Google Mandiant and the Google Threat Intelligence Group (GTIG) have revealed that they are tracking new activity clusters that may be linked to a financially motivated threat actor known as CL0P.
Malicious Activities sends a terr email to executives from various organizations, claiming they have stolen sensitive data from the Oracle E-Business suite.
“This activity began before September 29, 2025, but Mandiant experts are still in the early stages of multiple investigations and have yet to demonstrate the group’s claims,” Genevieve Stark, head of cybercrime and information operations intelligence analysis at GTIG, told Hacker News.
Mandiant CTO Charles Carmakal described the ongoing activity as a “massive email campaign” launched from hundreds of compromised accounts. It suggests that at least one of these accounts was previously associated with an activity from FIN11, a subset within the TA505 group.
FIN11 per Mandiant will be engaged in ransomware and terror attacks until 2020. Previously, it was linked to the distribution of various malware families such as Flawedamyy, Friendspeak, and MixLabel.
“We have confirmed that the malicious email contains contact information and that the two specific contact addresses provided are also publicly available on the CL0P Data Leak Site (DLS),” Carmakal added. “This move strongly suggests that it is linked to CL0P and leverages current brand awareness of operations.”
That said, Google said it has no evidence in itself to confirm the suspicious relationship, despite the similarity of tactics observed in previous CL0P attacks. The company is also urging organizations to investigate the environment for evidence of threatening actor activity.
It is currently unclear how initial access will be obtained. However, according to Bloomberg, the attacker is believed to have compromised users’ emails, abused the default password reset function, citing information shared by Halikon to obtain valid Oracle E-Business Suite Portals for the Internet.
Hacker News will reach out to Oracle to further comment on the Frightening Tor campaign and update the story if there is a reply.
In recent years, the highly prolific CL0P group has been attributable to many waves of attacks exploiting Accellion FTA, SolarWinds Serv-U FTP, Fortra GoaNy Where MFT, and ongoing mobile transfer platforms, which have infringed thousands of organizations.
Source link
