TA505
TA505 is a financially motivated cybercrime threat actor active since at least 2014. Reporting links TA505 with aliases and related tracking names including Cl0p/Clop, FIN11, Hive0065, Lace Tempest, DEV-0950, Graceful Spider, Gold Tahoe, Monty Spider, Spandex Tempest, and Chimborazo, and states that FIN11 is part of the larger TA505 group. The actor has historically conducted malicious spam and spear-phishing campaigns and has delivered malware including Dridex, TrickBot, Locky, Clop/Cryptomix, MINEBRIDGE, FlawedGrace, and SDBbot.

IBM X-Force linked Hive0065/TA505 to enterprise intrusions that used phishing emails impersonating Onehub and HR representatives, malicious Word documents with VBA macros, spoofed cloud-storage infrastructure, custom DLL droppers containing Cobalt Strike-like code, Meterpreter components, and SDBbot as a second-stage RAT. SDBbot is described as supporting remote command execution, video recording, data exfiltration, and delivery of additional payloads.

Reporting states that TA505 has carried out targeted attacks across North America, Asia, Africa, and South America. Reported targets over time include the finance, retail, and restaurant industries, and some COVID-19-themed campaigns targeted healthcare organizations. More recent reporting ties the actor's Clop-branded operations to mass data-theft and extortion campaigns against organizations using managed file transfer products.

Tradecraft directly cited in reporting includes: cmd.exe and JavaScript for execution; PowerShell to download and execute malware and reconnaissance scripts; password-protected malicious Word documents; credential theft from Internet Explorer, FTP clients, and Outlook; malware that disables Windows Defender; and use of tools including AdFind, BloodHound, Mimikatz, PowerSploit, and PingCastle.

In observed intrusions, operators escalated privileges, compromised domain admin accounts, moved laterally, established persistence via registry Run keys and scheduled task abuse, and used spoofed domains and cloud-hosted malware delivery. Reporting repeatedly associates TA505/Clop with ransomware and extortion operations. Clop is described as a ransomware operation whose favored malware emerged in 2019 and which began operations in March 2019 using a CryptoMix variant.

Reporting states that since 2020 Clop has specialized in exploiting previously unknown vulnerabilities in secure file transfer platforms for large-scale data theft and delayed extortion, often emphasizing pure extortion over encryption. Reporting specifically links Clop/TA505 to exploitation of Accellion FTA in 2020, SolarWinds Serv-U (CVE-2021-35211) in 2021, GoAnywhere MFT in 2023, MOVEit Transfer (CVE-2023-34362) in 2023, Oracle EBS-related activity in 2025, and the Cleo Harmony/VLTrader/LexiCom vulnerabilities CVE-2024-50623 and CVE-2024-55956. In these campaigns the actor used webshells or backdoors to enumerate and steal files, extracted credentials or Azure Blob storage secrets, and extorted victims via the Clop leak site.

Clop has used both double-extortion and extortion-only models; Cisco Talos states that Clop primarily focused on extortion through data theft rather than encryption and was one of the few ransomware actors exploiting zero-day vulnerabilities. Additional reporting describes use of Cobalt Strike launched via PowerShell, abuse of the RegIdleBackup scheduled task to load the FlawedGrace RAT, and broad opportunistic exploitation of exposed MOVEit systems affecting hundreds of organizations.
Tradecraft
57 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
43 malware families attributed to this actor across reporting.
Associated vulnerabilities
12 CVEs this actor has used in observed campaigns. 12 of them exploited in the wild.
The patch arrived just one week after Oracle released an emergency fix for CVE-2025-61882, a critical remote code execution flaw that the Cl0p ransomware gang exploited as a zero-day in a mass data theft campaign beginning in August.
On May 31st, Progress Software issued an advisory and patch for a vulnerability subsequently identified as CVE-2023-34362 and assigned a severity rating of 9.8 out of 10. The company stated the vulnerability “could lead to escalated privileges and potential unauthorized access to the environment.” In other words, it was a vulnerability which could enable hackers to access MOVEit and steal data – something which it later emerged had been happening since at least May 27th.
In late January 2023, the CL0P ransomware group launched a campaign using a zero-day vulnerability, now catalogued as CVE-2023-0669, to target the GoAnywhere MFT platform.
In October, Cleo disclosed a vulnerability tracked as CVE-2024-50623 that allowed unrestricted file uploads and downloads, leading to remote code execution... CISA confirmed that the critical CVE-2024-50623 security vulnerability in Cleo Harmony, VLTrader, and LexiCom file transfer software has been exploited in ransomware attacks.
The new vulnerability used in the December attacks is now tracked as CVE-2024-55956 and is fixed in Cleo Harmony, VLTrader, and LexiCom 5.8.0.24. While exploiting this vulnerability, the threat actors uploaded a JAVA backdoor dubbed 'Malichus'... Clop confirmed they are behind the recent exploitation of the Cleo CVE-2024-55956 vulnerability.
Observables
293 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Conducted a ransomware intrusion against South Staffordshire Water, gaining initial access via a phishing email, establishing persistence with Get2Loader and SDBBOT, remaining undetected for nearly two years, exfiltrating 4.1 TB of data, and publishing stolen customer and employee data on its Tor leak site.
Referenced in connection with attacks exploiting Oracle E-Business Suite vulnerabilities affecting healthcare-related third parties.
Named threat actor referenced in global threat reporting.