What Happened
The Clop data extortion group is actively exploiting a zero-day vulnerability in Gladinet CentreStack, an enterprise file server platform used by organizations for self-hosted cloud file sync and sharing. BleepingComputer and SC Media reported the campaign on April 1, 2026. No CVE number for the actively exploited flaw has been published as of this writing. Gladinet has released emergency patches and confirms exploitation in the wild.
Clop’s approach mirrors its campaigns against GoAnywhere MFT in 2023 and MOVEit Transfer in 2023 and 2024: identify a widely deployed file transfer platform, exploit a critical vulnerability before organizations patch, exfiltrate sensitive files from multiple victims in parallel, and issue extortion demands while threatening to publish stolen data on its leak site. Researchers scanning public-facing infrastructure identified more than 200 internet-exposed CentreStack instances as potential targets.
CentreStack is deployed in enterprises and government organizations as a self-hosted alternative to SharePoint or commercial cloud storage platforms. It provides file sync, remote access, and collaborative sharing for distributed workforces. Its deployment in sensitive document management workflows makes it an attractive target for extortion-focused groups.
Why This Matters for Canadian Organizations
Clop’s previous campaigns against file transfer platforms affected Canadian organizations. The MOVEit campaign reached federal government contractors, healthcare providers, and financial services firms operating in Canada. The GoAnywhere campaign similarly touched Canadian entities. Clop’s pattern of simultaneous mass exploitation means organizations do not receive advance warning before data leaves their environment.
Canadian enterprises running Gladinet CentreStack for document management or remote file access face direct risk. A confirmed breach triggers reporting obligations under the Personal Information Protection and Electronic Documents Act (PIPEDA). Organizations operating in Quebec are also subject to Law 25. Healthcare entities operating under provincial health privacy legislation face additional obligations where patient data is involved.
Organizations without CentreStack deployments should still assess the situation. Clop’s move toward zero-day exploitation of enterprise file platforms signals the group is investing in pre-patch access, which shortens defenders’ response window to near zero.
What to Do
Apply the Gladinet emergency security patch immediately. If patching within 24 hours is not achievable, take the CentreStack web interface offline or restrict access to internal IP ranges through firewall rules until the patch deploys.
Review CentreStack access and file transfer logs from the past two weeks for anomalous activity, including large downloads, unusual access times, or unknown IP addresses.
Confirm whether the CentreStack server is accessible from the public internet and eliminate exposure if present.
If data exfiltration is suspected, engage incident response resources and assess breach notification obligations under PIPEDA.
Monitor Clop’s data leak site for any Canadian organizational names appearing in new listings.
Report confirmed indicators of compromise to the CCCS at contact@cyber.gc.ca.
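An added example, not part of the original article and not Gladinet tooling: one way to run the log review described above, flagging large downloads, off-hours access and unknown client IPs. It assumes web access logs in W3C extended format with a #Fields header and UTC timestamps; the known networks, working hours, byte threshold, URL paths and sample lines are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Assumptions (not from the article): W3C extended logs, UTC times, and the three values below.
KNOWN_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]
WORK_HOURS = range(7, 19)          # 07:00-18:59 UTC counts as normal
BYTES_LIMIT = 500 * 1024 * 1024    # per-client download volume to flag
# Constructed sample log lines, not real traffic; paths are placeholders.
SAMPLE = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-bytes
2026-03-30 14:02:11 10.1.4.20 GET /example/a.pdf 200 48211
2026-03-31 02:41:07 203.0.113.77 GET /example/archive.zip 200 734003200
2026-03-31 02:43:55 203.0.113.77 GET /example/b.pdf 200 12000
2026-03-31 15:10:42 192.0.2.15 POST /example/login 200 900
#Fields: date time c-ip sc-status sc-bytes
2026-04-01 03:05:00 10.1.4.20 200 1500
"""

def parse(lines):
    """Yield one dict per request, honouring every #Fields header seen."""
    fields = []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]           # column layout can change mid-file
        elif line.strip() and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):      # skip truncated rows
                yield dict(zip(fields, values))

def review(lines):
    """Return {client_ip: sorted reasons} for the three signals named above."""
    findings, volume = defaultdict(set), defaultdict(int)
    for row in parse(lines):
        ip = row["c-ip"]
        when = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        if not any(ipaddress.ip_address(ip) in net for net in KNOWN_NETS):
            findings[ip].add("unknown-ip")
        if when.hour not in WORK_HOURS:
            findings[ip].add("off-hours")
        if row.get("sc-bytes", "0").isdigit():  # "-" means no value was logged
            volume[ip] += int(row["sc-bytes"])
    for ip, total in volume.items():
        if total > BYTES_LIMIT:                 # summed per client, not per request
            findings[ip].add("large-download")
    return {ip: sorted(reasons) for ip, reasons in findings.items()}

if __name__ == "__main__":
    print(review(SAMPLE.splitlines()))
```

Volume is summed per client across the whole input, so a transfer split into many small requests still crosses the threshold.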
Source: BleepingComputer

