Corporate executives are being targeted in an email-based extortion campaign by a threat actor claiming affiliation with the notorious Clop ransomware gang, according to security researchers from Google Threat Intelligence Group and Kroll.
The hacker claims to have data stolen from breached Oracle E-Business Suite applications and has been demanding payment from various corporate executives, according to a LinkedIn post from Austin Larsen, principal threat analyst at GTIG.
While researchers have not been able to substantiate the claims of a data breach, they have confirmed important links to a financially motivated threat group tracked under the name FIN11, which has prior associations with Clop.
“We are currently observing a high-volume email campaign being launched from hundreds of compromised accounts, and our initial analysis confirms that at least one of these accounts has been previously associated with activity from FIN11,” Charles Carmakal, CTO of Mandiant Consulting, the incident response unit of GTIG, told Cybersecurity Dive via email.
The extortion note from the hackers includes two contact email addresses that the targeted executives can use to respond to the demands, and researchers have confirmed that those specific contact addresses are publicly listed on the Clop data leak site, according to Carmakal. The extortion demands began earlier this week, on Monday.
Clop is most widely known for the mass exploitation of vulnerabilities in MOVEit file transfer software in 2023. More recently, the group was involved in the exploitation of flaws in Cleo file transfer software in late 2024.
The most recent update to the Clop site is from July 2025, but the most significant recent updates were in February and March, when Clop posted the names of alleged victims of the Cleo-linked attacks, Genevieve Stark, head of cybercrime and information operations intelligence analysis at GTIG, told Cybersecurity Dive.
A series of major companies previously confirmed data breaches linked to the Cleo vulnerability, including rental car provider Hertz and breakfast cereal company WK Kellogg.
Oracle has not responded to a request for comment.