Snakefly
Snakefly is a cybercrime threat actor that runs the Cl0p ransomware and extortion operation; it is also tracked as TA505 and FIN11. Reporting describes the group as a major driver of the shift toward encryptionless extortion: it increasingly relies on large-scale data theft and leak threats rather than file encryption, although Cl0p previously used its own ransomware payload, Ransom.Clop, to encrypt victim files.

The group is directly linked to repeated exploitation of zero-day vulnerabilities in widely used enterprise software to exfiltrate data at scale and extort victims. Reported activity includes exploitation of the MOVEit Transfer zero-day CVE-2023-34362, use of the Lemurloot web shell (also detected as JS.Malscript!g1) to steal data from the underlying databases, and threats to leak stolen data unless victims paid. Cl0p/Snakefly was also linked in 2021 to exploitation of multiple Accellion FTA vulnerabilities, was responsible for exploiting the GoAnywhere MFT zero-day CVE-2023-0669 in 2023, and was linked to extortion attacks against Oracle E-Business Suite users involving CVE-2025-61882, a critical unauthenticated remote code execution vulnerability.

Taken together, this record characterizes Snakefly/Cl0p as a pioneer of zero-day exploit campaigns against enterprise software, running data-theft operations that can affect hundreds of organizations through a single software flaw. Where managed file transfer or other enterprise platforms are broadly deployed, that pattern creates supply-chain risk: one vulnerable product becomes the entry point into many customer environments. No nation-state attribution is stated in the available reporting.
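The MOVEit campaign above followed a pattern worth hunting for on any file-transfer host: a web shell dropped into the application's web root, then used to pull data out of the backing database. The following Python is an added example (not code from this page, from Mallory, or from any vendor advisory) of a cheap post-compromise check over IIS W3C logs: flag requests to server-side script paths (.aspx/.ashx/.asmx) that are absent from a baseline of the product's known endpoints, aggregate them per client, and raise severity when the bytes returned look like bulk data leaving the box. The endpoint names, IP addresses, paths and log lines are all constructed for the demo; `KNOWN_ENDPOINTS` and the size threshold are assumptions you would replace with an inventory taken from a clean install of your own product.

```python
"""Hunt IIS W3C logs for unknown server-side script paths on an MFT web server.

Added example, not from the page or any vendor. All endpoint names, IPs and
log lines below are constructed for the demo, not indicators from an advisory.
"""
from __future__ import annotations

from dataclasses import dataclass

SCRIPT_EXTS = (".aspx", ".ashx", ".asmx")

# Assumed baseline of legitimate script endpoints for a fictional MFT product.
# In practice, build this from a clean install (e.g. hash every file under the
# web root) and regenerate it after every vendor patch.
KNOWN_ENDPOINTS = {
    "/app/login.aspx",
    "/app/transfer.aspx",
    "/api/upload.ashx",
}

# Constructed sample log. The last client hits a script path that is not part
# of the product and receives a ~1.4 MB response: the shape of a web shell
# being used to dump records from the application database.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status sc-bytes
2023-05-28 02:10:11 POST /app/login.aspx - 203.0.113.5 200 1843
2023-05-28 02:10:40 GET /app/transfer.aspx - 203.0.113.5 200 9210
2023-05-28 02:11:02 POST /app/sync.aspx - 198.51.100.7 200 512
2023-05-28 02:11:05 POST /app/sync.aspx - 198.51.100.7 200 1400000
2023-05-28 02:11:09 GET /api/upload.ashx id=1 198.51.100.7 200 100
2023-05-28 02:12:00 GET /static/logo.png - 203.0.113.5 200 4000
"""


@dataclass
class Alert:
    client_ip: str
    path: str
    hits: int
    bytes_out: int
    severity: str


def parse_w3c(lines):
    """Yield one dict per IIS W3C log row, using the #Fields header for column names."""
    fields = None
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed row: skip it rather than misalign columns
        yield dict(zip(fields, values))


def hunt_webshells(lines, known=KNOWN_ENDPOINTS, big_response=1_000_000):
    """Return Alerts for script paths outside the baseline, aggregated per (client, path).

    Severity is 'high' when the total bytes returned to that client from the
    unknown path reach big_response, since bulk output is the exfiltration tell.
    """
    agg: dict[tuple[str, str], tuple[int, int]] = {}
    for row in parse_w3c(lines):
        path = row["cs-uri-stem"].lower()
        if not path.endswith(SCRIPT_EXTS) or path in known:
            continue
        key = (row["c-ip"], path)
        hits, out = agg.get(key, (0, 0))
        agg[key] = (hits + 1, out + int(row.get("sc-bytes", "0")))
    alerts = []
    for (ip, path), (hits, out) in sorted(agg.items()):
        severity = "high" if out >= big_response else "medium"
        alerts.append(Alert(ip, path, hits, out, severity))
    return alerts


if __name__ == "__main__":
    for alert in hunt_webshells(SAMPLE_LOG.splitlines()):
        print(alert)
```

This is a hunt, not a preventive control: by the time an unknown .aspx shows up in the logs the zero-day has already been used. Its value is that it needs no signature for the specific shell, so it still fires on a renamed or re-tooled payload, and it can be run retroactively over archived logs once a campaign like MOVEit becomes public. Pair it with file-integrity monitoring of the web root so the baseline comparison happens at write time as well as at request time.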
Tradecraft
12 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
2 malware families attributed to this actor across reporting: Ransom.Clop, the group's own encryption payload, and the Lemurloot web shell (detected as JS.Malscript!g1), used to steal data from MOVEit Transfer databases.
Associated vulnerabilities
3 CVEs this actor has used in observed campaigns, all three exploited in the wild as zero-days: CVE-2023-0669 (GoAnywhere MFT), CVE-2023-34362 (MOVEit Transfer) and CVE-2025-61882 (Oracle E-Business Suite).
Earlier this year it was responsible for exploiting a zero-day vulnerability (CVE-2023-0669) in the GoAnywhere MFT platform.
The original vulnerability (CVE-2023-34362) was patched on May 31... Prior to its patching, attackers linked to the Clop ransomware operation were already exploiting CVE-2023-34362 as a zero-day vulnerability. Proof-of-concept code for the exploit is now publicly available...
"Its most recent campaign came to light in October 2025, when it was linked to extortion attacks that targeted users of Oracle E-Business Suite (EBS). Snakefly exploited a critical zero-day vulnerability (CVE-2025-61882) in EBS that allowed unauthenticated attackers to remotely execute code on vulnerable systems."
Recent activity
3 sources tracked across advisories, community write-ups, and news.
Operator behind Cl0p-associated activity highlighted for scaling encryptionless extortion by exploiting vulnerabilities in widely used enterprise software to steal data at scale and threaten publication.
Cybercrime group operating the Clop extortion/ransomware operation, with a track record of exploiting zero-day vulnerabilities in managed file-transfer products for large-scale data theft and extortion.
Pioneering “encryptionless extortion” by using zero-day exploit campaigns against enterprise software to exfiltrate data at scale and extort victims via threatened leaks; linked to attacks on Oracle E-Business Suite via a critical zero-day.