Clop-Linked Accellion FTA Exploits Drove Global Data Theft and Extortion
Attackers exploited vulnerabilities in the legacy Accellion File Transfer Appliance (FTA) and deployed a file-downloading web shell to steal data from organizations worldwide, triggering breaches at telecom, legal, financial, and other enterprises. Reporting tied the campaign to the Clop ransomware operation, with additional analysis suggesting overlap with FIN11, as victims including Singtel and a global law firm said their incidents stemmed from compromise at the file-sharing provider rather than direct intrusion into their own networks.
The intrusions were followed by aggressive extortion, including public leak threats and, in at least one case, the exposure of bank employee personal data to pressure payment. Subsequent government warnings said cybersecurity agencies had observed active exploitation of Accellion vulnerabilities, reinforcing the incident as part of Clop’s broader pattern of targeting managed file transfer products to conduct large-scale data theft and shaming-based extortion rather than relying solely on encryption.
How this story unfolded
The 9 events below run from the most recent confirmed update back to the earliest known activity.
Law firm attributes its data breach to compromise at file-sharing provider
A global law firm later attributed a data breach to the earlier compromise of its file-sharing provider, reflecting the long tail of victim disclosures from the Accellion incident. The statement showed that organizations continued to trace downstream breaches back to the FTA campaign.
Clop leaks bank employee data in Accellion-linked extortion campaign
Clop escalated pressure on victims by publishing personal data of bank employees as part of its extortion efforts tied to Accellion-related breaches. The leak demonstrated the group's willingness to publicly expose stolen information to force payment.
Cybersecurity agencies issue warning on exploitation of Accellion vulnerabilities
Government cybersecurity agencies published a warning about exploitation of Accellion vulnerabilities, underscoring the broader significance of the campaign and the risks posed by legacy managed file transfer products. The alert placed the Accellion incidents in the context of recurring exploitation activity against file transfer software.
Mandiant assesses FIN11 likely behind Accellion FTA intrusions
Mandiant said Accellion FTA attacks and related extortion activity were likely the work of FIN11, a financially motivated group associated with Clop operations. The assessment refined attribution by linking the exploitation to a specific threat actor cluster.
Researchers link Accellion breach extortion to Clop ransomware gang
Reporting tied the wave of Accellion-related data theft and extortion incidents affecting multiple organizations to the Clop ransomware operation. This marked a major attribution development connecting the campaign to a known cybercriminal group.
Singtel says a third-party Accellion FTA breach exposed customer data
Singapore telecommunications provider Singtel disclosed that a breach of its third-party file-sharing system, Accellion FTA, affected customer information. The incident highlighted that downstream organizations using the platform were suffering data exposure.
Researchers report a file-downloading web shell used in Accellion FTA attacks
GuidePoint Security described a targeted campaign against Accellion FTA in which attackers deployed a web shell used to download files from compromised appliances. The reporting added technical detail on how the intrusions were being carried out.
Accellion identifies additional FTA vulnerabilities and issues more fixes
After the initial disclosure, Accellion found additional vulnerabilities affecting FTA and released further patches in late December 2020 and January 2021. The expanding scope showed attackers were chaining multiple flaws against the appliance.
Accellion discloses FTA zero-day attacks and releases initial patch
Accellion disclosed that its legacy File Transfer Appliance (FTA) was being targeted in zero-day attacks and issued an initial patch for affected customers. The incidents involved exploitation of the end-of-life file transfer product to gain unauthorized access to stored files.
Sources
Cybersecurity Agencies Warn of Accellion Vulnerability Exploits
govinfosecurity.com
CVE-2021-27104 | Tenable®
tenable.com
CVE-2021-27101 | Tenable®
tenable.com
CVE-2021-27103 | Tenable®
tenable.com
Global Accellion data breaches linked to Clop ransomware gang
bleepingcomputer.com
IOTW: End-Of-Life Third Party Software Responsible For Singtel Hack
cshub.com
Accellion customers are getting ransom notices - Risky Business Media
risky.biz
Accellion FTA Targeted by Web Shell | GuidePoint Security
guidepointsecurity.com