Fyself News
CL0P-linked hackers exploit flaws in Oracle software to infiltrate dozens of organizations

October 10, 2025Ravi LakshmananVulnerability/Threat Intelligence

Google Threat Intelligence Group (GTIG) and Mandiant said in a new report released Thursday that a zero-day exploit of a security flaw in Oracle’s E-Business Suite (EBS) software may have affected dozens of organizations since August 9, 2025.

“While we are still assessing the scope of this incident, we believe it impacted dozens of organizations,” John Hultquist, chief analyst at Google Cloud GTIG, said in a statement shared with The Hacker News. “Some of the historic Cl0p data extortion campaigns had hundreds of victims. Unfortunately, these large-scale zero-day campaigns are becoming the norm in cybercrime.”

This activity has several characteristics associated with the Cl0p ransomware cluster and is assessed to have combined several different vulnerabilities, including a zero-day flaw tracked as CVE-2025-61882 (CVSS score: 9.8), to infiltrate target networks and exfiltrate sensitive data. Google said it found evidence of further suspicious activity dating back to July 10, 2025, but it remains unclear how successful these efforts were. Oracle has since issued a patch to address this shortcoming.

Cl0p (also known as Graceful Spider), which has been active since 2020, is believed to be responsible for several large-scale zero-day exploitation campaigns over the years against Accellion legacy File Transfer Appliance (FTA), GoAnywhere MFT, Progress MOVEit MFT, and Cleo LexiCom. Phishing email campaigns run by FIN11 have served as a precursor to Cl0p ransomware deployments in the past, but Google said it has found indications that the operators of this file-encrypting malware are a distinct actor.

The latest wave of attacks began in earnest on September 29, 2025, when the threat actors launched a mass email campaign targeting corporate executives from hundreds of compromised third-party accounts belonging to unrelated organizations. The credentials for these accounts are said to have been purchased on underground forums, likely as part of infostealer malware logs.

In the emails, the attackers claimed to have compromised an Oracle EBS application and exfiltrated sensitive data, and demanded an unspecified ransom in exchange for not publishing the stolen information. To date, no victims of this campaign have been listed on the Cl0p data leak site. This is consistent with previous Cl0p attacks, where the attackers waited several weeks before posting.

The attack itself leverages a combination of server-side request forgery (SSRF), carriage return line feed (CRLF) injection, authentication bypass, and XSL template injection to execute remote code and set up a reverse shell on the targeted Oracle EBS server.

Google said that around August 2025 it observed an attacker exploiting a vulnerability in the /OA_HTML/SyncServlet component to remotely execute code and ultimately trigger an XSL payload via the template preview feature. Two different Java payload chains are embedded in the XSL payload.

The first, GOLDVEIN.JAVA, is a Java variant of the downloader known as GOLDVEIN, a PowerShell malware first detected in December 2024 in connection with exploitation campaigns against multiple Cleo software products; it retrieves a second-stage payload from a command-and-control (C2) server. The second is a Base64-encoded loader called SAGEGIFT, custom-designed for Oracle WebLogic Server, which is used to launch SAGELEAF. SAGELEAF is an in-memory dropper that installs SAGEWAVE, a malicious Java servlet filter that allows the deployment of encrypted ZIP archives containing an as-yet-unidentified next-stage malware. The main payload does, however, overlap with the cli module present in the FIN11 backdoor known as GOLDTOMB.

The attacker has also been observed running various reconnaissance commands as the EBS account ‘applmgr’, and executing commands via a bash process spawned by the Java process running GOLDVEIN.JAVA.
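The two behaviours just described, requests reaching the SyncServlet component carrying CRLF-injection characters and a shell spawned beneath the EBS Java process as applmgr, are the kind of signals a defender can triage from web-tier access logs and process telemetry. The following Python is an added example, not code from the article or from Google/Mandiant; the access-log layout, the process-event fields, and the sample IP addresses, PIDs and command lines are all constructed for the demo, and flagging every SyncServlet request for review is a triage choice rather than a claim that such requests are malicious.

```python
import re
from urllib.parse import unquote

# Added example, not from the article: a small triage helper for two indicators the
# report describes (requests to /OA_HTML/SyncServlet carrying CR/LF characters, and a
# shell launched beneath the EBS Java process as 'applmgr'). The log layout and the
# process-event schema are assumptions made for this demo.

SYNC_SERVLET = "/OA_HTML/SyncServlet"  # component named in the report

# Assumed Apache/OHS combined-log layout for the web tier (constructed for the demo).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify_request(line):
    """Return (severity, reason) for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = unquote(m.group("target"))          # decode %0d%0a and friends once
    path = target.split("?", 1)[0]
    reasons = []
    if path.lower() == SYNC_SERVLET.lower():
        reasons.append("request to SyncServlet")
    # A raw CR or LF surviving URL-decoding is the fingerprint of a CRLF/header injection attempt
    if "\r" in target or "\n" in target:
        reasons.append("CR/LF in request target")
    if not reasons:
        return ("info", "")
    return ("high" if len(reasons) == 2 else "review", "; ".join(reasons))


def scan_access_log(text):
    """Return [(severity, reason, line)] for every line that deserves an analyst's attention."""
    findings = []
    for line in text.splitlines():
        result = classify_request(line)
        if result and result[0] != "info":
            findings.append((result[0], result[1], line))
    return findings


def shells_under_java(events, app_user="applmgr", max_depth=10):
    """Flag sh/bash processes whose ancestry contains a java process owned by the EBS account.

    Each event is a dict with pid, ppid, user, comm and cmdline (assumed schema).
    Returns [(shell_pid, java_pid, shell_cmdline)].
    """
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if e["comm"] not in ("bash", "sh"):
            continue
        parent = by_pid.get(e["ppid"])
        for _ in range(max_depth):               # walk up the tree, bounded to avoid cycles
            if parent is None:
                break
            if parent["comm"] == "java" and parent["user"] == app_user:
                hits.append((e["pid"], parent["pid"], e["cmdline"]))
                break
            parent = by_pid.get(parent["ppid"])
    return hits


# Constructed sample data (not real telemetry or indicators from the report).
SAMPLE_ACCESS_LOG = (
    '203.0.113.5 - - [10/Oct/2025:09:12:01 +0000] "GET /OA_HTML/RF.jsp HTTP/1.1" 200 5120\n'
    '203.0.113.9 - - [10/Oct/2025:09:12:07 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 312\n'
    '203.0.113.9 - - [10/Oct/2025:09:12:09 +0000] '
    '"GET /OA_HTML/SyncServlet?x=%0d%0aX-Injected:%201 HTTP/1.1" 200 44\n'
)

SAMPLE_EVENTS = [
    {"pid": 4100, "ppid": 1,    "user": "applmgr", "comm": "java", "cmdline": "java -jar oacore"},
    {"pid": 4321, "ppid": 4100, "user": "applmgr", "comm": "bash", "cmdline": "bash -c id"},
    {"pid": 4999, "ppid": 1,    "user": "root",    "comm": "sshd", "cmdline": "sshd: applmgr"},
    {"pid": 5000, "ppid": 4999, "user": "applmgr", "comm": "bash", "cmdline": "-bash"},  # normal login shell
]

if __name__ == "__main__":
    for sev, reason, line in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"[{sev}] {reason}: {line}")
    for pid, java_pid, cmd in shells_under_java(SAMPLE_EVENTS):
        print(f"[high] shell pid {pid} ({cmd}) descends from java pid {java_pid}")
```

The interactive login shell under sshd is deliberately left unflagged: the signal is not "applmgr ran bash" but "bash descends from the application server's Java process", which is what the report describes and which a legitimate EBS deployment rarely produces.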

Interestingly, some of the artifacts observed in July 2025 during incident response efforts overlap with an exploit leaked on October 3, 2025 in a Telegram group named Scattered LAPSUS$ Hunters. However, Google said there was not enough evidence to suggest that this cybercrime group was involved in the campaign.

GTIG noted that the level of investment in this campaign suggests that the attackers responsible for the initial infiltration likely spent significant resources on pre-attack research.

The tech giant said it has not formally attributed this series of attacks to any threat group it tracks, but noted that the use of the Cl0p brand was significant and that the attacker is believed to be affiliated with Cl0p. Google also noted that the post-exploitation tooling overlaps with malware used in previous suspected FIN11 campaigns (GOLDVEIN and GOLDTOMB), and that one of the compromised accounts used to send the recent extortion emails had previously been used by FIN11.

“The pattern of exploiting zero-day vulnerabilities in widely used enterprise applications, followed weeks later by large-scale branded extortion campaigns, has historically been a hallmark of activity attributed to FIN11, and may have attractive strategic benefits for other threat actors as well,” the report said.

“Targeting public applications and appliances that store sensitive data can improve the efficiency of data theft operations by eliminating the need for threat actors to spend time and resources on lateral movement.”
