American Airlines' largest regional carrier breached in Cl0p Oracle attack spree


American Airlines has confirmed to Cybernews that one of its regional carriers has fallen victim to Cl0p ransomware – all part of the gang’s most recent extortion campaign exploiting a zero-day vulnerability in Oracle’s E-Business Suite (EBS) platform.

Cl0p, which is believed to have compromised hundreds of companies using the now patched Oracle EBS vulnerability, posted American Airlines on its dark leak site late Thursday.

When Cybernews reached out to American Airlines for a comment, an AA spokesperson told our news team, “This pertains to Envoy Air, which is a subsidiary of American Airlines Group.”


Envoy Air is one of American Airlines' largest regional carriers, with hubs in nearly a dozen major US cities, including Boston, Chicago, Los Angeles, Miami, Phoenix, New York City, and its home base in Dallas-Fort Worth.

American Airlines owned regional carrier
Image by JHVE Photo | Shutterstock

To note, Cl0p did not specifically name the regional carrier as the apparent victim, listing only American Airlines’ website as its victim.

“AA.COM - PUBLISHED VIA TORRENT, MAGNET LINK – CLICK HERE,” the group wrote.

Posted at the very top of its leak blog, the group warns, “All companies that have received information from us about the situation, please contact us!!! This will prevent publication.”

A link to the airline’s alleged cache of published data was listed alongside two other victims: the prestigious Harvard University (reported earlier this week) and the University of the Witwatersrand, Johannesburg, ranked as one of the top three universities in South Africa.

Cl0p Oracle exploit - American Airlines leak post
Cl0p leak blog. Image by Cybernews.

Envoy customer data appears unaffected


Formed in 1988, Envoy provides regional flight service to American Airlines under the American Eagle brand, as well as livery and ground-handling services for many American flights, according to its website.

With more than 20,000 employees, the Texas-based airline operates about 160 aircraft on 875 daily flights to over 160 destinations, it said.

American Airlines subsidiary Envoy Air
Image by Austin Deppe | Shutterstock

According to the regional carrier, one of Envoy’s IT systems was impacted by the Cl0p exploit campaign, although that system was not named.

“We are aware of the incident involving Envoy’s Oracle E-Business Suite application,” the commuter airline said in a statement sent to Cybernews.

“The impacted system is specific to Envoy and contained Envoy business information. The incident had no impact to our flight or airport ground handling operations,” the Envoy spokesperson relayed.

More importantly, the aviation company confirms that after “conducting a thorough review of the data at issue, no sensitive or customer data was affected.”

The company does admit that “a limited amount of business information and commercial contact details may have been compromised.” It's unclear whether that data includes information on any of the carrier's thousands of employees.

Envoy said once it became aware of the breach, it “immediately” began an investigation, and contacted law enforcement.

Cl0p compromises hundreds of victims

Google threat researchers have revealed that the Cl0p ransom gang, which is said to have compromised hundreds of companies in the zero-day spree targeting Oracle E-Business Suite (EBS), likely began its exploit campaign back in July.

Cl0p Oracle exploit - American Airlines leak post 2
Cl0p leak blog. Image by Cybernews.

Oracle's E-Business Suite of applications allows clients to manage customers, suppliers, manufacturing, logistics, and other business processes.

The Google researchers say Cl0p was able to successfully chain together multiple distinct vulnerabilities – including the zero-day (CVE-2025-61882) – to gain unauthenticated Remote Code Execution (RCE) on customers’ Oracle E-Business Suite deployments, allowing the gang to steal troves of customer data.

Oracle, urging customers to patch all software versions immediately, released an emergency critical fix for the zero-day on October 4th.

Ironically, the release happened to coincide with a Cl0p email blast sent out to victim companies, informing them they had been breached and laying out their demands.

The high-volume email extortion campaign was said to have been launched from “hundreds if not thousands of compromised third-party accounts belonging to diverse, unrelated organizations, likely sourced from infostealer malware logs sold on underground forums.”


The Cl0p gang is known for going big and playing the long game when it comes to extortion.

Operating since at least 2020, the group’s past campaigns – exploiting the file transfer programs MOVEit, Fortra GoAnywhere, and, most recently, Cleo – have compromised hundreds of major organizations over the years, often taunting its victims and raking in hundreds of millions of dollars.
