CL0P-Linked Hackers Breach Dozens of Organisations Through Oracle Software Flaw

Summary

Google’s Threat Intelligence Group (GTIG) and Mandiant report that dozens of organisations were likely impacted by a coordinated exploitation of a zero-day in Oracle E-Business Suite (EBS). The campaign, active since at least July and escalating in September, used multiple flaws (including CVE-2025-61882, CVSS 9.8) stitched together to achieve remote code execution, data exfiltration and branded extortion emails. Oracle has released patches; investigations show overlaps with tooling previously seen in suspected FIN11 activity and the Cl0p extortion brand was used in the campaign.

Key Points

  • GTIG and Mandiant assess that dozens of organisations were affected by chained EBS vulnerabilities, exploited from July–October 2025.
  • Primary tracked zero-day is CVE-2025-61882 (CVSS 9.8); Oracle has since issued patches.
  • Attack chain combined SSRF, CRLF injection, authentication bypass and XSL template injection to gain RCE and set up reverse shells.
  • High-volume phishing/extortion emails began 29 September 2025, sent from hundreds of compromised third-party accounts.
  • Observed payloads include GOLDVEIN.JAVA (downloader) and a SAGEGIFT -> SAGELEAF -> SAGEWAVE chain delivering an encrypted ZIP with a next-stage payload.
  • Some post-exploitation tooling overlaps with malware tied to suspected FIN11 campaigns, though GTIG stops short of formal attribution beyond noting a Cl0p association.
  • No victims had been posted to Cl0p’s leak site at the time of reporting; historically actors often wait weeks before listing victims.
  • Indicators include activity from the EBS ‘applmgr’ account and Java-launched bash processes; defenders should hunt these signs and related logs.

Context and Relevance

This incident is part of a growing trend: large-scale, automated zero-day campaigns targeting widely used enterprise applications to maximise data theft efficiency and extortion impact. Public-facing apps that store or aggregate sensitive data are high-value targets because attackers can avoid lengthy lateral movement and instead pull data directly. Organisations running legacy or externally exposed EBS installations, and their third-party supply chains, are particularly at risk. The mix of exploitation techniques and novel Java-based loaders shows the actors invested in pre-attack research and tool development.

Why should I read this?

Short version: if you run Oracle EBS, or manage security for organisations that do, you need to know what’s going on — now. We read the long report so you don’t have to. Patch CVE-2025-61882, hunt for signs of applmgr compromise, check for Java-launched shells and unusual outbound C2 traffic, and rotate any credentials exposed on third-party systems. If you’re in SOC/IR, this spells immediate containment and forensic priorities. If you’re not directly responsible for EBS, it’s still worth flagging to whoever is — this campaign shows how quickly a zero-day can turn into mass extortion.
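The hunting advice above (and the applmgr / Java-launched bash indicator in the Key Points) can be turned into a simple process-tree check. The following is an added example, not code from the report, Google, Mandiant or Oracle; it assumes a constructed process-event export of the shape an EDR or auditd collector might give, and it generalises the indicator slightly by flagging a shell that has any Java ancestor, not only a direct Java parent.

```python
# Added hunting example: flag shell processes that run as the EBS 'applmgr'
# account beneath a Java process. The event schema and the sample data are
# assumed/constructed, not taken from the report.
from dataclasses import dataclass

SHELLS = {"bash", "sh", "dash", "ksh"}

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    user: str
    exe: str      # executable basename, e.g. "java", "bash"
    cmdline: str

def java_ancestor(pid: int, by_pid: dict, max_depth: int = 16):
    """Return the nearest Java ancestor of pid, or None.
    Depth-limited so a malformed or cyclic ppid chain cannot loop forever."""
    cur = by_pid.get(pid)
    for _ in range(max_depth):
        if cur is None or cur.ppid == cur.pid or cur.ppid not in by_pid:
            return None
        cur = by_pid[cur.ppid]
        if cur.exe == "java":
            return cur
    return None

def hunt_java_spawned_shells(events, account="applmgr"):
    """Return (shell, java_ancestor) pairs: a shell running as `account`
    somewhere under a JVM, the pattern the report lists as an indicator."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if e.exe in SHELLS and e.user == account:
            anc = java_ancestor(e.pid, by_pid)
            if anc is not None:
                hits.append((e, anc))
    return hits

# Constructed sample: a benign SSH login shell for applmgr, one Java->bash
# chain under applmgr, and one Java->sh chain under a different account.
SAMPLE = [
    ProcEvent(1, 0, "root", "systemd", "/sbin/init"),
    ProcEvent(200, 1, "applmgr", "java", "java -jar oacore.jar"),  # assumed EBS JVM
    ProcEvent(201, 200, "applmgr", "bash", "bash -c ls"),
    ProcEvent(300, 1, "applmgr", "sshd", "sshd: applmgr"),
    ProcEvent(301, 300, "applmgr", "bash", "-bash"),
    ProcEvent(400, 1, "oracle", "java", "java -jar app.jar"),
    ProcEvent(401, 400, "oracle", "sh", "sh -c id"),
]

if __name__ == "__main__":
    for shell, jvm in hunt_java_spawned_shells(SAMPLE):
        print(f"ALERT pid={shell.pid} user={shell.user} {shell.cmdline!r} <- java pid={jvm.pid}")
```

Only the bash under the applmgr JVM is flagged; the SSH login shell is ignored because no Java process sits above it.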

Source

Source: https://thehackernews.com/2025/10/cl0p-linked-hackers-breach-dozens-of.html