Google Cloud Blog
Follow
Oracle E-Business Suite Zero-Day Exploited in Widespread Extortion Campaign
Google Threat Intelligence Group and Mandiant are tracking a large extortion campaign by an actor claiming affiliation with the CL0P brand. This campaign, which began on September 29, 2025, involves sending high volumes of emails to executives alleging data theft from their Oracle E-Business Suite (EBS) environments. Oracle has issued emergency patches and advised customers to apply critical updates, as the threat actors may have exploited vulnerabilities patched in July 2025. Analysis suggests the campaign followed months of intrusion, with exploitation potentially dating back to August 9, 2025, using a zero-day vulnerability. The attackers exfiltrated significant data from some organizations. The CL0P data leak site, established in 2020, has been used for extortion operations, including those involving ransomware and mass exploitation of zero-day vulnerabilities in managed file transfer systems. This latest campaign against Oracle EBS continues their successful operational model of mass exploitation followed by extortion. The threat actor used compromised third-party accounts for their email campaign, sourcing credentials from underground forums. Extortion emails included specific contact addresses linked to the CL0P data leak site and provided legitimate file listings as proof of data exfiltration. While demands have not been specified, they are typical for modern extortion, with details provided after victim contact. No victims from this campaign have yet appeared on the CL0P data leak site, consistent with past practices of waiting several weeks. Exploitation activity targeting Oracle EBS servers was identified prior to the extortion campaign, with potential zero-day exploitation occurring as early as July 2025. The technical analysis details a multi-stage Java implant framework and earlier exploitation activity, providing guidance and indicators of compromise for defenders.