
Sophisticated Malware Deployed in Oracle EBS Zero-Day Attacks

Google researchers believe exploitation may have started as early as July 10 and the campaign hit dozens of organizations.


Google Threat Intelligence Group (GTIG) and Mandiant have continued to analyze the recent Oracle E-Business Suite (EBS) extortion campaign and their researchers have identified some of the pieces of malware deployed in the attacks.

The attacks came to light on October 2, when GTIG and Mandiant warned that executives at many organizations using Oracle EBS had received extortion emails. It has since been determined that the hackers likely exploited known EBS vulnerabilities patched in July, and likely also a zero-day flaw tracked as CVE-2025-61882.

The hacker groups ShinyHunters and Scattered Spider (now calling themselves Scattered LAPSUS$ Hunters) have published a proof-of-concept (PoC) exploit that appears to target CVE-2025-61882, but it’s still unclear which other CVEs are involved in the exploit chain. It’s worth noting that even on its own, according to Oracle, CVE-2025-61882 allows unauthenticated remote code execution.

CrowdStrike has found evidence that exploitation of CVE-2025-61882 started on August 9. A blog post published on Thursday by GTIG and Mandiant reveals that some suspicious activity was seen as early as July 10, right before Oracle published its July patches.

GTIG and Mandiant have not obtained definitive proof, but they say it is plausible that the July 10 activity was an early attempt to exploit EBS servers.

GTIG and Mandiant researchers have also analyzed the exploit chain and malware deployed in the Oracle EBS campaign.


The attackers created a malicious template in vulnerable Oracle EBS databases; the template stored a payload that was triggered in the final stage of the exploit chain.

Two types of payloads have been identified in the malicious templates. One of them is a downloader tracked by Google as GoldVein.Java, which attempts to fetch a second-stage payload from a C&C server. However, the tech giant’s researchers have not been able to retrieve this second-stage payload.

The second payload delivered through malicious templates is a "nested chain of multiple Java payloads". A loader named SageGift loads a dropper named SageLeaf, which in turn installs a Java servlet filter named SageWave that enables the threat actor to deploy the final payload. Again, the researchers could not retrieve the final payload.

GoldVein, SageGift, SageLeaf, and SageWave have been described as sophisticated, multi-stage, fileless malware that can evade file-based detection.

The Cl0p name has been used in the extortion emails sent to victims (likely due to Cl0p's reputation), but GTIG and Mandiant immediately discovered some links to a cybercrime group tracked as FIN11, based on the compromised email accounts used to send out the extortion messages.

GTIG said it has yet to attribute the attack to a specific threat group, but pointed out that it has found further links to FIN11, which appears to have multiple activity clusters. The connections to FIN11 include the group's known use of Cl0p ransomware, and the similarity between the malware used in the latest attacks and malware previously linked to FIN11.

Although the Scattered LAPSUS$ Hunters hackers leaked the PoC exploit, there is no evidence that they were involved in the Oracle campaign.

Google researchers believe dozens of organizations have been hit, and noted that the hackers managed to steal significant amounts of data from some of the victims.

This is not surprising: the previous large-scale campaigns linked to FIN11 and Cl0p, which targeted Cleo, MOVEit, Fortra and Accellion file transfer products via zero-day flaws, also resulted in large amounts of information being stolen, in some cases from hundreds of organizations.

The Cl0p leak website currently displays a message suggesting that victims of the Oracle EBS campaign will soon be named unless they pay a ransom. However, similar to the previous Cl0p extortion campaigns, it will likely take weeks for the victims to be named.


Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
