This report assesses a high-severity, multi-vector compromise affecting the National Health Service (nhs.uk). Intelligence dated November 11, 2025, confirms that nhs.uk has been listed on the “CL0P^_- LEAKS” dark web extortion site, which is operated by the prolific, financially motivated threat actor group TA505.
Key Insight: The “Two-Front War”: Analysis of the available intelligence indicates this is not a single incident. The organization is facing two simultaneous, distinct, and critical attacks that require parallel and immediate response:
- Incident 1 (Systemic Breach): A “big game” data exfiltration and extortion attack by the CL0P (TA505) group. We assess with high confidence that this was not a traditional ransomware (encryption) event but a large-scale data theft campaign, almost certainly achieved by exploiting the Cleo Managed File Transfer (MFT) zero-day vulnerabilities CVE-2024-50623 and CVE-2024-55956. The breach is systemic and targeted, and has resulted in a large, currently unquantified data loss that affects the organization at its core.
- Incident 2 (Widespread Compromise): A concurrent, high-volume “commodity” campaign by infostealer malware, primarily Vidar and X-FILES, targeting individual users (staff, patients, partners). This has resulted in the mass harvesting of NHS-related credentials for critical external-facing portals, including access.login.nhs.uk, jobs.nhs.uk, and Outlook Web Access (OWA). These credentials and the associated “logs” are actively being sold on dark web marketplaces such as Exodus Market and Olux Shop.
Victim Scope: The “victim size” must be understood in two distinct parts.
- For Incident 1, the victim is the entire NHS organization, which is one of at least 66 organizations (e.g., PricewaterhouseCoopers, Shell, Siemens Energy, Deloitte) breached in the same Cleo MFT campaign.
- For Incident 2, the victims are a large and growing number of individual users (staff, patients, and job applicants) whose accounts must be treated as fully compromised and whose credentials are in the hands of multiple unknown threat actors.
Immediate Action Required: The Security Operations Center (SOC) must immediately initiate two parallel, high-priority workstreams:
- Incident Response (IR) for Incident 1: A full-scale incident response must be launched, commencing with an emergency audit and immediate patching of all Cleo MFT assets. All data that has transited these systems must be assumed exfiltrated and compromised, and patched hosts must still be examined for exploitation that occurred before the patch.
- Containment for Incident 2: An immediate, mass-scale credential invalidation and forced password reset for all known-compromised accounts (listed in Section V) is required, paired with an emergency rollout of mandatory Multi-Factor Authentication (MFA) on all affected portals. Because a stolen session cookie remains valid until it expires or is revoked, a password reset alone is not sufficient: active sessions and refresh tokens for the affected accounts must be revoked at the same time.
Third-Order Implication: The two incidents, while likely operationally separate, create a compounding crisis. The commodity infostealer logs from Incident 2 provide a “fuel source” of initial access credentials for other threat actors (e.g., ransomware-as-a-service affiliates, Initial Access Brokers), who can be expected to use the stolen credentials to launch new attacks. This is exacerbated by the fact that the X-FILES stealer captures session cookies, which can be replayed to bypass MFA. These secondary attackers will attempt to move laterally and establish persistence while the organization’s leadership and security teams are consumed by the CL0P data breach (Incident 1).
Incident 1: CL0P Extortion Campaign
This section provides a detailed analysis of the systemic, server-side breach that led to the CL0P^_- LEAKS dark web posting.
Threat Actor Profile
Identity: The threat actor TA505 (also known as the CL0P group, and overlapping with FIN11) is a highly sophisticated, financially motivated cybercrime syndicate believed to be Russian-speaking. The group has been operational since at least 2014 and is responsible for some of the most significant and widespread campaigns in recent history.
Modus Operandi: TA505’s history is one of evolution. The group was initially known for operating one of the largest botnets in the world, distributing malware via massive phishing and malspam campaigns. They were early adopters of ransomware, leveraging the CL0P variant (an evolution of the CryptoMix family) in “Ransomware as a Service” (RaaS) operations.
Pivotal TTP Evolution: A critical shift in TA505’s tactics has been observed. Historically, the group was synonymous with the “double-extortion” model: first exfiltrating sensitive data, then encrypting the victim’s network and demanding a ransom for both the decryption key and the deletion of the stolen data.
However, the group has since pivoted decisively away from the noisy, disruptive, and technically complex deployment of ransomware toward a data-theft-and-extortion model. The pattern first appeared in the Accellion FTA campaign of late 2020 and was repeated against GoAnywhere MFT (early 2023), MOVEit Transfer (mid-2023, CVE-2023-34362) and now Cleo (late 2024 into 2025): identify a zero-day in an enterprise-grade Managed File Transfer (MFT) product, exploit it at scale across the internet, and conduct a “low-and-slow,” stealthy exfiltration of large volumes of data without ever deploying a ransomware payload. The extortion demand rests solely on the threat of leaking the stolen data. The listing of nhs.uk on the leak site is the final stage of this streamlined kill chain.
Campaign Analysis
The intelligence listing nhs.uk is not an isolated event. The victim is listed alongside a “who’s who” of global corporations, including PricewaterhouseCoopers (PwC), Ernst & Young (EY), Deloitte, Shell, Siemens Energy, and Schneider Electric. This victimology closely matches the known list of companies compromised in the large-scale “Cleo” campaign that took place in late 2024 and early 2025.
Initial Access
- Vector: The attack vector was enterprise-grade Managed File Transfer (MFT) software developed by Cleo. The specific affected products are Cleo LexiCom, Cleo VLTrader, and Cleo Harmony. These platforms are designed for the secure exchange of sensitive documents between business partners, making them an ideal, high-value target for a data theft group like CL0P.
- Vulnerability 1: CVE-2024-50623: This was the initial vulnerability exploited by TA505. Cleo disclosed it in October 2024; in-the-wild exploitation was widely reported in December 2024. It is described as an unrestricted file upload and download vulnerability that leads directly to Remote Code Execution (RCE) on the underlying server. CISA added it to its Known Exploited Vulnerabilities (KEV) catalog in December 2024.
- Vulnerability 2: CVE-2024-55956: This is a second vulnerability that was exploited after Cleo released an initial patch for CVE-2024-50623. This vulnerability allows an unauthenticated, remote attacker to execute arbitrary PowerShell or Bash/script code by manipulating the autorun directory. This demonstrates TA505’s high level of sophistication, as they either discovered a patch bypass or had a second, independent zero-day vulnerability in reserve to continue their campaign.
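The emergency audit called for in the summary starts with an inventory check: which Cleo hosts are still below the fixed builds for each CVE. The script below is an added example, not part of the original report or of Cleo's tooling. It assumes a CMDB-style CSV export (host, product, version) and uses the fixed versions from the vendor advisories (5.8.0.21 for CVE-2024-50623, 5.8.0.24 for CVE-2024-55956); the inventory lines and hostnames are constructed, and the fixed versions should be re-verified against the current advisory before acting on the output.

```python
"""Audit a Cleo MFT inventory against the fixed builds for CVE-2024-50623 and CVE-2024-55956.

Added example (not the report's or Cleo's code). Fixed versions are taken from the
vendor advisories and are an assumption to re-verify: Harmony, VLTrader and LexiCom
are affected before 5.8.0.21 (CVE-2024-50623) and before 5.8.0.24 (CVE-2024-55956).
"""

AFFECTED_PRODUCTS = {"harmony", "vltrader", "lexicom"}

# Minimum build that carries the fix for each CVE (assumed from vendor advisories).
FIXES = {
    "CVE-2024-50623": (5, 8, 0, 21),
    "CVE-2024-55956": (5, 8, 0, 24),
}

# Constructed sample inventory: host,product,version. Hostnames are fictitious.
SAMPLE_INVENTORY = """\
# host,product,version
mft-gw-01.example.org,Cleo Harmony,5.8.0.20
mft-gw-02.example.org,Cleo VLTrader,5.8.0.21
edi-partner.example.org,Cleo LexiCom,5.8.0.24
sftp-legacy.example.org,OpenSSH,9.6
mft-gw-03.example.org,Cleo Harmony,5.7.1.9
"""


def parse_version(text):
    """Turn '5.8.0.21' (or a short form like '5.8') into a 4-tuple for comparison."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 4:
        parts.append(0)
    return tuple(parts[:4])


def is_cleo_product(product):
    name = product.lower()
    return name.startswith("cleo") and any(p in name for p in AFFECTED_PRODUCTS)


def audit_inventory(csv_text):
    """Return one finding per Cleo host: which CVE fixes it is missing and the action.

    Hosts already on a fixed build are still reported, because the zero-days were
    exploited before patches existed: they need a forensic check, not just a tick.
    """
    findings = []
    for line in csv_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, product, version = (f.strip() for f in line.split(",", 2))
        if not is_cleo_product(product):
            continue
        build = parse_version(version)
        missing = [cve for cve, fixed in FIXES.items() if build < fixed]
        findings.append({
            "host": host,
            "product": product,
            "version": version,
            "missing": missing,
            "action": "PATCH+IR" if missing else "verify-no-prior-exploitation",
        })
    return findings


def hosts_needing_patch(csv_text):
    """Sorted list of hosts still below the fixed build for at least one CVE."""
    return sorted(f["host"] for f in audit_inventory(csv_text) if f["missing"])


if __name__ == "__main__":
    for f in audit_inventory(SAMPLE_INVENTORY):
        print(f"{f['host']:28} {f['version']:10} missing={f['missing']} -> {f['action']}")
```

A host on 5.8.0.21 is closed against CVE-2024-50623 but still open to CVE-2024-55956, which is exactly the gap the second vulnerability exploited; the audit therefore reports each CVE separately rather than a single "patched" flag.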
Execution and Defense Evasion
- Upon gaining RCE, CL0P operators executed arbitrary commands to enumerate the host system and connected network resources. The TTPs associated with CVE-2024-55956 specifically mention the execution of PowerShell and Bash scripts.
- This TTP is consistent with, though slightly different from, their 2023 MOVEit campaign, where they deployed a specific web shell named LEMURLOOT to maintain persistence and steal data. The Incident Response Team (IRT) should hunt for both Cleo-specific script execution and historical CL0P web shells. Research also notes that other, smaller groups (such as “Termite”) may have exploited these vulnerabilities too, which can complicate forensic attribution.
Collection and Exfiltration
- The singular goal of this campaign was data theft. After compromising the MFT servers, the attackers identified and exfiltrated sensitive data stores accessible to or transiting these systems.
- The victim list in the intel provides a critical clue to the nature of the data stolen. The presence of major consulting firms (PwC, EY, Deloitte), energy companies (Shell, Siemens Energy), and supply-chain software providers (Blue Yonder) alongside the NHS implies these MFT servers were being used for B2B data exchange. The data exfiltrated from the NHS is therefore highly likely to include not just internal data but also sensitive inter-organizational data, such as contracts, financial reports, supply chain details, and PII/PHI shared with partners.
Impact: Extortion
- The intelligence showing the santat7kpllt6iyvqbr7q4amdv6dzrh6paatvyrzl7ry3zm72zigf4ad.onion leak site is the final stage of the attack.
- The taunt, “The company doesn’t care about its customers, it ignored their security!!!”, is a standard CL0P tactic to apply public pressure.
- Research confirms the timeline: on December 24, 2024, CL0P announced they had breached 66 companies in the “Cleo” attack and gave them a 48-hour deadline to initiate contact via secure chat or email. The public listing of nhs.uk observed on November 11, 2025, indicates the organization (along with the others listed) either did not respond to the extortion demand or refused to negotiate, prompting the attackers to follow through on their threat to “name and shame.” Note that the intelligence date records when the listing was observed, not necessarily when it was first posted.
Victim Size (Incident 1)
- The “victim size” for this incident is organizational.
- Direct Victim: The National Health Service (nhs.uk), listed with its headquarters, phone, and a “Revenue: $234 Billion”.
- Campaign Victims: The NHS is one victim in a massive, systemic campaign. Research indicates at least 66 organizations were compromised, and intelligence and supporting research confirm the list of co-victims includes:
PricewaterhouseCoopers (PwC), Ernst & Young (EY), Deloitte, Shell, Siemens Energy, Schneider Electric (SE.com), Cognizant, AON, Blue Yonder, Washington Post, Sony, Logitech, and dozens more.
- Data Impact: The total volume of data exfiltrated from the NHS is unknown. Given the role of MFT software in bulk partner exchange and the scale of the organization, it should be assumed to be large (plausibly terabytes) and to contain a high volume of extremely sensitive patient data (PHI), personally identifiable information (PII), and strategic, financial and operational data.
Incident 2: Credential Compromise
This section details the concurrent, widespread, and client-side compromise of individual user accounts, which poses a separate and immediate threat.
The Threat Vector
While the CL0P breach (Incident 1) was a targeted, server-side attack, the intelligence reveals a simultaneous, high-volume, client-side problem. This is the “business-as-usual” economy of cybercrime, which revolves around infostealer malware and the marketplaces that sell the stolen data.
The kill chain is simple and effective:
- Malware: Infostealer-as-a-Service malware, such as Vidar and X-FILES, is deployed via large-scale malspam campaigns, social engineering, or fake software installers.
- Infection: Individual users (NHS staff, patients, job applicants) are infected on their personal or unmanaged devices.
- Theft: The malware activates, scrapes credentials, browser cookies, system information, and cryptocurrency wallet data from the victim’s machine.
- Sale: The collected data, packaged as a “log” (representing one infected user), is exfiltrated to the malware’s C2 server and then sold on dark web marketplaces.
The intelligence data provides concrete evidence of this ecosystem targeting the NHS:
Marketplace Profile: Exodus Market
- The intel shows at least 10 distinct hits for nhs.uk credentials and access on Exodus Market over a 24-hour period (Nov 10, 2025).
- Research confirms that Exodus Market is a major, emerging platform specializing in the sale of stealer logs. It provides a high-volume, low-cost “treasure trove” for other cybercriminals (e.g., Initial Access Brokers) to purchase, enabling a wide variety of follow-on attacks such as identity theft, financial fraud, and corporate network intrusion.
Marketplace Profile: Olux Shop
- The intel shows a specific, high-value credential for sale on Olux Shop: https://hqcas01.dhc.nhs.uk/owa/auth/logon.aspx (Outlook Web Access).
- The sale of authenticated OWA access is particularly critical. It provides an attacker with a direct, trusted entry point into the organization’s internal email system. From there, they can conduct internal spear-phishing, reset passwords for other internal systems, access sensitive communications, and exfiltrate data, all while appearing to be a legitimate employee.
Malware Analysis
The intelligence logs explicitly name the malware families responsible for harvesting the stolen NHS credentials.
Vidar Stealer
- TTPs: Vidar is one of the most common and successful Malware-as-a-Service (MaaS) infostealer families, first appearing in 2018. Its primary delivery vectors include email (malspam), malicious ISO file attachments, and fake installers for legitimate software such as Adobe Photoshop and Microsoft Teams.
- Action: Once executed, Vidar scrapes an extensive range of data from browsers, including saved credentials, browsing history, autofill data, credit card numbers, and a wide array of cryptocurrency wallets.
- Evidence: The intel shows multiple “Vidar Malware Logs” dated November 5, 2025, which contain confirmed, cleartext credentials for:
  - https://www.cardea.nhs.uk/Cardea/
  - https://www.cardea.nhs.uk/
  - https://access.login.nhs.uk/
  - https://beta.jobs.nhs.uk/
  - https://www.jobs.nhs.uk/
X-FILES Stealer
- TTPs: X-FILES is a more advanced and emerging infostealer, first observed in 2021. It is also delivered via phishing domains, often hosted on Russian IPs, and has been seen exploiting vulnerabilities like Follina.
- Key TTP (MFA Bypass): X-FILES presents a significantly higher risk than traditional stealers. It is specifically designed to steal not just passwords, but also browser cookies and session tokens. It can target desktop authenticator applications to intercept one-time passwords (OTPs) and can recover tokens for major corporate accounts, including Google.
- Critical Implication: This is a critical threat that bypasses standard security controls. Even if the SOC enforces mandatory MFA on all portals, an attacker who buys an X-FILES log can bypass MFA by importing the stolen, still-valid session cookie into their own browser and hijacking the legitimate user’s authenticated session, with no need for the password or the MFA token. The cookie stays usable until the session expires or is revoked server-side, so containment must revoke sessions as well as reset passwords, and session lifetimes on the affected portals should be shortened.
- Evidence: The intel shows “X-FILES Malware Logs” from November 5, 2025, containing credentials for https://jobs.nhsbt.nhs.uk/. Any user compromised by this malware family must be considered a critical, active threat.
Victim Size (Incident 2)
- The “victim size” for this campaign is individual, not organizational, and the count is the total number of users infected by commodity infostealers.
- The intel provides a snapshot of this widespread compromise, revealing dozens of stolen credentials for at least a dozen distinct NHS-affiliated portals, including:
  - access.login.nhs.uk (NHS National Login)
  - auth.learninghub.nhs.uk
  - www.jobs.nhs.uk (NHS Jobs Portal)
  - jobs.nhsbt.nhs.uk (NHS Blood and Transplant Jobs)
  - patients.uhcw.nhs.uk (University Hospitals Coventry Patient Portal)
  - patients.mkhospital.nhs.uk (Milton Keynes University Hospital Patient Portal)
  - settings.login.nhs.uk
  - www.oriel.nhs.uk
  - pharmacisteportfolio.hee.nhs.uk
  - erecruitment.nhsponline.nhs.uk
  - hqcas01.dhc.nhs.uk/owa (Outlook Web Access)
  - www.cardea.nhs.uk/
- The wide variety of usernames found in the logs, including personal emails (live.com, gmail.com, talktalk.net) alongside corporate emails (@nhsbt.nhs.uk), points to the root cause of this incident: the infection of unmanaged personal devices. Staff, patients, and job applicants are using their personal computers (which are infected with stealers) to access these portals, and their browsers’ “save password” feature is betraying their credentials.
Intelligence Synthesis
This section provides the overall assessment, linking the two incidents and detailing the compounding risk.
The Initial Access Broker Ecosystem:
The cybercrime landscape is highly specialized. Research details the critical role of Initial Access Brokers (IABs). These actors do not typically conduct attacks themselves; rather, they specialize in gaining and selling access to corporate networks. The Vidar/X-FILES logs (Incident 2) are the raw material for this IAB ecosystem. RaaS groups (like CL0P’s affiliates, though perhaps not CL0P core) and other threat actors are major customers of this IAB market. They purchase these logs from marketplaces like Exodus to get the foothold they need for their own campaigns.
Analysis of Competing Hypotheses:
When assessing a multi-vector attack, it is crucial to determine if the events are linked or coincidental.
- Hypothesis 1 (Directly Linked): The CL0P (TA505) group bought a Vidar/X-FILES log from Exodus Market, gained initial access to an NHS staff member’s account, and from that internal position discovered and exploited the vulnerable Cleo MFT server. This is plausible in principle, but the chronology in this intel argues against it: the Cleo campaign ran in December 2024, while the infected-endpoint timestamps (Table 3) and stealer logs here date from July to November 2025, so the logs observed could not have seeded that intrusion.
- Hypothesis 2 (Unrelated but Simultaneous – Most Likely Scenario): The NHS is being targeted by two separate but simultaneous threat campaigns.
- Attack 1 (CL0P): TA505’s core TTP is now the mass exploitation of external-facing zero-day MFT vulnerabilities. It is more likely they breached the NHS’s Cleo server (along with 65 others) via internet-wide scanning and exploitation, a method that does not require a credentialed entry.
- Attack 2 (Infostealers): The Vidar/X-FILES logs (Incident 2) are “business-as-usual,” opportunistic infections. They are hitting the NHS at the same time because the NHS is a massive organization with millions of users (staff, patients, partners), making it a statistically large and unavoidable target for any widespread malspam campaign.
The Consequence:
Operationally, it is irrelevant whether the attacks are linked. The SOC must be prepared to fight both fires simultaneously.
The CL0P breach (Incident 1) is a C-level/legal data-breach crisis that will consume the organization’s strategic leadership.
The infostealer breach (Incident 2) is an immediate, ongoing, and critical security failure that provides the “fuel” for the next wave of attacks. The SOC must assume that other RaaS groups and IABs are actively buying the credentials from Exodus Market right now to exploit the confusion and resource drain caused by the CL0P leak. The TTP of the X-FILES stealer—MFA bypass via cookie theft—means that even accounts protected by MFA are at extreme risk of takeover. This is not a theoretical threat; it is an active, ongoing compromise.
Indicators of Compromise (IOCs)
This section provides actionable data for SOC, IR, and Threat Hunting teams.
Table 1: CL0P Campaign IOCs
- Description: IOCs related to the systemic, server-side data breach (Incident 1).
- Value: This table is crucial for the IRT to identify the breach vector (the Cleo servers), hunt for post-exploitation activity, and understand the attacker’s TTPs.
| IOC Type | Indicator | Context / TTP |
| Threat Actor | CL0P / TA505 / FIN11 | Financially motivated. TTP: Zero-day MFT exploit, data theft, extortion. |
| Dark Web URL | http://santat7kpllt6iyvqbr7q4amdv6dzrh6paatvyrzl7ry3zm72zigf4ad.onion | CL0P^_- LEAKS site. Do not visit from corporate network. |
| Vulnerability | CVE-2024-50623 | Cleo MFT Unrestricted File Upload (RCE). Patch Immediately. |
| Vulnerability | CVE-2024-55956 | Cleo MFT Unauthenticated RCE (PowerShell/Bash). Patch Immediately. |
| Vulnerability | CVE-2023-34362 | (Historical / Hunting) MOVEit Transfer SQLi. Hunt for this as well. |
| Tool / TTP | Cleo LexiCom, Cleo VLTrader, Cleo Harmony | Affected software. Audit network for these. |
| Malware | LEMURLOOT (Web Shell) | (Historical / Hunting) Used in MOVEit campaign. |
| Malware | FlawedAmmyy / FlawedGrace (RAT) | (Historical / Hunting) Known TA505 tool. |
| Malware | SDBot (RAT) | (Historical / Hunting) Known TA505 tool. |
| Malware | Truebot (Downloader) | (Historical / Hunting) Known TA505 tool. |
Table 2: Infostealer Malware IOCs
- Description: IOCs related to the commodity malware campaign (Incident 2).
- Value: This table provides the names of the malware and marketplaces, and their TTPs, allowing the SOC to configure EDR/AV detections and user-awareness campaigns.
| IOC Type | Indicator | Context / TTP |
| Marketplace | Exodus Market | Marketplace for infostealer logs. |
| Marketplace | Olux Shop | Marketplace for credentials, including OWA. |
| Malware | Spyware.Vidar / Vidar Stealer | Infostealer. TTPs: Malspam, ISOs, fake installers. |
| Malware | Stealer.X-FILES / X-FILES | Infostealer. TTPs: Phishing, MFA/Cookie Theft. |
| TTP | Malicious ISO Attachments | Delivery vector for Vidar. |
| TTP | Fake Software Installers | Delivery vector (Adobe, Teams). |
| TTP | Phishing Emails | Delivery vector for X-FILES, Vidar. |
| TTP | Trojanized npm packages | Emerging vector for Vidar. |
Table 3: Compromised Endpoint IPs
- Description: IP addresses of infected “bot” machines (from Incident 2) known to have exfiltrated nhs.uk credentials, as seen in the intel.
- Value: This provides the SOC with external IPs of compromised (likely personal/home) devices. This data can be used to block, hunt, or correlate with internal logs (e.g., VPN, OWA) to find active, malicious sessions.
| Timestamp (UTC) | IP Address | Geolocation |
| 2025-07-09 19:40:53 | 213.150.111.169 | TN (Tunisia) |
| 2025-07-15 11:07:00 | 83.104.92.225 | GB (United Kingdom) |
| 2025-07-10 06:46:00 | 110.38.244.97 | PK (Pakistan) |
| 2025-07-12 15:56:00 | 82.28.41.167 | GB (United Kingdom) |
| 2025-07-08 21:30:00 | 89.38.224.244 | RS (Serbia) |
| 2025-07-08 23:39:00 | 92.41.158.112 | GB (United Kingdom) |
| 2025-07-13 14:21:00 | 161.142.151.135 | MY (Malaysia) |
| 2025-07-09 03:04:00 | 84.68.213.27 | GB (United Kingdom) |
| 2025-07-09 (N/A) | 124.29.226.57 | PK (Pakistan) |
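Two hunts follow directly from this table and from the X-FILES cookie-theft TTP described under Incident 2: sign-ins from the infected endpoints above, and session cookies that were established by one client and then presented by another. The script below is an added example, not part of the original report or of any vendor product. It assumes a constructed, space-delimited export of portal or VPN sign-in events (timestamp, client IP, user, session id, auth method, user agent); real OWA/IIS or VPN fields have to be mapped onto those columns first, and the sample log lines, usernames and non-IOC addresses are fictitious.

```python
"""Hunt sign-in logs for (a) Table 3 infected-endpoint IPs and (b) replayed session cookies.

Added example (not the report's or any product's code). Log format is a constructed
space-delimited export: timestamp ip user session_id auth_method user_agent.
"""
from collections import defaultdict
from datetime import datetime, timezone

# IOC IPs from Table 3 of the report (infected endpoints that exfiltrated nhs.uk credentials).
IOC_IPS = {
    "213.150.111.169", "83.104.92.225", "110.38.244.97", "82.28.41.167",
    "89.38.224.244", "92.41.158.112", "161.142.151.135", "84.68.213.27",
    "124.29.226.57",
}

# Constructed sample log lines (fictitious users; 198.51.100.23 and 10.20.30.40 are test addresses).
SAMPLE_LOG = """\
2025-07-09T19:45:10Z 83.104.92.225 user.a sess-4a1f password+mfa Mozilla/5.0 (Windows NT 10.0) Chrome/126
2025-07-09T20:02:41Z 83.104.92.225 user.a sess-4a1f cookie Mozilla/5.0 (Windows NT 10.0) Chrome/126
2025-07-10T03:14:02Z 198.51.100.23 user.a sess-4a1f cookie Mozilla/5.0 (X11; Linux x86_64) Firefox/115
2025-07-10T08:30:00Z 10.20.30.40 user.b sess-9c02 password+mfa Mozilla/5.0 (Macintosh) Safari/17
2025-07-10T09:12:15Z 10.20.30.40 user.b sess-9c02 cookie Mozilla/5.0 (Macintosh) Safari/17
2025-07-12T16:01:33Z 82.28.41.167 user.c sess-77e1 password Mozilla/5.0 (Windows NT 10.0) Edge/125
"""


def parse_line(line):
    ts, ip, user, sid, auth, ua = line.split(" ", 5)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "ip": ip, "user": user, "sid": sid, "auth": auth, "ua": ua,
    }


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def ioc_hits(events, ioc_ips=IOC_IPS):
    """Events whose client IP is one of the known infected endpoints."""
    return [e for e in events if e["ip"] in ioc_ips]


def replayed_sessions(events):
    """Sessions that were established with a password/MFA login from one client and
    later presented cookie-only from a different (ip, user_agent).

    That is the signature of a stolen cookie imported into the attacker's browser:
    the session id is valid, but no fresh credential step happened from the new client.
    Returns {session_id: {"user", "origin_ip", "foreign": [events...]}}.
    """
    by_sid = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_sid[e["sid"]].append(e)
    suspicious = {}
    for sid, evs in by_sid.items():
        origin = next((e for e in evs if e["auth"].startswith("password")), None)
        if origin is None:
            continue  # no login seen in this window; cannot establish the owning client
        foreign = [
            e for e in evs
            if e["auth"] == "cookie" and (e["ip"], e["ua"]) != (origin["ip"], origin["ua"])
        ]
        if foreign:
            suspicious[sid] = {"user": origin["user"], "origin_ip": origin["ip"], "foreign": foreign}
    return suspicious


def hunt(text):
    """Run both hunts over a log export and return a compact findings summary."""
    events = parse_log(text)
    return {
        "ioc_hits": [(e["user"], e["ip"]) for e in ioc_hits(events)],
        "replayed": {
            sid: (d["user"], [f["ip"] for f in d["foreign"]])
            for sid, d in replayed_sessions(events).items()
        },
    }


if __name__ == "__main__":
    findings = hunt(SAMPLE_LOG)
    for user, ip in findings["ioc_hits"]:
        print(f"IOC hit: {user} signed in from infected endpoint {ip}")
    for sid, (user, ips) in findings["replayed"].items():
        print(f"Possible cookie replay: session {sid} of {user} presented from {ips}")
```

Read the two findings differently. A hit on a Table 3 IP is most likely the legitimate user on their own infected machine, which tells you that account's credentials and cookies are already in a stealer log; the buyer of that log will arrive from some other address, which is what the replay check is for. A changed IP or user agent on its own is noisy (mobile roaming, corporate VPN egress), so the check only fires when the new client presents the cookie without a password or MFA step of its own; in either case the response is the same as in the summary, revoke the session and reset the credential.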
Table 4: Compromised NHS Credentials and Assets
- Description: This is a high-priority, actionable list of known compromised user credentials and the specific NHS portals they access, sourced directly from the intel. Usernames and passwords are shown as they appear in the intel export (masked or redacted); entries captured on /register or /reset pages are form submissions and are still treated as compromised credentials.
- Value: This is the SOC’s immediate containment and remediation to-do list. Every entry represents a credential that must be treated as compromised: reset it, revoke the account’s sessions, and review recent activity on the portal.
| Compromised URL/Asset | Username | Password (Cleartext, masked) |
| https://hqcas01.dhc.nhs.uk/owa/ | zchennit | “ |
| https://www.cardea.nhs.uk/Cardea/ | KPEEL1 | *****d1985* |
| https://www.cardea.nhs.uk/ | [email protected] | *****d1985 |
| https://jobs.nhsbt.nhs.uk/ | [email protected] | *****an99 |
| https://access.login.nhs.uk/ | [email protected] | *****k25@19551854 |
| https://access.login.nhs.uk/log-in | [email protected] | *****9@?fUiThV |
| https://access.login.nhs.uk/log-in | [email protected] | *****la672 |
| https://access.login.nhs.uk/log-in | [email protected] | *****v216 |
| https://access.login.nhs.uk/reset/ | tom | *****Ci-M9VkJ9 |
| https://access.login.nhs.uk/register/ | [email protected] | *****oso1 |
| https://access.login.nhs.uk/register/ | [email protected] | *****123 |
| https://access.login.nhs.uk/ | [email protected] | *****n22 |
| https://login.live.com/ | [email protected] | *****;>r%Y3RD&j |
| https://www.nhsbt.nhs.uk/ | [email protected] | *****6 |
| https://www.jobs.nhs.uk/login | [email protected] | *****KC3Qa/$-4c |
| https://www.jobs.nhs.uk/login | [email protected] | *****B_V!_7 |
| https://www.jobs.nhs.uk/login | [email protected] | *****wisdom@2013 |
| https://beta.jobs.nhs.uk/login | [email protected] | *****vey2013 |
| https://beta.jobs.nhs.uk/login | [email protected] | *****TZ2 |
| https://beta.jobs.nhs.uk/register | [email protected] | *****ify2013 |
| https://www.jobs.nhs.uk/register | [email protected] | *****novasdefalt216 |
| https://patients.mkhospital.nhs.uk/ | “ | *****v216 |
| https://erecruitment.nhsponline.nhs.uk | [N/A] | [N/A] |
| https://pharmacisteportfolio.hee.nhs.uk | [N/A] | [N/A] |
| https://www.oriel.nhs.uk | [N/A] | [N/A] |
| https://patients.uhcw.nhs.uk | [N/A] | [N/A] |