A hacking campaign targeting Oracle E-Business Suite customers may have begun as early as July, when hackers began chaining together vulnerabilities in the software, according to a report released Thursday by Google Threat Intelligence Group (GTIG).
The attackers, linked to the notorious Clop ransomware group, chained a series of flaws with a zero-day vulnerability to steal large amounts of data after gaining remote code execution without the need for authentication, researchers found.
The vulnerability, tracked as CVE-2025-61882, enables an unauthenticated attacker with network access to take over the Oracle Concurrent Processing component of Oracle E-Business Suite.
GTIG researchers said the campaign involved sophisticated, multistage malware that was fileless, enabling the attacks to evade file-based detection systems. The sophistication of the campaign shows the hackers likely dedicated significant time and resources to planning the attacks.
“We’re still assessing the scope of the incident, but we believe it affected dozens of organizations,” John Hultquist, chief analyst at GTIG, said in a statement. “Some historic Clop data extortion campaigns have had hundreds of victims.”
Researchers traced data theft back to August, while the earliest signs of potential exploitation activity began July 10, Charles Carmakal, CTO of Mandiant Consulting, said in a LinkedIn post. This predates a July patch that Oracle urged users to download.
Researchers at watchTowr on Monday published a full analysis of the exploit chain, showing “five distinct bugs orchestrated together” to allow pre-authenticated remote code execution.
Oracle released an emergency patch Oct. 4 and urged users to immediately update their systems.
Researchers from Shadowserver on Tuesday released data showing 576 IP addresses potentially vulnerable to the zero-day.
Researchers from Mandiant found some overlaps with leaked exploit code posted on Oct. 3 by Scattered Lapsus$ Hunters, a group linked to numerous social engineering attacks against retailers and other companies. The group also claimed credit for the recent attack that disrupted production at Jaguar Land Rover.
However, researchers said they cannot currently assess whether the July activity involved that exploit or whether there is any direct connection between the early Oracle activity and ShinyHunters.
Hultquist said large-scale exploitation of zero-days has increasingly become a regular feature of hacking campaigns.
Clop rose to international prominence in 2023 in connection with the mass exploitation of vulnerabilities in MOVEit file transfer software. The group was also linked to a hacking spree starting in late 2024 after exploiting flaws in Cleo file transfer software.
The current extortion campaign surfaced last week when executives at numerous companies that use Oracle E-Business Suite received extortion emails from hackers claiming to be from Clop.