Clop ransomware targets Gladinet CentreStack in data theft attacks
The Clop ransomware gang is running a data theft extortion campaign against Internet-exposed Gladinet CentreStack file servers. CentreStack is used for secure enterprise file sharing. Since April, Gladinet has released security updates to fix vulnerabilities. It is currently unknown whether Clop is exploiting a zero-day or a known vulnerability. More than 200 IPs may be affected.

2025-12-18 20:30:17 Author: www.bleepingcomputer.com

The Clop ransomware gang (also known as Cl0p) is targeting Internet-exposed Gladinet CentreStack file servers in a new data theft extortion campaign.

Gladinet CentreStack enables businesses to securely share files hosted on on-premises file servers through web browsers, mobile apps, and mapped drives without requiring a VPN. According to Gladinet, CentreStack "is used by thousands of businesses from over 49 countries."

Since April, Gladinet has released security updates to address several other security flaws that were exploited in attacks, some of them as zero-days.

The Clop cybercrime gang is now scanning for and breaching CentreStack servers exposed online, with Curated Intel telling BleepingComputer that ransom notes are left on compromised servers.

However, there is currently no information on the vulnerability Clop is exploiting to hack into CentreStack servers. It is unclear whether this is a zero-day flaw or a previously addressed bug that the owners of the hacked systems have yet to patch.

"Incident Responders from the Curated Intelligence community have encountered a new CLOP extortion campaign targeting Internet-facing CentreStack file servers," warned threat intel group Curated Intelligence on Thursday.

"From recent port scan data, there appears to be at least 200+ unique IPs running the 'CentreStack - Login' HTTP Title, making them potential targets of CLOP who is exploiting an unknown CVE (n-day or zero-day) in these systems."

Clop's data theft attacks

Clop has a long history of targeting secure file transfer products. In the past, the extortion gang has been behind other data theft campaigns targeting Accellion FTA, GoAnywhere MFT, Cleo, and MOVEit Transfer file-sharing servers, the latter of which affected over 2,770 organizations worldwide.

Most recently, it exploited an Oracle EBS zero-day flaw (CVE-2025-61882) to steal sensitive files from many organizations since early August 2025.

The list of Oracle customers impacted includes Harvard University, The Washington Post, GlobalLogic, the University of Pennsylvania, Logitech, and the American Airlines subsidiary Envoy Air.

After breaching their systems and exfiltrating sensitive documents, Clop published the stolen data on its dark web leak site and made it available for download via Torrent.

The U.S. Department of State is offering a $10 million reward for any information that could link this cybercrime gang's attacks to a foreign government.

A Gladinet spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today.

Source: https://www.bleepingcomputer.com/news/security/clop-ransomware-targets-gladinet-centrestack-servers-for-extortion/