A large-scale extortion campaign targeting Oracle E-Business Suite (EBS) customers began on September 29, 2025. The threat actor, claiming affiliation with the CL0P extortion brand, exploited a zero-day vulnerability (CVE-2025-61882) in EBS as early as August 9, 2025. The campaign involved sending emails to executives, alleging data theft from EBS environments. The attackers used a multi-stage Java implant framework to compromise Oracle EBS, exploiting vulnerabilities in the UiServlet and SyncServlet components. The attack chain included the GOLDVEIN.JAVA downloader and the SAGE* infection chain (SAGEGIFT, SAGELEAF, SAGEWAVE). While not formally attributed, the activity overlaps with confirmed and suspected FIN11 operations. The campaign highlights the ongoing trend of exploiting zero-day vulnerabilities in enterprise applications for data theft and extortion.

Author: AlienVault
Related Tags:
SAGEWAVE
SAGELEAF
SAGEGIFT
GOLDVEIN.JAVA
cve-2025-61882
oracle e-business suite
T1505.003
T1132
T1573
Associated Indicators:
BFA02F822ACC4ADFA627913E7157928D66081BC9
200.107.207.26