Oracle E-Business Suite compromised-account extortion email campaign
Campaign
Summary
A compromised-account extortion campaign is targeting Oracle E-Business Suite (EBS) customers, with executives at multiple companies receiving emails claiming sensitive data was stolen. The activity began on or before September 29, 2025, and investigators said the messages were sent from hundreds of compromised third-party accounts. Google Threat Intelligence Group (GTIG) and Mandiant said the campaign may have affected dozens of organizations and may involve CVE-2025-61882 plus other attack chains used to gain remote code execution on Oracle EBS servers. Oracle has since issued patches, while the theft claims remain unconfirmed and the campaign shows possible ties to Cl0p and prior FIN11-associated infrastructure.
Related Happenings
Over a dozen companies data exposed after SaaS integration provider Snowflake breach
Data Leak
First: 07.04.2026 22:39
Last: 07.04.2026 22:39
Sources 1
About this happening:
A stolen-token attack from a **SaaS integration provider breach** has led to data theft claims affecting **over a dozen companies**, creating immediate exposure and extortion risk...
Madison Square Garden hit by network compromise linked to Cl0p
Incident
First: 02.03.2026 15:53
Last: 02.03.2026 15:53
Sources 1
About this happening:
**Madison Square Garden** confirmed a **data breach** that exposed **names and SSNs**, and it has started notifying affected people. The compromise involved a **hosted Oracle E-Bu...
Cl0p Oracle E-Business Suite zero-day extortion campaign
Campaign
First: 02.03.2026 15:53
Last: 02.03.2026 15:53
Sources 1
About this happening:
The **Cl0p ransomware and extortion group** is running an **Oracle E-Business Suite** extortion campaign that used **zero-day vulnerabilities** to access data from **more than 100...
Optimizely hit by network compromise
Incident
First: 23.02.2026 20:04
Last: 23.02.2026 20:04
Sources 1
About this happening:
**Optimizely** confirmed a **voice-phishing breach** that exposed **basic business contact information**, creating a limited but real follow-on phishing risk. The intrusion touche...
Chinese state-sponsored campaign to hijack Notepad++ update traffic
Campaign
First: 02.02.2026 16:53
Last: 02.02.2026 16:53
Sources 1
About this happening:
A **months-long campaign** hijacked **Notepad++ update traffic**, selectively sending some users to malicious servers and threatening the integrity of software updates. The operat...
Timeline
13.10.2025 14:14 3 articles · 7mo ago
Harvard University investigates Clop Oracle E-Business Suite breach claim
Victim Impact Update
Harvard University said it is investigating a data breach claim after Clop listed the university on its data leak site and said the alleged theft was likely tied to a recently disclosed Oracle E-Business Suite zero-day. Harvard said the issue appears to affect a limited number of parties in a small administrative unit, that it applied Oracle's patch after receiving it, and that it has no evidence of compromise to other University systems.
Sources:
- Harvard investigating breach linked to Oracle zero-day exploit — www.bleepingcomputer.com — 13.10.2025 14:14
- Washington Post data breach impacts nearly 10K employees, contractors — www.bleepingcomputer.com — 13.11.2025 18:00
- Dartmouth College confirms data breach after Clop extortion attack — www.bleepingcomputer.com — 25.11.2025 13:12
03.10.2025 15:14 1 article · 7mo ago
Oracle urges E-Business Suite customers to apply July 2025 patches
Mitigation Patch Update
Oracle told Oracle E-Business Suite customers that its ongoing investigation found the potential use of previously identified vulnerabilities addressed in the July 2025 Critical Patch Update and urged them to apply the latest Critical Patch Updates and contact Oracle support if they need help.
Sources:
- Oracle links Clop extortion attacks to July 2025 vulnerabilities — www.bleepingcomputer.com — 03.10.2025 15:14
02.10.2025 06:13 2 articles · 7mo ago
Compromised-account extortion emails target Oracle E-Business Suite executives
Campaign Scope Update
Executives at multiple companies received emails claiming that sensitive Oracle E-Business Suite data was stolen, and the activity began on or before September 29, 2025. The messages were launched from hundreds of compromised accounts, and at least one sending account had prior activity associated with FIN11.
Sources:
- Clop extortion emails claim theft of Oracle E-Business Suite data — www.bleepingcomputer.com — 02.10.2025 06:13
02.10.2025 06:13 3 articles · 7mo ago
Mandiant and Google assess the Oracle E-Business Suite extortion campaign
Technical Analysis Update
Mandiant and Google said the extortion emails were being sent from hundreds of compromised accounts, with at least one account previously associated with FIN11, and reported contact addresses linked to the Clop ransomware gang's data leak site. They said there was not enough evidence to determine whether data had actually been stolen and recommended that organizations investigate Oracle E-Business Suite environments for unusual access or compromise.
Sources:
- Clop extortion emails claim theft of Oracle E-Business Suite data — www.bleepingcomputer.com — 02.10.2025 06:13
- Extortion Emails Sent to Executives by Self-Proclaimed Clop Gang Member — www.infosecurity-magazine.com — 02.10.2025 17:45
- CL0P-Linked Hackers Breach Dozens of Organizations Through Oracle Software Flaw — thehackernews.com — 10.10.2025 09:41