Google Threat Intelligence and Mandiant analyzed the Oracle E-Business Suite extortion campaign, revealing the use of malware. Attackers exploited July-patched EBS flaws and likely a zero-day (CVE-2025-61882), sending extortion emails to company executives.
In early October, Google Mandiant and Google Threat Intelligence Group (GTIG) researchers tracked a suspected Cl0p ransomware group’s activity, where threat actors were attempting to extort executives with claims of stealing Oracle E-Business Suite data.
Attackers likely hacked user emails and exploited Oracle E-Business Suite’s default password reset to steal valid credentials, reported cybersecurity firm Halcyon.
An email in the extortion notes ties to a Cl0p affiliate and includes Cl0p site contacts, but Google lacks the proof to confirm the attackers’ claims.
Mandiant’s CTO Charles Carmakal said attackers use hundreds of hacked accounts in a mass extortion campaign. At least one account links to the financially motivated hacker group FIN11.
Oracle released an emergency patch to address a critical vulnerability, tracked as CVE-2025-61882 (CVSS 9.8) in its E-Business Suite. The flaw was exploited by the Cl0p ransomware group in data theft attacks. Unauthenticated remote attackers can exploit the flaw to take control of the Oracle Concurrent Processing component.
CVE-2025-61882 affects Oracle E-Business Suite 12.2.3–12.2.14 (BI Publisher Integration); experts warn it is easily exploitable via HTTP.
CrowdStrike researchers attributed with moderate confidence the exploitation of Oracle E-Business Suite flaw CVE-2025-61882 (CVSS 9.8) to the Cl0p group, also known as Graceful Spider.
This week, Oracle released an emergency patch to address this critical flaw in its E-Business Suite.
CrowdStrike warns that the disclosure of a POC on October 3 and Oracle’s CVE-2025-61882 patch will almost certainly spur threat actors, especially those familiar with Oracle EBS, to develop weaponized POCs and target Internet-exposed EBS instances.
On September 29, 2025 the Cl0p group emailed organizations claiming Oracle EBS data theft. On October 3, a Telegram channel tied to Scattered Spider, Slippy Spider (Lapsus$) and ShinyHunters posted a purported Oracle EBS exploit and criticized the Cl0p group. Its origin and reuse are unclear; however, Oracle published the POC as an IOC, and it aligns with the observed servlet-based exploitation.
CrowdStrike observed activity starting with an HTTP POST to /OA_HTML/SyncServlet to bypass authentication (sometimes abusing an admin EBS account). Attackers then target Oracle’s XML Publisher Template Manager, using /OA_HTML/RF.jsp and /OA_HTML/OA.jsp to upload a malicious XSLT template whose preview executes commands. The names of the templates stored in the xdo_templates_vl view match the references seen in the request URLs.
Successful execution opens an outbound TLS (port 443) connection to attacker infrastructure, used to load web shells for command execution and persistence.
In some cases, attackers use two files: FileUtils.java, which downloads the second file, and Log4jConfigQpgsubFilter.java, which acts as the backdoor. Together, they install a web shell that is triggered when someone visits a public help URL (/OA_HTML/help/...). The web shell runs code directly in memory, letting the attacker execute commands without writing files to disk.
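The request chain described above (SyncServlet POST, then a Template Manager POST, then a public help URL) is something a defender can hunt for in Oracle HTTP Server access logs. The following is an added example, not code from the article, CrowdStrike or Google: it correlates the three stages per client IP within a time window over a constructed log sample (IPs, timestamps and query strings are made up; only the paths come from the article).

```python
import re
from datetime import datetime

# Constructed Oracle HTTP Server access log (Apache combined format). Client IPs,
# timestamps and query strings are made up; only the paths come from the article.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Aug/2025:10:01:02 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [09/Aug/2025:10:01:09 +0000] "POST /OA_HTML/RF.jsp?function_id=0 HTTP/1.1" 200 2048 "-" "python-requests/2.31"
203.0.113.7 - - [09/Aug/2025:10:02:40 +0000] "GET /OA_HTML/help/state/content/x.htm HTTP/1.1" 200 64 "-" "curl/8.4"
198.51.100.5 - - [09/Aug/2025:10:03:00 +0000] "GET /OA_HTML/help/state/content/y.htm HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.5 - - [09/Aug/2025:10:03:10 +0000] "POST /OA_HTML/OA.jsp?page=x HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Ordered stages of the chain. RF.jsp, OA.jsp and /OA_HTML/help/ are hit by legitimate
# users all day, so only the ordered sequence from one client is reported, never one request.
STAGES = (
    ("sync_servlet_post", lambda m, p: m == "POST" and p == "/OA_HTML/SyncServlet"),
    ("template_manager_post", lambda m, p: m == "POST" and p in ("/OA_HTML/RF.jsp", "/OA_HTML/OA.jsp")),
    ("help_url_request", lambda m, p: p.startswith("/OA_HTML/help/")),
)

def parse_line(line):
    """Return (ip, timestamp, method, path-without-query, status) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, method, target.split("?", 1)[0], int(status)

def find_chains(log_text, window_seconds=3600):
    """Map client IP -> (first, last) timestamp for clients that hit every stage in order."""
    progress, hits = {}, {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, when, method, path, _status = rec
        idx, first = progress.get(ip, (0, None))
        if first is not None and (when - first).total_seconds() > window_seconds:
            idx, first = 0, None                    # sequence went stale, start over
        if STAGES[idx][1](method, path):
            first = first or when
            idx += 1
            if idx == len(STAGES):                  # full chain observed from this client
                hits[ip] = (first, when)
                idx, first = 0, None
        progress[ip] = (idx, first)
    return hits
```

Tune the window and the stage predicates to your own traffic; an IP that only reaches the first stage is still worth a look, since the SyncServlet POST has no legitimate reason to come from the Internet.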
CrowdStrike found that exploitation of CVE-2025-61882 began on August 9, with signs of earlier activity on July 10, just before Oracle’s July patches. GTIG and Mandiant suggest this may have been an initial exploit attempt. Google’s analysis shows attackers used a malicious template in vulnerable Oracle EBS databases, which stored a payload activated in the final stage of the attack chain.
GTIG found two Java payload chains embedded in XSL payloads used in the Oracle EBS campaign:
X-ORACLE-DMS-ECID header and use filtered HTTP paths (e.g. /help/state/.../iHelp/). Post-exploitation, threat actors executed reconnaissance from the applmgr EBS account (e.g., ifconfig, netstat, ps -aux, cat /etc/fstab, arp -a) and spawned interactive bash -i shells (e.g. a reverse shell to 200.107.207.26:53). Mandiant recommends hunting child processes of any bash -i launched by Java running as applmgr.
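The hunt Mandiant recommends (interactive bash -i shells spawned by a Java process running as applmgr, and what those shells then ran) can be expressed over a process listing. The following is an added example, not Mandiant's or Google's tooling: it parses constructed `ps -eo pid,ppid,user,args` output (PIDs and paths are made up) and reports each matching shell with its descendant command lines.

```python
import re
import os

# Constructed `ps -eo pid,ppid,user,args` output from an EBS application tier.
# PIDs, paths and command lines are made up for this example; the recon commands
# (ifconfig, cat /etc/fstab, ps -aux) are the ones the article lists.
SAMPLE_PS = """\
  PID  PPID USER     COMMAND
    1     0 root     /sbin/init
 2210     1 applmgr  /u01/app/jdk/bin/java -Doracle.apps.ebs -jar oacore.jar
 2290  2210 applmgr  bash -i
 2301  2290 applmgr  ifconfig
 2302  2290 applmgr  cat /etc/fstab
 3100     1 applmgr  bash -i
 3101  3100 applmgr  ps -aux
 4000     1 oracle   /u01/app/oracle/bin/tnslsnr LISTENER
"""
PS_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(.*?)\s*$")

def parse_ps(text):
    """Parse ps output into {pid: {"pid", "ppid", "user", "args"}}; the header line is skipped."""
    procs = {}
    for line in text.splitlines():
        m = PS_RE.match(line)
        if m:
            pid, ppid, user, args = m.groups()
            procs[int(pid)] = {"pid": int(pid), "ppid": int(ppid), "user": user, "args": args}
    return procs

def is_interactive_bash(args):
    argv = args.split()
    return len(argv) >= 2 and os.path.basename(argv[0]) == "bash" and argv[1] == "-i"

def descendants(procs, pid):
    """All processes below pid in the tree, ordered by PID."""
    found, stack = [], [pid]
    while stack:
        cur = stack.pop()
        for p in procs.values():
            if p["ppid"] == cur:
                found.append(p)
                stack.append(p["pid"])
    return sorted(found, key=lambda p: p["pid"])

def hunt_bash_from_java(procs, account="applmgr"):
    """Report `bash -i` processes whose parent is a Java process running as the EBS account."""
    findings = []
    for p in procs.values():
        parent = procs.get(p["ppid"])
        if not (is_interactive_bash(p["args"]) and parent and parent["user"] == account):
            continue
        if os.path.basename(parent["args"].split()[0]) == "java":
            findings.append({"bash_pid": p["pid"], "java_pid": parent["pid"],
                             "children": [c["args"] for c in descendants(procs, p["pid"])]})
    return findings
```

A bash -i whose parent is init (PID 3100 in the sample) is deliberately not reported, because the signal Mandiant describes is the Java parent, not the interactive shell alone.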
GTIG has not attributed the Oracle EBS attacks to any group, but overlaps suggest ties to FIN11 and the CL0P extortion brand. The campaign reused CL0P contact emails and showed technical links to GOLDVEIN.JAVA and GOLDTOMB malware used by FIN11/UNC5936 during Cleo MFT exploits in 2024. One compromised account had also been used by FIN11, though CL0P’s tools aren’t exclusive to that group.
“This overall approach—in which threat actors have leveraged zero-day vulnerabilities, limited their network footprint, and delayed extortion notifications—almost certainly increases the overall impact, given that threat actors may be able to exfiltrate data from numerous organizations without alerting defenders to their presence. CL0P-affiliated actors almost certainly perceive these mass exploitation campaigns as successful, given that they’ve employed this approach since at least late 2020,” concludes Google. “We therefore anticipate that they will continue to dedicate resources to acquiring zero-day exploits for similar applications for at least the near-term.”
(SecurityAffairs – hacking, Oracle E-Business Suite)