Financial Sector Supply Chain Attacks - Clop MOVEit + GoAnywhere (CISA AA23-158A) - DugganUSA
WHITE pduggusa 2025-11-30 Modified: 2025-12-30
19 IOCs, MEDIUM VOLUME
Supply chain attacks targeting financial sector file transfer systems. Clop/TA505 exploited MOVEit (CVE-2023-34362) and GoAnywhere (CVE-2023-0669) zero-days. 406 financial sector ransomware victims Apr 2024-Apr 2025 (FS-ISAC). Bank of America 57K customers exposed. ICBC $9B Treasury disruption. SOX Section 404 implications for material weakness disclosure. STIX: analytics.dugganusa.com/api/v1/stix-feed
MITRE ATT&CK & Malware Families
Malware families: Clop, LEMURLOOT, DEWMODE
Indicators of Compromise (19)
| Type | Indicator | Description | Created |
| --- | --- | --- | --- |
| CVE | CVE-2023-34362 | Zero-day exploited by Clop May 2023 | 2025-11-30 |
| CVE | CVE-2023-0669 | Zero-day exploited by Clop Jan 2023 | 2025-11-30 |
| CVE | CVE-2024-55956 | Exploited by Clop Dec 2024 | 2025-11-30 |
| CVE | CVE-2025-61882 | Exploited by Clop Sep 2025 | 2025-11-30 |