Clop Oracle E-Business Suite extortion campaign
Campaign
Summary
Clop's Oracle E-Business Suite extortion campaign has now been tied to LKQ, which was named by the group on its leak site as one of the first victims. The broader campaign is linked to CVE-2025-61882 and has targeted more than 100 organizations across multiple sectors since it surfaced in early October 2025. In a separate disclosure, the University of Phoenix said attackers accessed its systems during August 13-22, 2025 through its Oracle E-Business Suite (EBS) financial application. The university said the breach affected 3,489,274 individuals, including 9131 Maine residents, and involved sensitive personal and financial information.
Related Happenings
BlackFile vishing extortion campaign targeting retail and hospitality organizations
Campaign
First: 24.04.2026 21:26
Last: 24.04.2026 21:26
Sources 1
About this happening:
The **BlackFile** campaign is driving **vishing-based data theft and extortion** against **retail and hospitality organizations**, putting employee credentials and enterprise data...
UNC6783 BPO compromise campaign targeting downstream companies
Campaign
First: 09.04.2026 00:46
Last: 09.04.2026 00:46
Sources 1
About this happening:
**UNC6783** is an active **BPO compromise campaign** targeting **business process outsourcers** and large enterprises to reach downstream environments for **extortion**. The opera...
DPRK-linked cryptoasset theft campaign continuing into 2026
Campaign
First: 03.04.2026 11:35
Last: 03.04.2026 11:35
Sources 1
About this happening:
The **DPRK-linked cryptoasset theft campaign** is continuing into **2026**, keeping **crypto and Web3** targets at risk of repeated theft and laundering activity. The operation us...
TeamPCP supply-chain credential-exploitation campaign
Campaign
First: 31.03.2026 15:15
Last: 31.03.2026 15:15
Sources 1
About this happening:
The **TeamPCP** campaign now includes a confirmed **GitHub** compromise tied to a poisoned **Nx Console VS Code extension**. GitHub said the breach of its internal repositories ca...
Latest development: 12.05.2026 01:03
TeamPCP compromised the Checkmarx Jenkins AST plugin by publishing a rogue version to repo.jenkins-ci.org on May 9, 2026, outside the official release pipeline. The malicious upload was tied to access to Checkmarx GitHub repositories and was used to deliver credential-stealing malware and malicious code to the affected organization.
Oracle WebLogic Server CVE-2026-21962 rapid exploitation wave
Exploitation Wave
First: 26.03.2026 18:00
Last: 26.03.2026 18:00
Sources 1
About this happening:
**Oracle WebLogic Server** systems faced a rapid **CVE-2026-21962** exploitation wave after public exploit code appeared, creating immediate **RCE risk** for exposed servers. The...
Timeline
- 14.10.2025 19:38 3 articles · 7mo ago
Clop extortion campaign against Oracle E-Business Suite customers
Initial Disclosure: Mandiant and Google began tracking a new extortion campaign in which companies received emails claiming sensitive data had been stolen from their Oracle E-Business Suite systems, and Oracle told customers to install the latest Critical Patch Updates after saying Clop was exploiting an EBS flaw patched in July 2025.
Sources:
- Oracle silently fixes zero-day exploit leaked by ShinyHunters — www.bleepingcomputer.com — 14.10.2025 19:38
- Oracle silently fixes zero-day exploit leaked by ShinyHunters — www.bleepingcomputer.com — 14.10.2025 19:38
- Five New Exploited Bugs Land in CISA's Catalog — Oracle and Microsoft Among Targets — thehackernews.com — 20.10.2025 22:00
- 14.10.2025 15:47 6 articles · 7mo ago
Harvard University confirmed as Oracle EBS campaign victim
Victim Impact Update: Harvard University was listed on the Cl0p data leak website on October 12, and the cybercriminals later published a link to data allegedly stolen from Harvard. Harvard confirmed it was targeted in the Oracle EBS campaign and said the impact appears limited to a small administrative unit, while GTIG and Mandiant said dozens of organizations have been targeted.
Sources:
- Harvard Is First Confirmed Victim of Oracle EBS Zero-Day Hack — www.securityweek.com — 14.10.2025 15:47
- American Airlines subsidiary Envoy confirms Oracle data theft attack — www.bleepingcomputer.com — 17.10.2025 22:11
- Logitech confirms data breach after Clop extortion attack — www.bleepingcomputer.com — 15.11.2025 00:18
- Cox Enterprises discloses Oracle E-Business Suite data breach — www.bleepingcomputer.com — 22.11.2025 17:16
- Barts Health NHS discloses data breach after Oracle zero-day hack — www.bleepingcomputer.com — 05.12.2025 20:55
- Clop Ransomware Group Linked to 3.5m University of Phoenix Breach — www.infosecurity-magazine.com — 23.12.2025 18:00
- 06.10.2025 04:37 5 articles · 7mo ago
Clop Oracle E-Business Suite extortion campaign
Initial Disclosure: The campaign began its extortion phase when **Oracle E-Business Suite** ransom emails started reaching **multiple companies**. The opening demand centered on alleged stolen files and a threat to leak the data unless payment was made.
Sources:
- Oracle patches EBS zero-day exploited in Clop data theft attacks — www.bleepingcomputer.com — 06.10.2025 04:37
- Oracle patches EBS zero-day exploited in Clop data theft attacks — www.bleepingcomputer.com — 06.10.2025 04:37
- Clop exploited Oracle zero-day for data theft since early August — www.bleepingcomputer.com — 07.10.2025 20:27
- Google: Clop Accessed “Significant Amount” of Data in Oracle EBS Exploit — www.infosecurity-magazine.com — 10.10.2025 13:15
- Oracle silently fixes zero-day exploit leaked by ShinyHunters — www.bleepingcomputer.com — 14.10.2025 19:38