The notorious cybercrime group known as FIN7 has been observed deploying Cl0p (aka Clop) ransomware, marking the threat actor's first ransomware campaign since late 2021.

Microsoft, which detected the activity in April 2023, is tracking the financially motivated actor under its new taxonomy Sangria Tempest.

"In these recent attacks, Sangria Tempest uses the PowerShell script POWERTRASH to load the Lizar post-exploitation tool and get a foothold into a target network," the company's threat intelligence team said. "They then use OpenSSH and Impacket to move laterally and deploy Clop ransomware."

FIN7 (aka Carbanak, ELBRUS, and ITG14) has been linked to other ransomware families such as Black Basta, DarkSide, REvil, and LockBit, with the threat actor acting as a precursor for Maze and Ryuk ransomware attacks.