SecurityBrief US - Technology news for CISOs & cybersecurity decision-makers

CL0P hackers exploited Oracle EBS zero-day for data extortion

Fri, 10th Oct 2025

Google Threat Intelligence Group and Mandiant have reported that actors affiliated with the CL0P extortion brand exploited a zero-day vulnerability in Oracle E-Business Suite to conduct an extensive data theft and extortion campaign.

The research indicates that the initial compromise likely started as early as July 10, 2025, almost three months before the campaign was widely detected. The attackers chained together multiple vulnerabilities, potentially up to five distinct flaws including a zero-day believed to be CVE-2025-61882, to achieve unauthenticated remote code execution against Oracle E-Business Suite (EBS) customers.

Campaign details

According to the research, from September 29, 2025, a threat actor linked to CL0P began sending a large volume of emails to executives at numerous organisations. These emails claimed that the actor had breached the recipient's Oracle EBS environment and allegedly exfiltrated sensitive documents. The initial access involved the exploitation of previously unknown vulnerabilities that were later addressed in patches released in July and October 2025.

Google Threat Intelligence Group (GTIG) noted that, "the threat actor(s) successfully chained together multiple distinct vulnerabilities (including a zero-day likely identified as CVE-2025-61882) to gain unauthenticated Remote Code Execution (RCE) and steal mass amounts of customer data."

Further analysis revealed that the actor relied on sophisticated, multi-stage, fileless malware, including GOLDVEIN.JAVA, SAGEGIFT, SAGELEAF, and SAGEWAVE, to circumvent traditional file-based detection methods. This use of fileless, pre-attack tooling demonstrates a considerable level of planning and resource commitment.

"We're still assessing the scope of this incident, but we believe it affected dozens of organizations. Some historic CL0P data extortion campaigns have had hundreds of victims. Unfortunately, large-scale zero-day campaigns like this are becoming a regular feature of cybercrime."

This reflection from John Hultquist, Chief Analyst for Google Threat Intelligence Group - Google Cloud, underscores the increasing prevalence of large-scale exploitation operations targeting widely deployed platforms.

Attack methods

Mandiant and GTIG's investigation found that the threat actor's attack chain typically began with a POST request to the /OA_HTML/SyncServlet endpoint, leveraging the XDO Template Manager to create malicious templates within the Oracle EBS database. These templates contained payloads encoded in Extensible Stylesheet Language (XSL), which would then be executed via subsequent requests to the system's template preview functionality, granting attackers control over the targeted servers.

The fileless malware deployed in these attacks included several purpose-built Java payloads. GOLDVEIN.JAVA was identified as a downloader that beacons to attacker infrastructure to retrieve additional code. The SAGEGIFT loader placed subsequent SAGELEAF and SAGEWAVE implants in memory, with SAGEWAVE enabling persistent access and the deployment of further modules.

The campaign was characterised by the use of compromised email accounts to send extortion demands. Email addresses associated with CL0P's data leak site were cited in the fraudulently sent messages. In an apparent attempt to substantiate their claims, the threat actors attached legitimate document listings from victim Oracle EBS systems, with some evidence of data being exfiltrated from July onwards. Payment methods and demands were not detailed in the initial emails, conforming to tactics seen in past extortion operations where negotiations commence only after a victim initiates contact.

Previous campaigns and attribution

CL0P's data leak site, active since 2020, has been used for previous extortion operations involving ransomware, but in recent years, the bulk of activity has shifted to data theft campaigns exploiting zero-day vulnerabilities in managed file transfer systems. Google and Mandiant's analysis found that while many of these incidents have been linked to the group known as FIN11, there is also evidence that multiple clusters with varying tactics and partnerships may be involved, complicating attribution.

GTIG's report emphasises that attribution is still ongoing, noting significant overlaps in attacker infrastructure, tools, and strategies with prior FIN11 campaigns that employed similar Java-based loaders and backdoors during recent exploitation campaigns.

Implications and recommendations

The exploitation model observed in the current Oracle EBS campaign mirrors previous large-scale operations, where threat actors leverage unpatched, public-facing applications to efficiently exfiltrate data from a large number of organisations, often delaying extortion attempts to maximise their advantage before detection. This approach, according to GTIG and Mandiant, is likely to remain attractive to attackers in the near term.

GTIG and Mandiant recommend that organisations apply the Oracle emergency patches released on October 4, 2025, as a priority. They further advise administrators to review the XDO_TEMPLATES_B and XDO_LOBS database tables for malicious templates, restrict non-essential outbound internet connectivity from EBS servers, and monitor for anomalous requests and indicators of compromise in network logs. Specific attention should be paid to templates with codes beginning with "TMP" or "DEF", suspicious traffic to targeted endpoints, and Java process memory, where the fileless implants are most likely to be discovered.
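The two review steps above (POSTs to the /OA_HTML/SyncServlet endpoint in web logs, and templates with "TMP"/"DEF" codes in XDO_TEMPLATES_B touched since the July 10, 2025 earliest-activity date) as a small triage script. This is an added example, not code from the GTIG/Mandiant report; the log lines and template rows are constructed, and the XDO_TEMPLATES_B column names TEMPLATE_CODE and LAST_UPDATE_DATE are assumed.

```python
import re
from datetime import date

# Constructed sample access log lines (Apache-style); not taken from the report.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Oct/2025:08:14:02 +0000] "GET /OA_HTML/RF.jsp HTTP/1.1" 200 512
203.0.113.7 - - [12/Oct/2025:08:14:09 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 88
10.0.0.9 - - [12/Oct/2025:08:15:00 +0000] "GET /OA_HTML/SyncServlet?x=1 HTTP/1.1" 404 0
garbage line that does not parse
"""

# Constructed rows as they might come back from
# SELECT TEMPLATE_CODE, LAST_UPDATE_DATE FROM XDO_TEMPLATES_B
# (column names are an assumption, not quoted from the report).
SAMPLE_TEMPLATE_ROWS = [
    ("XXCUST_INVOICE", date(2024, 3, 2)),
    ("TMP_A1B2", date(2025, 9, 30)),
    ("DEFQ9Z", date(2025, 8, 12)),
    ("DEF_OLD", date(2023, 1, 15)),
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
WATCHED_ENDPOINTS = {"/OA_HTML/SyncServlet"}  # endpoint named in the report
EARLIEST_ACTIVITY = date(2025, 7, 10)          # earliest compromise date in the report
SUSPECT_PREFIXES = ("TMP", "DEF")              # template-code prefixes flagged by GTIG/Mandiant

def flag_requests(log_text):
    """Return (ip, path) for POSTs to watched endpoints; unparsable lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and m["path"].split("?", 1)[0] in WATCHED_ENDPOINTS:
            hits.append((m["ip"], m["path"]))
    return hits

def templates_to_review(rows, since=EARLIEST_ACTIVITY):
    """Return template codes with a suspect prefix last updated on or after `since`."""
    return [code for code, updated in rows
            if code.upper().startswith(SUSPECT_PREFIXES) and updated >= since]

if __name__ == "__main__":
    for ip, path in flag_requests(SAMPLE_LOG):
        print(f"review POST from {ip} to {path}")
    for code in templates_to_review(SAMPLE_TEMPLATE_ROWS):
        print(f"review template {code} in XDO_TEMPLATES_B / XDO_LOBS")
```

A prefix match is a triage filter, not a verdict: each flagged template still needs its XDO_LOBS content inspected for embedded XSL before it is treated as malicious.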

The indicators of compromise outlined in Google and Mandiant's report include IP addresses used in exploitation, endpoint paths targeted during the campaign, and the email addresses referenced in extortion communication. Forensic and detection rules suitable for identifying the Java-based malware are also provided for defenders.
