CLOP RANSOMWARE: DISSECTING NETWORK - THE RAVEN FILE

Nov. 5, 2025, 10:58 a.m.

Description

The report analyzes the network infrastructure used by the Clop ransomware group, focusing on their exploitation of CVE-2025-61882 in Oracle EBS. It identifies 96 IP addresses associated with a specific fingerprint, with Germany, Brazil, and Panama being prominent locations. The analysis reveals significant overlap with IP subnets used in previous Clop attacks, including the MOVEit and Fortra GoAnywhere exploits. The report highlights the group's tendency to reuse infrastructure and their shift away from Russian IPs. It also provides high-confidence fingerprints and subnet patterns associated with Clop operations, offering insights into their attack methodology and infrastructure preferences.

Date

  • Created: Nov. 5, 2025, 9:38 a.m.
  • Published: Nov. 5, 2025, 9:38 a.m.
  • Modified: Nov. 5, 2025, 10:58 a.m.

Indicators


Attack Patterns

Additional Information

  • Technology
  • Finance
  • Government
  • Panama
  • Netherlands
  • Canada
  • Germany
  • Brazil
  • United States of America
  • Russian Federation