Cl0p-Linked Gang Attempts to Extort Oracle E-Business Customers


Cybersecurity experts are on high alert as a group claiming ties to the infamous Cl0p ransomware gang is bombarding companies with emails that threaten to expose data allegedly stolen from Oracle’s E-Business Suite, a widely used system for managing core business functions like finance and HR.

The activity, which started on or before September 29, 2025, has triggered urgent investigations by security teams at Mandiant and the Google Threat Intelligence Group (GTIG). Targeted organisations, many of which use the Oracle E-Business Suite, are under pressure to respond to the claims.

Connecting the Dots

According to Charles Carmakal, Chief Technology Officer at Mandiant (a Google Cloud company), who has shared his insights with Hackread.com, the attack involves a massive, “high-volume” email campaign sent from hundreds of previously hacked third-party email accounts.

Mandiant’s initial checks suggest that at least one of these accounts was previously used by FIN11, a well-established criminal group known for deploying ransomware and engaging in blackmail.

It seems that this group is trying to leverage the strong reputation of Cl0p, an infamous financially motivated cybercrime group known for highly successful, large-scale attacks, such as the 2023 MOVEit campaign that affected over 2,300 organisations.

Investigations conducted so far reveal a strong link: two specific contact addresses provided in the extortion emails match those publicly listed on the Cl0p data leak site. Carmakal noted that this suggests an association with Cl0p, or that the actors are simply using the name for greater leverage.

“The contact addresses provided in the extortion notes ([email protected] and [email protected]) are the same ones publicly listed on the official CLOP data leak site,” said Austin Larsen, Principal Threat Analyst at Google Threat Intelligence Group.

Genevieve Stark, who leads cybercrime intelligence analysis at GTIG, told Hackread.com that they “do not currently have sufficient evidence to definitively assess the veracity of these claims.” She added that impersonation is a plausible scenario, since cybercriminals often adopt the name of an established group to increase the pressure on victims to pay.

Mandiant investigators are currently conducting multiple checks within affected organisations’ Oracle environments, but have yet to substantiate the claims of a successful data breach. The only clear indicators so far are the extortion emails themselves and the use of the Cl0p-associated email addresses.

These threatening emails do not ask for a specific ransom amount, but instead push company executives to contact the threat group to start payment talks.

It is worth noting that the Cl0p group has not yet published any data or acknowledged the campaign on its official leak sites. Companies are advised to carefully check their systems for signs of compromise while the authenticity of the hackers’ claims remains unconfirmed.

Oracle is Aware

For its part, Oracle has acknowledged the issue. In a security advisory, the company’s Chief Security Officer, Rob Duhart, said that “Oracle is aware that some Oracle E-Business Suite (EBS) customers have received extortion emails. Our ongoing investigation has found the potential use of previously identified vulnerabilities that are addressed in the July 2025 Critical Patch Update.”

This is a developing story; Hackread.com will update its readers as further details emerge.
