVE (n-day or zero-day) exploited by the group.

Gladinet CentreStack is a software platform that allows organizations to turn their existing file servers, NAS devices, or cloud storage into secure, enterprise-grade private cloud storage. It provides a bridge between traditional on-premises file storage and cloud-like access features. The platform's popularity has made it an attractive target for cybercriminals, with the Clop ransomware group exploiting vulnerabilities in CentreStack to steal sensitive data from organizations worldwide.

According to Curated Intelligence, the CLOP extortion campaign is similar to previous data extortion campaigns conducted by the group. The threat actors are known for targeting file transfer servers such as Oracle EBS, Cleo FTP, MOVEit, CrushFTP, SolarWinds Serv-U, PaperCut, and GoAnywhere.

In October, Huntress researchers reported that threat actors were exploiting the Local File Inclusion (LFI) flaw CVE-2025-11371 in Gladinet CentreStack and Triofox. A local user can exploit the issue to access system files without authentication. Both solutions are used to manage corporate files securely while supporting remote work and collaboration.

Experts have warned that the issue has yet to be patched, despite the existence of mitigations. Huntress reported that at least three customers have been targeted so far, with the company recommending a workaround for the actively exploited CVE-2025-11371 flaw. The cybersecurity firm suggests disabling the temp handler in UploadDownloadProxy’s Web.config to block exploitation of the vulnerability, although some platform functionality will be affected.

"Removing the line highlighted above will mitigate the vulnerability present until such time as a patch can be applied," concludes the report.

In early December, Barts Health NHS confirmed that the Clop ransomware group stole data by exploiting the zero-day CVE-2025-61882 in its Oracle E-Business Suite. The cybercrime group added the organization to its dark web data leak site and leaked the stolen information.

The Clop ransomware gang has also been exploiting the critical Oracle EBS zero-day CVE-2025-61882 since early August, stealing sensitive data from numerous organizations worldwide, including Envoy Air, Harvard University, Washington Post, Logitech, University of Pennsylvania, and University of Phoenix. The Clop ransomware group first appeared on the threat landscape around February 2019, emerging from the TA505 cybercrime group, a financially motivated gang active since at least 2014.

Clop (aka Cl0p) is a prolific Russian-speaking ransomware-as-a-service group specializing in big-game hunting and double-extortion. The group's operators and affiliates identify high-value targets, steal sensitive data, encrypt networks, then publish stolen files on data-leak sites to pressure victims into paying.

The Clop ransomware group has conducted major campaigns targeting numerous organizations worldwide, including Shell, British Airways, Bombardier, University of Colorado, PwC, and the BBC. The group's sophisticated evasion and lateral-movement techniques have maximized its impact and monetization.