Google, Mandiant expose malware & zero-day behind Oracle EBS extortion

Google Threat Intelligence and Mandiant analyzed the Oracle E-Business Suite extortion campaign, revealing the use of malware. Attackers exploited July-patched EBS flaws and likely a zero-day (CVE-2025-61882), sending extortion emails to company executives.

In early October, Google Mandiant and Google Threat Intelligence Group (GTIG) researchers tracked a suspected Cl0p ransomware group’s activity, where threat actors were attempting to extort executives with claims of stealing Oracle E-Business Suite data.

Attackers likely hacked user emails and exploited Oracle E-Business Suite’s default password reset to steal valid credentials, reported cybersecurity firm Halcyon.

An email in the extortion notes ties to a Cl0p affiliate and includes Cl0p site contacts, but Google lacks the proof to confirm the attackers’ claims.

Mandiant’s CTO Charles Carmakal said attackers use hundreds of hacked accounts in a mass extortion campaign. At least one account links to the financially motivated hacker group FIN11.

Oracle released an emergency patch to address a critical vulnerability, tracked as CVE-2025-61882 (CVSS 9.8) in its E-Business Suite. The flaw was exploited by the Cl0p ransomware group in data theft attacks. Unauthenticated remote attackers can exploit the flaw to take control of the Oracle Concurrent Processing component.

CVE-2025-61882 affects Oracle E-Business Suite 12.2.3–12.2.14 (BI Publisher Integration); experts warn it is easily exploitable via HTTP.

CrowdStrike researchers attributed with moderate confidence the exploitation of Oracle E-Business Suite flaw CVE-2025-61882 (CVSS 9.8) to the Cl0p group, also known as Graceful Spider.

This week, Oracle released an emergency patch to address this critical flaw in its E-Business Suite.

CrowdStrike warns that the disclosure of a POC on October 3 and Oracle’s CVE-2025-61882 patch will almost certainly spur threat actors, especially those familiar with Oracle EBS, to develop weaponized POCs and target Internet-exposed EBS instances.

On September 29, 2025, the Cl0p group emailed organizations claiming Oracle EBS data theft. On October 3, a Telegram channel tied to Scattered Spider, Slippy Spider (Lapsus$) and ShinyHunters posted a purported Oracle EBS exploit and criticized the Cl0p group. Origin and reuse are unclear; however, Oracle published the POC as an IOC, and it aligns with observed servlet-based exploitation.

CrowdStrike observed activity starting with an HTTP POST to /OA_HTML/SyncServlet to bypass authentication (sometimes abusing an admin EBS account). Attackers then target Oracle’s XML Publisher Template Manager, using /OA_HTML/RF.jsp and /OA_HTML/OA.jsp to upload a malicious XSLT template whose preview executes commands. Template names in xdo_templates_vl match URL references.
Successful execution opens an outbound TLS (port 443) connection to attacker infrastructure, used to load web shells for command execution and persistence.

In some cases, attackers use two files: FileUtils.java, which downloads the second file, and Log4jConfigQpgsubFilter.java, which acts as the backdoor. Together, they install a web shell that is triggered when someone visits a public help URL (/OA_HTML/help/...). The web shell runs code directly in memory, letting the attacker execute commands without writing files to disk.
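The request sequence described above (SyncServlet POST, RF.jsp/OA.jsp template handling, then a hit on a public /OA_HTML/help/ URL) is something a defender can hunt for in Oracle HTTP Server access logs. The following is an added example written for this page; it is not CrowdStrike's, Google's or Oracle's tooling. It assumes combined-log-format lines, the URL paths named in the report, and a made-up `template=` query parameter that exists only to show how template names referenced in URLs can be cross-checked against rows from xdo_templates_vl. The log lines and the template list are constructed sample data.

```python
"""Hunt Oracle EBS access logs for the reported SyncServlet -> template -> help-URL chain."""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [09/Aug/2025:03:12:01 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [09/Aug/2025:03:12:09 +0000] "POST /OA_HTML/RF.jsp?function_id=1&template=DEMO_TMPL HTTP/1.1" 200 1024 "-" "python-requests/2.31"
198.51.100.7 - - [09/Aug/2025:03:12:15 +0000] "GET /OA_HTML/OA.jsp?page=/oracle/apps/xdo/oa/template/webui/TemplatePreviewPG HTTP/1.1" 200 2048 "-" "python-requests/2.31"
198.51.100.7 - - [09/Aug/2025:03:13:40 +0000] "GET /OA_HTML/help/state/content/destination.help HTTP/1.1" 200 128 "-" "curl/8.4"
203.0.113.5 - - [09/Aug/2025:08:00:00 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Aug/2025:08:00:30 +0000] "GET /OA_HTML/help/index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Constructed stand-in for the TEMPLATE_CODE column of xdo_templates_vl.
XDO_TEMPLATES_VL_SAMPLE = ["DEMO_TMPL", "INVOICE_STD"]

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Stage markers taken from the attack chain in the report.
STAGES = (
    ("sync_post", "POST", "/OA_HTML/SyncServlet"),  # authentication bypass
    ("template", None, "/OA_HTML/RF.jsp"),          # XML Publisher template upload/preview
    ("template", None, "/OA_HTML/OA.jsp"),
    ("help", "GET", "/OA_HTML/help/"),              # in-memory web shell trigger
)


def parse_line(line):
    """Return the fields we need from one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, url, status = m.groups()
    return {"ip": ip, "ts": ts, "method": method, "url": url, "status": int(status)}


def classify(entry):
    """Map a request to one of the reported stages, or None for unrelated traffic."""
    path = urlsplit(entry["url"]).path
    for stage, method, prefix in STAGES:
        if path.startswith(prefix) and (method is None or entry["method"] == method):
            return stage
    return None


def scan_access_log(text):
    """Group stage hits per source IP and flag IPs that show the bypass plus template stage."""
    findings = {}
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        stage = classify(entry)
        if stage is None:
            continue
        rec = findings.setdefault(entry["ip"], {"stages": [], "urls": [], "suspicious": False})
        rec["stages"].append(stage)
        rec["urls"].append(entry["url"])
    for rec in findings.values():
        # Help-page hits alone are ordinary traffic (the help URL is public);
        # the chain is only interesting once the bypass and template stages are both present.
        rec["suspicious"] = "sync_post" in rec["stages"] and "template" in rec["stages"]
    return findings


def templates_to_review(urls, xdo_template_names):
    """Template names referenced in suspicious URLs that also exist in xdo_templates_vl.

    The 'template=' query parameter is an assumption for this example, not a documented EBS parameter.
    """
    referenced = set()
    for u in urls:
        for v in parse_qs(urlsplit(u).query).get("template", []):
            referenced.add(v.upper())
    return referenced & {t.upper() for t in xdo_template_names}


if __name__ == "__main__":
    for ip, rec in scan_access_log(SAMPLE_LOG).items():
        flag = "SUSPICIOUS" if rec["suspicious"] else "ok"
        print(f"{ip}: {flag} stages={rec['stages']}")
        if rec["suspicious"]:
            print("  templates to inspect:", templates_to_review(rec["urls"], XDO_TEMPLATES_VL_SAMPLE))
```

On real data the template list would come from a query against xdo_templates_vl rather than a literal, and the per-IP grouping should be widened to a time window, since the report notes the bypass sometimes rides on an existing admin account rather than a single scanning host.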

CrowdStrike found that exploitation of CVE-2025-61882 began on August 9, with signs of earlier activity on July 10, just before Oracle’s July patches. GTIG and Mandiant suggest this may have been an initial exploit attempt. Google’s analysis shows attackers used a malicious template in vulnerable Oracle EBS databases, which stored a payload activated in the final stage of the attack chain.

GTIG found two Java payload chains embedded in XSL payloads used in the Oracle EBS campaign.

(Courtesy: Security affairs)
