Cl0p found exploiting Oracle EBS zero-day months before critical patch release


Google threat researchers have revealed that the Cl0p ransom gang, which is said to have compromised hundreds of companies in a zero-day spree targeting Oracle E-Business Suite (EBS), likely began its exploit campaign back in July.

On Thursday, the Google Threat Intelligence Group (GTIG) and intelligence arm Mandiant published new detailed research about the targeted attacks on Oracle EBS, labeling them a “widespread extortion campaign.”

Oracle first reported the issue on October 2nd; researchers say they began tracking the massive hacking operation on September 29th.

Google says Cl0p was able to successfully chain together multiple distinct vulnerabilities – including the zero-day (CVE-2025-61882) – and gain unauthenticated Remote Code Execution (RCE) on the cloud company’s Oracle E-Business Suite, allowing the gang to steal troves of customer data.


In a crucial new detail, Google also noted that the campaign “utilizes sophisticated, multi-stage, fileless malware (GOLDVEIN.JAVA, SAGEGIFT, SAGELEAF, and SAGEWAVE) to evade file-based detection.”

[Image: Cl0p leak site. Image by Cybernews.]

What’s more, researchers say they traced the initial exploitation activity back to August 9th, and even “as early as July 10, 2025, nearly 3 months prior to any public detections.”

John Hultquist, chief analyst at Google Threat Intelligence Group, Google Cloud, says that while GTIG researchers are still “assessing the scope of this incident, we believe it affected dozens of organizations.”

“Some historic CL0P data extortion campaigns have had hundreds of victims,” Hultquist said, adding that “unfortunately, large-scale zero-day campaigns like this are becoming a regular feature of cybercrime.”

The in-depth analysis gives specifics about the campaign, deconstructs the multi-stage Java implant framework used to compromise Oracle EBS, and examines the earlier exploitation activity, Google said. It also provides security teams with actionable guidance and indicators of compromise (IOCs) to help defend their environments.


Another interesting find Google noted was that the artifacts recovered by Mandiant investigators “had some overlap with an exploit leaked” in a Telegram channel run by the Scattered LAPSUS$ Hunters ransomware group on October 3rd, just one day after Oracle went public.

Cl0p threatens its victims – pay or be published


Oracle, urging customers to patch all software versions immediately, released an emergency critical fix for the zero-day on October 4th, ironically coinciding with a Cl0p email blast sent out to victim companies, informing them they had been breached and laying out their demands.


Furthermore, Oracle's first emergency patch, released just days after the initial announcement, failed to fully fix the problem, prompting a second critical patch on October 11th and leaving clients vulnerable for days.

The high-volume email extortion campaign was said to have been launched from “hundreds if not thousands of compromised third-party accounts belonging to diverse, unrelated organizations, likely sourced from infostealer malware logs sold on underground forums.”

Google, which provides a copy of the ransom email, said that the threat actors offer proof of the hack on their dark web leak site, presenting “legitimate file listings from victim EBS environments to multiple organizations with data dating back to mid-August 2025.”

[Image: Cl0p ransom demand. Image by Google Threat Intelligence Group/Mandiant.]

“Dearest Executive,” the email reads. “We have recently breached your Oracle E-Business Suite application and copied a lot of documents.”

“All the private files and other information are now held on our systems. But don't worry. You can always save your data for payment,” Cl0p goes on, urging the victim to “protect your business reputation” and pay the “claimed sum.”

The group then threatens to sell some of the victim’s alleged data grab on the dark web, with the rest to be published on its leak blog and on torrent trackers.


Oracle's E-Business Suite of applications allows clients to manage customers, suppliers, manufacturing, logistics, and other business processes.

“This level of investment suggests the threat actor(s) responsible for the initial intrusion likely dedicated significant resources to pre-attack research,” Google said in a statement sent to Cybernews.

The Cl0p gang is known for going big and playing the long game when it comes to extortion.

Operating since at least 2020, the group’s past campaigns – exploiting the file transfer programs MOVEit, Fortra GoAnywhere, and, most recently, Cleo – have compromised hundreds of major organizations over the years, often taunting its victims and raking in hundreds of millions of dollars.