A recent report by Google Threat Intelligence Group (GTIG) and Mandiant reveals that numerous organizations have fallen victim to exploitation of a zero-day vulnerability in Oracle E-Business Suite (EBS), with activity observed since August 9, 2025.
Chief analyst John Hultquist expressed concern about the scale of the incident, indicating that it has affected multiple organizations. The campaign, reminiscent of earlier Cl0p data extortion operations, underscores the growing trend of large-scale zero-day exploitation by financially motivated criminals.
The attackers exploited the zero-day vulnerability, tracked as CVE-2025-61882, to infiltrate networks and steal sensitive data. Oracle has since released patches, but exploitation began well before they were available, and the attackers chained multiple vulnerabilities rather than relying on a single flaw. Patching therefore closes the entry point but does not evict implants already installed on a compromised server; organizations that exposed EBS during the window should hunt for the artifacts described below in addition to applying the fix.

The Cl0p ransomware group, also tracked as Graceful Spider, has a history of exploiting zero-day vulnerabilities in widely deployed software. Phishing campaigns run by FIN11 actors have frequently paved the way for Cl0p extortion operations. However, the evidence available so far suggests a separate entity is behind the current wave of attacks.
The attackers launched a high-volume email campaign targeting executives, threatening to leak data unless a ransom was paid. These extortion emails, sent from compromised accounts rather than attacker-registered infrastructure, demanded payment in exchange for not publishing the stolen information. Despite the threats, none of the victims had appeared on the Cl0p data leak site at the time of the report.

The attackers chained several techniques, including Server-Side Request Forgery (SSRF) and authentication bypass, to gain remote code execution on Oracle EBS application servers. The entry point was the EBS web tier: by abusing endpoints such as “/OA_HTML/SyncServlet,” they executed malicious payloads and established persistent control over the servers.
- The attackers used Java payloads, including the GOLDVEIN.JAVA downloader and the SAGEGIFT loader, to retrieve and run further stages of the attack, culminating in the installation of a malicious Java servlet filter tracked as SAGEWAVE. A servlet filter sits in front of the application's request handling, so an implant registered this way survives restarts and can inspect or intercept every request.
- Reconnaissance commands were executed under the “applmgr” account, the operating-system account that owns the EBS application tier, indicating a deliberate survey of the environment ahead of data theft.
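Two hunting checks follow from the techniques above: look in web-tier access logs for requests to the abused endpoint, and look in the deployed servlet configuration for filters that do not belong. The script below is an added example written for this page, not code from GTIG, Mandiant or Oracle. The access-log lines and the web.xml fragment are constructed samples; the internal address ranges, the expected package prefix for legitimate filters, and the `com.sync.AuthFilter` class name standing in for an implant are assumptions to adjust for your own environment.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample of Apache/OHS-style access log lines for an EBS web tier
# (not real data). The SyncServlet POSTs model the pattern to hunt for.
SAMPLE_ACCESS_LOG = """\
10.1.2.3 - - [12/Aug/2025:03:14:07 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 512
10.1.2.3 - - [12/Aug/2025:03:14:09 +0000] "GET /OA_HTML/RF.jsp?function_id=1 HTTP/1.1" 200 2048
198.51.100.7 - - [12/Aug/2025:03:20:41 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 734
198.51.100.7 - - [12/Aug/2025:03:20:44 +0000] "GET /OA_HTML/help/index.htm HTTP/1.1" 404 0
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Endpoint named in the report; extend with others from your own IR findings.
WATCHED_PATHS = {"/OA_HTML/SyncServlet"}

# Assumed internal ranges (adjust to your address plan). Traffic to the
# endpoint from outside these is the strongest signal; internal hits still
# merit a look because the attackers pivoted from compromised hosts too.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    """True if the address parses and falls inside an assumed internal range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # hostnames or garbage are treated as not internal
        return False
    return any(addr in net for net in INTERNAL_NETS)


def find_watched_requests(log_text: str) -> list[dict]:
    """Return every request to a watched EBS endpoint, tagged with whether the
    client address lies outside the assumed internal ranges."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        path = m["target"].split("?", 1)[0]      # drop the query string
        if path in WATCHED_PATHS:
            hits.append({
                "ip": m["ip"], "ts": m["ts"], "method": m["method"],
                "path": path, "status": int(m["status"]),
                "external": not is_internal(m["ip"]),
            })
    return hits


# Constructed web.xml fragment: one filter under Oracle's package namespace and
# one planted filter whose made-up class name stands in for an implant.
SAMPLE_WEB_XML = """<?xml version="1.0"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <filter>
    <filter-name>OAFilter</filter-name>
    <filter-class>oracle.apps.fnd.framework.webui.OAFilter</filter-class>
  </filter>
  <filter>
    <filter-name>SyncFilter</filter-name>
    <filter-class>com.sync.AuthFilter</filter-class>
  </filter>
</web-app>
"""

# Package prefixes expected for filters shipped with EBS (assumption; baseline
# this from a known-clean install rather than trusting the list here).
EXPECTED_FILTER_PREFIXES = ("oracle.",)


def _local(tag: str) -> str:
    """Strip the XML namespace so the check works whatever xmlns web.xml uses."""
    return tag.rsplit("}", 1)[-1]


def find_unexpected_filters(web_xml_text: str) -> list[tuple[str, str]]:
    """List (filter-name, filter-class) pairs whose class is outside the
    expected package prefixes, i.e. candidates for a planted servlet filter."""
    root = ET.fromstring(web_xml_text)
    findings = []
    for el in root.iter():
        if _local(el.tag) != "filter":
            continue
        name = cls = ""
        for child in el:
            if _local(child.tag) == "filter-name":
                name = (child.text or "").strip()
            elif _local(child.tag) == "filter-class":
                cls = (child.text or "").strip()
        if cls and not cls.startswith(EXPECTED_FILTER_PREFIXES):
            findings.append((name, cls))
    return findings


if __name__ == "__main__":
    for h in find_watched_requests(SAMPLE_ACCESS_LOG):
        tag = "EXTERNAL" if h["external"] else "internal"
        print(f"{tag} {h['ip']} {h['method']} {h['path']} {h['status']} at {h['ts']}")
    for name, cls in find_unexpected_filters(SAMPLE_WEB_XML):
        print(f"unexpected servlet filter: {name} -> {cls}")
```

Run it against the real access logs of every internet-facing EBS web node and against the web.xml actually deployed under the application tier, not the copy in source control; a filter added by an attacker only shows up in the live deployment. A filter class that is unfamiliar but not under a known implant name still warrants pulling the class file from disk and examining it, since the class names seen in one intrusion will not be the ones seen in the next.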
Notably, artifacts recovered during incident response overlapped with exploit code that had been shared in a Telegram group, raising the possibility that a broader cybercrime network is involved. Concrete evidence tying the two together is still lacking, however.

The sophistication of the operation points to a well-resourced and organized threat actor. While the campaign has not been formally attributed to a specific group, connections to the Cl0p extortion brand and to previous FIN11 activity are evident.
The combination of zero-day exploitation in widely deployed enterprise applications and mass extortion campaigns matches tactics historically associated with FIN11. The approach is attractive to actors focused on data theft: an application like EBS holds the sensitive business data directly, so a single exploited server yields a large haul without the noisy lateral movement that a conventional ransomware intrusion requires.