Google Says Oracle EBS Extortion Campaign Possibly Targeted Thousands, Could Date Back To July
“In some cases, the threat actor successfully exfiltrated a significant amount of data from impacted organizations,” according to a report by the Google Threat Intelligence Group and Google subsidiary Mandiant.
The Google Threat Intelligence Group and Google subsidiary Mandiant found that an extortion campaign targeting Oracle E-Business Suite environments has possibly gone on since July 10, targeting “hundreds, if not thousands, of compromised third-party accounts.”
The threat actor used a multi-stage Java implant framework to compromise EBS, according to a report issued by the Google Threat Intelligence Group and Google subsidiary Mandiant on Thursday. “In some cases, the threat actor successfully exfiltrated a significant amount of data from impacted organizations.”
Austin, Texas-based database and cloud products vendor Oracle disclosed earlier this month that the EBS data extortion campaign is connected to vulnerabilities addressed by the company in July. Oracle recommended customers apply emergency patches.
“Oracle EBS servers updated through the patch released on Oct. 4 are likely no longer vulnerable to known exploitation chains,” Google said in its report, although it noted that it has seen multiple different exploit chains involving Oracle EBS, while the Oracle patch from Oct. 4 specifically referenced a leaked exploit chain targeting the UiServlet component.
Oracle EBS Exploit
CRN has reached out to Oracle for comment.
Google Threat Intelligence Group Chief Analyst John Hultquist said that his organization is “still assessing the scope of this incident, but we believe it affected dozens of organizations,” in an email to CRN.
“Some historic CL0P data extortion campaigns have had hundreds of victims,” he said. “Unfortunately, large-scale zero-day campaigns like this are becoming a regular feature of cybercrime.”
In the Google report, the vendor recommends Oracle EBS users apply emergency patches immediately, hunt for malicious templates in the database, restrict outbound internet access, monitor and analyze network logs, and leverage memory forensics. The vendor also shared a list of indicators of compromise (IoCs).
Google Tracking Since September
Google started tracking the large-scale extortion campaign by a threat actor that claimed affiliation with an extortion group using Cl0p, also spelled Clop and also known as CL0P^_- LEAKS, on Sept. 29. Cl0p ransomware has been attributed to a threat actor group called FIN11.
The threat actor sent a large number of emails to executives at multiple organizations saying sensitive data was stolen from EBS environments.
Artifacts found in Mandiant’s investigation of the campaign overlap with an exploit leaked in a Telegram group named “SCATTERED LAPSUS$ HUNTERS” on Oct. 3, but Google didn’t have enough evidence to say ShinyHunters was involved in this Oracle campaign.
A group apparently associated with Scattered Lapsus$ Hunters, allegedly made up of members of other threat actors including ShinyHunters, Scattered Spider and Lapsus$, has claimed responsibility for a ransom campaign involving third-party Salesforce application Drift by the company Salesloft, a campaign that has hit multiple companies in the cybersecurity space including Google, Zscaler and Cloudflare.
Google’s research shows that suspicious activity started on July 10, with exploitation of what may be the CVE-2025-61882 zero-day EBS vulnerability as early as Aug. 9.
In the threat actor’s email campaign that targeted upwards of thousands of accounts, the group used the addresses [email protected] and [email protected], associated with Cl0p since at least May 2025, according to the Google report. The actor has also shown file listings from attacked accounts dating back to the middle of August.
Cl0p was previously affiliated with a series of major data theft attacks, including widely felt attacks targeting MOVEit customers in 2023.