active threat profile
type: Cybercrime
threat_level: Critical
status: Active
origin: Russia / Ukraine — TA505-adjacent
last_updated: 2026-03-27

FIN11

also tracked as: TA505 (Proofpoint / CISA), Lace Tempest (Microsoft), Spandex Tempest (Microsoft), DEV-0950 (Microsoft, early), Graceful Spider, GOLD TAHOE (Secureworks), Hive0065 (IBM), Chimborazo

One of the highest-volume financially motivated groups in the eCrime ecosystem, notable for sheer operational scale rather than technical sophistication. Mandiant tracks FIN11 as a subset of TA505 activity with distinct post-compromise TTPs; CISA and FBI treat the two as identical. FIN11 was central to building Clop ransomware's operational infrastructure and pioneered the mass file-transfer-platform zero-day exploitation model now synonymous with the Clop brand. From Accellion FTA to GoAnywhere to MOVEit Transfer (2,773 victims) to Cleo MFT and Oracle E-Business Suite, FIN11 / Clop has executed six major zero-day mass extortion campaigns since 2020, and Clop surpassed LockBit as the volume ransomware leader in Q1 2025.

estimated origin: Russia / former Soviet Union (Mandiant, moderate confidence)
active since: 2014 (TA505); FIN11 tracked separately from 2016
primary motivation: Financial — data theft extortion; ransom demands $100K–$10M+
signature tactic: Zero-day exploitation of enterprise file transfer platforms at mass scale
MOVEit 2023 impact: 2,773 organizations; ~96M individuals; est. $75–100M extortion revenue
Q1 2025 ranking: No. 1 most prolific ransomware group by publicly disclosed victims
FIN11/TA505 attribution: Mandiant: FIN11 = TA505 subset; CISA/FBI: identical; industry: varies
US State Dept reward: $10M for info linking Clop to a foreign government
current ransomware: Clop (Cl0p) — data theft extortion without encryption since ~2023

Overview

FIN11 began as a high-volume phishing-driven eCrime group — notable not for technical elegance but for sheer operational output. Mandiant first tracked them separately from TA505 in 2016 under TEMP.Warlock and UNC902, due to distinct post-compromise TTPs not observed in the broader TA505 cluster. CISA and FBI, along with Proofpoint, treat FIN11 and TA505 as the same entity. Mandiant's nuanced position — that FIN11 is a subset of TA505 activity but not TA505 in its entirety — reflects the operational reality that FIN11 represents a specific subgroup within a larger criminal services ecosystem that includes multiple operators, service providers, and affiliates.

FIN11's monetization strategy has evolved distinctly across three phases. Through 2018, the group operated point-of-sale (POS) malware campaigns against financial, retail, restaurant, and pharmaceutical sectors. From 2019, Clop ransomware was introduced as a final-stage payload in phishing campaigns using the Get2 dropper, SDBbot, and FlawedGrace to deliver double-extortion ransomware. From approximately 2021 — and decisively after 2023 — the group transitioned to a pure data theft extortion model: exploit zero-day vulnerabilities in widely deployed enterprise file transfer platforms, silently exfiltrate large volumes of sensitive data from many organizations simultaneously, then weeks later launch a branded extortion campaign demanding payment in exchange for not publishing the data on the Cl0p^_-LEAKS data leak site. Encryption ransomware was largely abandoned in favor of this higher-volume, lower-complexity model.

The mass file-transfer-platform exploitation model is FIN11's defining innovation. The strategic logic is straightforward: enterprise file transfer platforms (Accellion FTA, GoAnywhere MFT, MOVEit Transfer, Cleo Harmony/VLTrader/LexiCom, Oracle E-Business Suite) store or process sensitive data from many customers, are frequently internet-exposed, and a single zero-day in one platform affects all its users simultaneously. By focusing exploitation on the platform rather than individual target networks, FIN11 can compromise hundreds to thousands of organizations in a single campaign without needing to perform lateral movement in each victim environment. The MOVEit Transfer campaign in May–June 2023 (2,773 organizations affected, roughly 96 million individuals whose data was exposed) illustrates the model's impact when a widely deployed platform falls to a single critical vulnerability.

Mandiant assessed with moderate confidence that FIN11 is based inside the former Soviet Union, based on Russian-language file metadata and keyboard layouts in analyzed samples, and the group's consistent avoidance of targets in former Soviet Union countries. This geographic avoidance — a pattern shared with many Russian-speaking cybercrime groups — is a deliberate operational security choice consistent with unofficial protection under Russian law, which generally does not prosecute cybercrime against foreign entities.

Attribution Note — FIN11 vs TA505

The FIN11 / TA505 attribution question is analytically important and directly affects how defenders should frame threat intelligence. The key positions are:

  • Mandiant position: FIN11 is a subset of TA505 with distinct post-compromise TTPs. FIN11 does not include all TA505 activity, and Mandiant explicitly cautions against using the names interchangeably. FIN11 was carved out from TA505 specifically because certain post-compromise behaviors — particularly the shift to ransomware and extortion — were distinct and consistent enough to warrant a separate tracking cluster. Mandiant has also merged multiple tracked clusters (UNC2546, UNC2582, UNC4857, UNC5936) into FIN11 as evidence accumulated.
  • CISA / FBI position: Clop and TA505 are identical. The joint advisory AA23-158A uses TA505 and Clop interchangeably and does not maintain the FIN11 / TA505 distinction. This represents a pragmatic operational attribution rather than an analytical one.
  • Proofpoint position: TA505 is the full threat cluster designation; Proofpoint does not use the FIN11 designation.
  • Microsoft position: Tracks the operator as Lace Tempest (more recently Spandex Tempest), explicitly attributed as an affiliate of the Clop RaaS operation. Microsoft confirmed Lace Tempest was responsible for the MOVEit exploitation.
  • Practical implication for defenders: CISA advisories, FBI alerts, and CISA KEV entries will use TA505 or Cl0p as the attribution. Mandiant incident response reporting will use FIN11 or UNC cluster designations. When cross-referencing across sources, treat all of FIN11, TA505, Lace Tempest, Spandex Tempest, DEV-0950, Graceful Spider, and the Cl0p brand as overlapping references to the same core operator cluster, with the understanding that Cl0p as a ransomware brand may be used by additional affiliates beyond the core FIN11 group.

Campaign Timeline — Zero-Day MFT Exploitation Series

Six documented mass exploitation campaigns since late 2020, each following the same model: identify zero-day in a widely deployed enterprise platform, exploit at scale, silently exfiltrate data, then launch branded extortion weeks later.

Dec 2020–Feb 2021
Accellion File Transfer Appliance (FTA)
FIN11 exploited four zero-day vulnerabilities in the Accellion legacy FTA platform, deploying the DEWMODE web shell to exfiltrate sensitive data from approximately 100 organizations. Victims included law firms, financial institutions, retailers, and government agencies. The DEWMODE web shell enabled FTP-level access to staged exfiltrated content. This campaign established the mass file-transfer exploitation model that FIN11 would refine in all subsequent campaigns.
CVEs: CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104 | scale: ~100 organizations
Jan–Mar 2023
Fortra GoAnywhere MFT
In late January 2023, Clop exploited a zero-day remote code execution vulnerability in Fortra's GoAnywhere MFT platform. The group claimed data theft from approximately 130 victims over a 10-day exploitation window. Lateral movement beyond the GoAnywhere platform itself was not identified, consistent with the model of staying within the file transfer system's data scope rather than pivoting further into victim networks. Extortion demands were sent weeks after the exploitation window closed, consistent with the delayed extortion pattern documented in all Clop campaigns.
CVE: CVE-2023-0669 | scale: ~130 organizations
May–Jun 2023
Progress MOVEit Transfer — Largest Campaign
Exploitation began May 27, 2023; in some cases data was exfiltrated within minutes of web shell deployment. Progress Software disclosed the vulnerability on May 31. FIN11 deployed the LEMURLOOT web shell (filenames masquerading as human.aspx, a legitimate MOVEit component) to steal data from underlying databases. Mandiant initially tracked the activity as UNC4857 and merged it into FIN11 on June 6, 2023. The CL0P^_-LEAKS data leak site posted responsibility on June 6 and began naming victims who refused to pay. The campaign affected 2,773 organizations worldwide, the largest single cybercrime operation by victim count in the period. Victims included US federal agencies (USDA, Department of Energy), British Airways, the BBC, Zellis payroll, Shell, Siemens Energy, and hundreds of universities, financial institutions, and healthcare providers. Estimated extortion revenue: $75–100 million. Clop stated it deleted data stolen from governments, military organizations, and children's hospitals, a claim not independently verified.
CVE: CVE-2023-34362 (CVSS 9.8) | scale: 2,773 organizations / ~96M individuals
Nov–Dec 2024
Cleo MFT — Harmony, VLTrader, LexiCom
In October 2024, a file upload/download vulnerability (CVE-2024-50623) was patched in Cleo's managed file transfer products. In December 2024, the patch was found insufficient, and a new zero-day (CVE-2024-55956) was exploited by Clop. The cluster tracked as UNC5936 — a suspected FIN11 affiliate — deployed GOLDVEIN (a PowerShell downloader) and GOLDTOMB (a backdoor) in victim environments. Over 380 confirmed victims by initial reporting; the group claimed over 400 victims in the first quarter of 2025, as victim naming continued into early 2025. Clop surpassed LockBit as the leading ransomware group by disclosed victim count in Q4 2024.
CVEs: CVE-2024-50623, CVE-2024-55956 | scale: 400+ organizations
Aug–Oct 2025
Oracle E-Business Suite — Sixth Major Campaign
Suspicious activity targeting the UiServlet component of Oracle E-Business Suite was detected as early as July 10, 2025. Exploitation using CVE-2025-61882 (CVSS 9.8) — a pre-authentication remote code execution vulnerability in Oracle EBS's Concurrent Processing module / BI Publisher Integration — began August 9, 2025. A second zero-day (CVE-2025-61884) in Oracle Configurator's Runtime UI was also exploited. Oracle initially linked the campaign to already-patched vulnerabilities before acknowledging the new zero-days. On September 29, 2025, Clop launched a high-volume extortion email campaign to executives at hundreds of organizations, sent via compromised third-party email accounts. Mandiant confirmed two of the compromised sender accounts had been used in prior FIN11 campaigns. GOLDVEIN.JAVA (a Java variant of the Cleo campaign tool) and a new SAGEGIFT/SAGELEAF implant framework were used. Confirmed victims include the Washington Post, Envoy Air (American Airlines subsidiary), GlobalLogic (Hitachi), Harvard University, and University of Phoenix (3.5 million individuals notified). Oracle issued emergency patches in early October 2025. By November 2025, 103+ organizations were listed on Clop's leak site across healthcare, manufacturing, finance, automotive, logistics, retail, education, and energy sectors.
CVEs: CVE-2025-61882 (CVSS 9.8), CVE-2025-61884 (CVSS 7.5) | scale: 103+ named; scope ongoing

Tactics, Techniques & Procedures

FIN11 / TA505 TTPs as documented by Mandiant, Microsoft (Lace Tempest attribution), CISA AA23-158A, HC3 FIN11 Threat Profile, and the CISA/FBI/NSA joint advisories.

technique (mitre id): description

  • Zero-Day Exploitation of Public-Facing MFT / ERP Systems (T1190): FIN11's defining post-2020 initial access technique. The group identifies and exploits zero-day vulnerabilities in widely deployed enterprise file transfer and ERP platforms — Accellion FTA, GoAnywhere MFT, MOVEit Transfer, Cleo Harmony/VLTrader/LexiCom, and Oracle EBS — before patches are available. SQL injection (MOVEit), unrestricted file upload (Cleo), and pre-authentication RCE via SSRF/CRLF chaining (Oracle EBS) have all been documented as exploitation mechanisms. Exploitation typically begins weeks before public disclosure, with FIN11 deliberately extending the exploitation window to increase the number of victims and maximize extortion leverage.
  • Web Shell Deployment — LEMURLOOT, DEWMODE (T1505.003): Following successful exploitation, FIN11 deploys web shells for persistent data access and exfiltration capability. LEMURLOOT was the web shell deployed in the MOVEit campaign, with filenames (human.aspx) deliberately chosen to impersonate legitimate MOVEit Transfer components. DEWMODE was deployed in the Accellion FTA campaign. GOLDVEIN (PowerShell) and GOLDTOMB (backdoor) were deployed in the Cleo MFT campaign by UNC5936. The Oracle EBS campaign used GOLDVEIN.JAVA, SAGEGIFT, SAGELEAF, and SAGEWAVE — a Java-based implant framework targeting Oracle WebLogic servers. Web shells and backdoors are used to automate data collection from the file transfer platform's database rather than to pivot into victim networks.
  • Rapid Mass Data Exfiltration (T1537 / T1041): Following web shell deployment, FIN11 conducts automated data exfiltration from the compromised file transfer platform's underlying database. In some MOVEit instances, data theft occurred within minutes of LEMURLOOT deployment. The group typically does not perform lateral movement into victim internal networks — it stays within the file transfer platform's data scope, which already contains sensitive data from the platform's users. This lateral-movement-free approach is efficient at scale: hundreds of organizations can be processed through the same exploitation and exfiltration pipeline without requiring individual network access for each victim.
  • Delayed Extortion — Data Leak Site (Cl0p^_-LEAKS) (T1657 / T1486): FIN11 deliberately delays initiating extortion contact with victims by several weeks after exploitation. Mandiant assessed this delay serves to extend the exploitation window — keeping the zero-day undetected — and to enable the group to negotiate with a large volume of victims simultaneously rather than sequentially. In the GoAnywhere campaign, extortion notes were sent to executives. In MOVEit, Clop required victims to initiate contact via the Cl0p^_-LEAKS data leak site. In Oracle EBS, high-volume extortion emails were sent from hundreds of compromised third-party accounts (not a single mail server) to executives across all victim organizations on a single day. Organizations that pay receive assurances their data will not be published; non-paying organizations are named on the DLS and data is released or sold.
  • High-Volume Phishing, Historic / Pre-2020 (T1566.001): FIN11's pre-2020 operational model relied on high-volume malspam campaigns distributing the Get2 dropper, which loaded SDBbot for reconnaissance and FlawedGrace or FlawedAmmyy for persistent access, ultimately delivering Clop ransomware or POS malware as final payloads. At peak volume, campaigns sent thousands to tens of thousands of messages. Malware families associated with this phase: Dridex, Locky, TrickBot, ServHelper, MirrorBlast, SDBbot, FlawedAmmyy, FlawedGrace. Most of these phishing-era TTPs have been retired — the post-2020 zero-day model replaced mass phishing as the primary initial access vector.
  • Valid Accounts and Signed Binary Abuse (T1078 / T1553.002): The original Clop ransomware payload used verified and digitally signed binaries — signed with legitimate code signing certificates — to masquerade as trusted software and bypass system defenses. This allowed Clop to evade signature-based antivirus detection at deployment. The use of legitimate code signing certificates for malicious payloads is a documented FIN11 / TA505 TTP across both the early phishing campaigns and ransomware deployment phases.
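The web shell TTP above turns on one detectable fact: a file in the product's web root that was not there, or did not have that content, at install time. The following is an added example (not from this profile's sources or from any vendor) of a baseline-and-diff check for an MFT web root. The directory, file names and contents in demo() are constructed for the demo; the real baseline is built from a clean install of the product.

```python
import hashlib
import tempfile
from pathlib import Path

# Server-side script types a web shell dropped into an MFT/ERP web root would use
SCRIPT_EXTS = {".aspx", ".ashx", ".asmx", ".php", ".jsp"}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(web_root: Path) -> dict:
    """Map relative path -> SHA-256 for every script file under a known-good web root."""
    return {
        p.relative_to(web_root).as_posix(): sha256_file(p)
        for p in web_root.rglob("*")
        if p.is_file() and p.suffix.lower() in SCRIPT_EXTS
    }


def check_web_root(web_root: Path, baseline: dict) -> list:
    """Return (severity, finding, relative path) tuples for deviations from the baseline."""
    current = build_baseline(web_root)
    findings = []
    for rel, digest in current.items():
        if rel not in baseline:
            findings.append(("critical", "new script file in web root", rel))
        elif baseline[rel] != digest:
            # A known component whose content changed: the human.aspx impersonation case
            findings.append(("critical", "known component modified", rel))
    for rel in baseline:
        if rel not in current:
            findings.append(("high", "baseline script file missing", rel))
    return sorted(findings)


def demo() -> list:
    """Constructed scenario: a MOVEit-style web root baselined from a clean install,
    then human.aspx is overwritten and an extra handler appears (simulated tampering,
    not real LEMURLOOT content)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "human.aspx").write_text("<%-- legitimate component --%>")
        (root / "guestaccess.aspx").write_text("<%-- legitimate component --%>")
        (root / "logo.png").write_bytes(b"\x89PNG")  # not a script: ignored
        baseline = build_baseline(root)

        (root / "human.aspx").write_text("<%-- replaced content --%>")
        (root / "upload2.ashx").write_text("<%-- unexpected new handler --%>")
        return check_web_root(root, baseline)


if __name__ == "__main__":
    for severity, what, rel in demo():
        print(f"[{severity.upper()}] {what}: {rel}")
```

Run the check from a scheduled job that stores the baseline off the monitored host, so a modified web root cannot also rewrite its own reference hashes.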

Indicators of Compromise

post-exploitation detection note

FIN11's zero-day exploitation campaigns are typically active for weeks before public disclosure — during which no CVE exists and no signature-based detection is possible. Defenders should prioritize behavioral detection of web shell activity on file transfer platforms, unexpected database queries originating from web application processes, and anomalous outbound data transfers from file transfer servers. CISA AA23-158A contains the most complete current MOVEit LEMURLOOT IOC set. The Oracle EBS advisory (Oct 2025) and Mandiant's GTIG report contain GOLDVEIN.JAVA / SAGEGIFT / SAGELEAF IOCs. Full indicator lists including YARA rules are in the referenced advisories.
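An added example, not part of the original profile, of the behavioral detection this note calls for, written over a constructed and deliberately simplified access-log format (timestamp, client IP, method, URI, status, bytes sent; not real IIS or MOVEit output). Rule 1 flags script endpoints outside a known set; rule 2 flags a single client pulling bulk data from script handlers within minutes, which fires even when the handler name looks legitimate. The known-script set, window and threshold are assumptions to tune per deployment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, simplified access-log lines (not real IIS/MOVEit output):
# "<ISO timestamp> <client ip> <method> <uri> <status> <bytes sent>"
SAMPLE_LOG = """\
2023-05-27T01:58:10 10.0.0.5 GET /human.aspx 200 4210
2023-05-27T02:02:41 203.0.113.9 POST /guestaccess.aspx 200 3180
2023-05-27T02:02:43 203.0.113.9 POST /human.aspx 200 512
2023-05-27T02:03:05 203.0.113.9 POST /human.aspx 200 73400320
2023-05-27T02:04:12 203.0.113.9 POST /human.aspx 200 52428800
2023-05-27T02:30:00 10.0.0.7 GET /upload2.ashx 200 1800
"""

# Assumed allow-list of the product's own script endpoints (illustrative, not the
# full MOVEit file set); build the real one from a clean install.
KNOWN_SCRIPTS = {"/human.aspx", "/guestaccess.aspx", "/machine.aspx"}
SCRIPT_EXTS = (".aspx", ".ashx", ".php", ".jsp")
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3}) (\d+)$")


def parse_log(text: str) -> list:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate blank/malformed lines instead of aborting the scan
        ts, ip, method, uri, status, nbytes = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip, "method": method,
                       "uri": uri, "status": int(status), "bytes": int(nbytes)})
    return events


def unknown_script_requests(events: list, known=KNOWN_SCRIPTS) -> list:
    """Rule 1: any server-side script requested that is not a known product component."""
    return sorted({e["uri"] for e in events
                   if e["uri"].lower().endswith(SCRIPT_EXTS) and e["uri"] not in known})


def bulk_response_bursts(events: list, window=timedelta(minutes=10),
                         threshold=100 * 1024 * 1024) -> list:
    """Rule 2: one client pulling more than `threshold` bytes from script handlers
    inside `window`: the shape of data theft 'within minutes' of web shell use."""
    recent = defaultdict(deque)   # ip -> (ts, bytes, uri) entries still inside the window
    totals = defaultdict(int)
    alerts, flagged = [], set()
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["status"] != 200 or not e["uri"].lower().endswith(SCRIPT_EXTS):
            continue
        q = recent[e["ip"]]
        q.append((e["ts"], e["bytes"], e["uri"]))
        totals[e["ip"]] += e["bytes"]
        while q and e["ts"] - q[0][0] > window:      # slide the window forward
            totals[e["ip"]] -= q.popleft()[1]
        if totals[e["ip"]] > threshold and e["ip"] not in flagged:
            flagged.add(e["ip"])                      # one alert per client per scan
            alerts.append({"ip": e["ip"], "at": e["ts"].isoformat(),
                           "bytes_in_window": totals[e["ip"]],
                           "uris": sorted({u for _, _, u in q})})
    return alerts
```

On the constructed sample, rule 1 reports /upload2.ashx and rule 2 reports 203.0.113.9 pulling roughly 120 MB through /guestaccess.aspx and /human.aspx inside two minutes.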

indicators of compromise — key technical identifiers by campaign

moveit webshell name: human.aspx — LEMURLOOT web shell impersonating legitimate MOVEit Transfer component
moveit webshell path: C:\MOVEitTransfer\wwwroot\human.aspx (or guestaccess.aspx references preceding LEMURLOOT interaction)
accellion webshell: DEWMODE — deployed on Accellion FTA servers; provides FTP-level access to staged exfiltrated data
cleo malware (powershell): GOLDVEIN — PowerShell downloader; first observed Dec 2024 Cleo campaign; UNC5936 cluster
cleo malware (backdoor): GOLDTOMB — backdoor deployed by GOLDVEIN; UNC5936 cluster
oracle ebs malware: GOLDVEIN.JAVA — Java variant of GOLDVEIN; SAGEGIFT (Java reflective class loader for WebLogic); SAGELEAF (in-memory dropper); SAGEWAVE (Java servlet filter)
oracle ebs exploit target: UiServlet component; TemplatePreviewPG endpoint; XDO_TEMPLATES_B and XDO_LOBS database tables; applmgr EBS account misuse
oracle ebs exploit ip: 200.107.207[.]26 — observed in initial suspicious HTTP requests to UiServlet (Jul 2025, Oracle advisory)
extortion contact pattern: Cl0p^_-LEAKS data leak site (Tor); extortion emails sent from hundreds of compromised legitimate third-party accounts (Oracle EBS campaign pattern); upper-level executive recipients
full ioc references: CISA AA23-158A (MOVEit / TA505); Mandiant GTIG Oracle EBS report (Oct 2025); CISA/FBI Cleo advisory (Dec 2024); CISA AA23-158A LEMURLOOT YARA rules

Mitigation & Defense

  • Patch Enterprise File Transfer and ERP Platforms as Zero-Day Priority: FIN11's entire post-2020 model depends on exploiting internet-facing file transfer and ERP platforms before patches are available. Maintain aggressive patch management for all products that have appeared in prior FIN11 campaigns: Accellion FTA (EOL — replace), GoAnywhere MFT, MOVEit Transfer, Cleo Harmony/VLTrader/LexiCom, and Oracle E-Business Suite. Implement CISA's Known Exploited Vulnerabilities (KEV) catalog as a mandatory patch SLA baseline — Clop-exploited vulnerabilities are added to KEV immediately upon public disclosure.
  • Restrict Internet Exposure of File Transfer Platforms: All documented FIN11 mass campaigns exploited internet-facing instances of file transfer platforms. Placing MFT platforms behind VPNs, limiting access to known IP ranges, and removing direct internet exposure significantly reduces attack surface. Where internet exposure is required by business function, implement web application firewalls (WAF) with virtual patching capability to provide protection before vendor patches are available.
  • Web Shell Detection on File Transfer Servers: LEMURLOOT, DEWMODE, and related web shells are deployed on the web-accessible directory of the file transfer platform. Implement file integrity monitoring specifically for the web root directory of any MFT or ERP platform — unexpected ASPX, PHP, or JSP files in the web root should generate an immediate critical alert. For Oracle EBS specifically, monitor XDO_TEMPLATES_B and XDO_LOBS tables for unexpected template insertion and TemplatePreviewPG endpoint access with unusual parameters.
  • Database Query Anomaly Detection on MFT Platforms: FIN11 uses LEMURLOOT and similar web shells to query and export underlying MFT database contents rather than pivoting into the internal network. Monitor for unexpected SQL query execution originating from web application processes, particularly queries accessing file storage tables, user data tables, or bulk data export operations. Alert on database connections from IIS worker processes or Java application servers that are not part of the normal application flow.
  • Executive Extortion Email Preparedness: FIN11's extortion phase targets company executives with emails claiming data theft. Establish a documented incident response procedure for executive receipt of Clop extortion emails — including retaining the email for forensic analysis, immediately alerting the security team, and engaging legal counsel before any response to the extortion demand. Confirm whether the organization uses the listed platform before assuming breach. In the Oracle EBS campaign, extortion emails were sent from compromised legitimate accounts — meaning sender reputation alone is not a reliable filter.
  • Check CISA KEV for All Critical Business Platforms: Clop campaigns have exploited vulnerabilities that were added to the CISA KEV catalog as critical exploited vulnerabilities. Federal agencies are legally required to patch KEV entries within specified timeframes; private sector organizations should treat KEV as an emergency patch trigger regardless of their CVSS score assessments. The CVEs exploited by Clop consistently score 9.8 (CVSS critical) and are internet-exploitable without authentication.
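The first and last mitigations above both reduce to one recurring check: is any asset still exposed to a CVE that CISA has listed in KEV? An added example (not from this profile or from CISA) that cross-references an asset inventory against an excerpt in the shape of the KEV JSON feed; the inventory, the report date and the KEV dates are illustrative values, and the placeholder CVE ID is deliberately not a real one.

```python
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed. Field names are the
# feed's; the CVE IDs are from this profile, the dates are illustrative values
# (verify against the live catalog before relying on them).
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2023-34362", "vendorProject": "Progress", "product": "MOVEit Transfer",
     "dateAdded": "2023-06-02", "dueDate": "2023-06-23", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2024-55956", "vendorProject": "Cleo", "product": "Multiple Products",
     "dateAdded": "2024-12-17", "dueDate": "2025-01-07", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2025-61882", "vendorProject": "Oracle", "product": "E-Business Suite",
     "dateAdded": "2025-10-06", "dueDate": "2025-10-27", "knownRansomwareCampaignUse": "Known"},
]})

# Constructed asset inventory: name plus the CVEs a vulnerability scanner still reports open.
INVENTORY = [
    {"name": "mft-01", "unpatched_cves": ["CVE-2023-34362"]},
    {"name": "ebs-prod", "unpatched_cves": ["CVE-2025-61882", "CVE-2025-61884"]},
    {"name": "web-05", "unpatched_cves": ["CVE-0000-PLACEHOLDER"]},  # placeholder, not in KEV
]
REPORT_DATE = date(2025, 11, 1)  # constructed "today" for the demo


def kev_exposures(kev_json: str, inventory: list, today: date) -> list:
    """Cross-reference each asset's open CVEs against KEV. Every match is an
    emergency-patch item regardless of CVSS; entries flagged for known ransomware
    use sort first, then by how far past the CISA due date they are."""
    kev = {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}
    findings = []
    for asset in inventory:
        for cve in asset["unpatched_cves"]:
            entry = kev.get(cve)
            if entry is None:
                continue  # not (yet) in KEV: ordinary risk-based prioritisation applies
            findings.append({
                "asset": asset["name"],
                "cve": cve,
                "product": f'{entry["vendorProject"]} {entry["product"]}',
                "days_past_due": (today - date.fromisoformat(entry["dueDate"])).days,
                "ransomware_use": entry["knownRansomwareCampaignUse"] == "Known",
            })
    return sorted(findings, key=lambda f: (not f["ransomware_use"], -f["days_past_due"]))


def demo() -> list:
    return kev_exposures(KEV_JSON, INVENTORY, REPORT_DATE)


if __name__ == "__main__":
    for f in demo():
        print(f'{f["asset"]:10} {f["cve"]:16} {f["product"]:28} '
              f'{f["days_past_due"]:5d} days past KEV due date')
```

A CVE that is not in KEV at scan time can enter it the next day, so the job belongs on a daily schedule against the downloaded feed rather than being run once at disclosure.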

analyst note

FIN11 / Clop represents a fundamental shift in how large-scale cybercrime monetization works. The traditional ransomware model — compromise a single organization, encrypt its systems, demand decryption payment — was optimized for victim-by-victim negotiation and required lateral movement in each target environment. FIN11's mass file-transfer exploitation model eliminates both constraints: find one zero-day in one widely deployed platform, extract data from all users of that platform simultaneously, then run parallel extortion negotiations with hundreds of organizations at once. The MOVEit campaign's 2,773 victims and estimated $75–100 million in extortion revenue demonstrate the economic efficiency of this model at scale. The progression from Accellion to GoAnywhere to MOVEit to Cleo to Oracle EBS shows a deliberate research program identifying enterprise platforms with high customer counts and internet-exposed architectures, not opportunistic targeting. The six-campaign timeline spanning five years with no substantive law enforcement disruption also reflects the operational security advantages of Russia-based criminal operations: the absence of cooperative extradition, and the tacit law enforcement protection inferred from the group's consistent avoidance of CIS-country targets. The US State Department's $10 million reward for information linking Clop to a foreign government acknowledges but has not resolved the question of Russian state tolerance or support for the group's operations.

— end of profile