
tl;dr
Google and Mandiant uncover a massive ransomware attack linked to CL0P, exploiting a zero-day vulnerability in Oracle's EBS to steal sensitive data and demand ransoms.
**Google and Mandiant Uncover Large-Scale Oracle E-Business Suite Data Theft by CL0P-Linked Group**
In an alarming revelation, Google’s Threat Intelligence Group (GTIG) and cybersecurity firm Mandiant have exposed a sophisticated extortion campaign targeting Oracle’s E-Business Suite (EBS), allegedly orchestrated by actors tied to the notorious CL0P ransomware group. The attack, which began as early as July 2025, involved the exploitation of a zero-day vulnerability (CVE-2025-61882) and resulted in the theft of significant volumes of customer data, with perpetrators threatening to leak sensitive information unless ransoms were paid.
### **The Extortion Scheme and Zero-Day Exploitation**
The campaign, which escalated in late September 2025, involved mass email attacks sent to executives across multiple organizations. These emails, originating from compromised third-party accounts, claimed breaches of their Oracle EBS environments and demanded ransom payments to prevent the public release of stolen data. Notably, the emails used addresses like *support@pubstorm.com* and *support@pubstorm.net*, which have previously been linked to CL0P’s data leak platform.
Google and Mandiant traced the exploitation back to July 2025, linking it to the zero-day vulnerability in Oracle EBS. Attackers leveraged exploit chains targeting critical components such as *UiServlet* and *SyncServlet* to achieve remote code execution and deploy multi-stage Java implants. This allowed them to exfiltrate data and establish persistent access to victim systems.
### **Oracle’s Response and the Role of FIN11**
Oracle confirmed that the specific vulnerability had been patched in July 2025 but issued emergency updates on October 4 to address additional flaws. The company urged customers to apply the latest critical patches to mitigate risks.
The CL0P group, historically associated with the FIN11 cybercrime collective, has a history of exploiting zero-day vulnerabilities in systems like MOVEit, GoAnywhere, and Accellion FTA. Their modus operandi typically involves mass exploitation, data theft, and extortion. While GTIG has not definitively tied this campaign to a specific group, the attack patterns and tools used bear strong similarities to FIN11’s tactics.
### **Technical Breakdown of the Attack**
The attackers employed advanced techniques, including server-side request forgery (SSRF), authentication bypasses, and XSL template injections, to compromise Oracle EBS servers. By August 2025, they had begun using *SyncServlet* to execute malicious templates containing Base64-encoded XSL payloads, which loaded Java-based malware into memory.
Key implants identified include *GOLDVEIN.JAVA*, a downloader for secondary payloads, and *SAGE*, a multi-layered chain that installed persistent Java servlet filters for ongoing exploitation. Attackers also used the EBS account *applmgr* to gather system details and deploy additional malware, executing commands like *ip addr* and *netstat -an* to map networks.
Command-and-control (C2) servers, such as *200.107.207.26* and *104.194.11.200*, were linked to the *GOLDVEIN.JAVA* payload, while compromised accounts previously used in FIN11-related attacks were flagged as potential vectors.
### **Recommendations for Affected Organizations**
Google and Mandiant have advised organizations to:
- Monitor and block external traffic to EBS servers, particularly to endpoints like */OA_HTML/SyncServlet* and */OA_HTML/configurator/UiServlet*.
- Inspect database tables such as *XDO_TEMPLATES_B* and *XDO_LOBS* for suspicious entries (e.g., names starting with “TMP” or “DEF”).
- Analyze memory dumps for in-memory Java payloads and review logs for unusual activity.
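As an added example (not code from the Google/Mandiant report), a small Python check that applies the first two recommendations above to constructed data: it flags requests to the two named servlet paths that come from addresses outside assumed internal ranges, and filters template names from XDO_TEMPLATES_B / XDO_LOBS by the TMP/DEF prefixes. The log layout, the internal ranges and the sample log lines are assumptions.

```python
import ipaddress
import re
from typing import List, Tuple

# Endpoints the report names in the exploit chain, and template-name prefixes it flags.
WATCHED_PATHS = ("/OA_HTML/SyncServlet", "/OA_HTML/configurator/UiServlet")
SUSPICIOUS_TEMPLATE_PREFIXES = ("TMP", "DEF")
# Assumptions: internal ranges (adjust to the real network) and a common/combined OHS/Apache log layout.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

Hit = Tuple[str, str, str, int]  # (client ip, method, path, HTTP status)

def is_external(ip: str) -> bool:
    # Anything outside the internal ranges (or unparsable) is treated as external.
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return not any(addr in net for net in INTERNAL_NETS)

def find_external_servlet_hits(log_lines: List[str]) -> List[Hit]:
    # Requests to the watched servlets whose client address is external.
    hits: List[Hit] = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected layout
        path = m.group("path").split("?", 1)[0]  # compare without the query string
        watched = any(path == p or path.startswith(p + "/") for p in WATCHED_PATHS)
        if watched and is_external(m.group("ip")):
            hits.append((m.group("ip"), m.group("method"), path, int(m.group("status"))))
    return hits

def suspicious_templates(names: List[str]) -> List[str]:
    # Names from XDO_TEMPLATES_B / XDO_LOBS that start with TMP or DEF, for manual review.
    return [n for n in names if n.upper().startswith(SUSPICIOUS_TEMPLATE_PREFIXES)]

# Constructed sample lines (not from the report); 203.0.113.7 is a documentation address.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2025:08:15:02 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2025:08:15:09 +0000] "POST /OA_HTML/configurator/UiServlet?x=1 HTTP/1.1" 200 1024',
    '10.0.0.5 - - [10/Oct/2025:08:16:11 +0000] "GET /OA_HTML/SyncServlet HTTP/1.1" 200 200',
    '203.0.113.7 - - [10/Oct/2025:08:17:30 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for ip, method, path, status in find_external_servlet_hits(SAMPLE_LOG):
        print(f"ALERT: external {method} {path} from {ip} (HTTP {status})")
    print(suspicious_templates(["TMP_1A2B", "DEFAULT_TEMPLATE", "XXCUST_INVOICE"]))
```

Run against the real access logs of the EBS web tier and a dump of the template names, the same two functions give a first triage list; the internal request on the third sample line is deliberately not flagged.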
### **A Warning for the Future**
The report underscores the growing threat of zero-day exploits and the persistent efforts of groups like CL0P and FIN11 to exploit vulnerabilities for financial gain. Google warned that such actors will likely continue investing in zero-day research, emphasizing the importance of proactive security measures and timely patching.
As the cybersecurity landscape evolves, organizations must remain vigilant, adopting robust detection strategies and staying informed about emerging threats to safeguard their critical systems.