Crims had 3-month head start on defenders in Oracle EBS invasion

The miscreants started their attack all the way back on July 10

The raid on Oracle E-Business Suite (EBS) likely began as early as July - about three months before any public detections - with extortionists compromising "dozens" of organizations, a Google investigation has determined.

New analysis by Google Threat Intelligence Group (GTIG) and Mandiant indicates that, while the criminals likely exploited what may be CVE-2025-61882 as a zero-day as early as August 9, weeks before Oracle developed a patch, suspicious HTTP traffic targeting Oracle EBS servers began on July 10.

"We're still assessing the scope of this incident, but we believe it affected dozens of organizations," John Hultquist, chief analyst at Google Threat Intelligence Group, told The Register. "Some historic Clop data extortion campaigns have had hundreds of victims. Unfortunately, large scale zero-day campaigns like this are becoming a regular feature of cybercrime."

Attack timeline

As a reminder of the timeline thus far: In late September, criminals claiming to be affiliated with the notorious Clop cybercrime mob began bombarding execs at numerous organizations with extortion emails, claiming to have stolen sensitive data from their EBS environments.

On October 2, Oracle told customers that the crims may have exploited security holes that were patched in July 2025 and recommended that they apply the latest critical patch updates. 

Two days later, Oracle pushed an emergency patch for a zero-day bug, tracked as CVE-2025-61882, in EBS that Clop had already abused for data theft and extortion.

Since then, researchers have found signs that Clop had been rummaging through Oracle customers' EBS environments from August onward. But according to Google's threat hunters, the nefarious activity began a month earlier and may have ties to the Salesforce data thieves.

ShinyHunters connection?

In its report published on Thursday, Mandiant's incident response team said it spotted activity in July that looked like miscreants attempting to break into Oracle EBS servers by targeting the UiServlet component.

The UiServlet is located within the path /OA_HTML/configurator/UiServlet, where it accepts and processes requests from users, and the Clop exploits disclosed in October target this particular component.

The artifacts recovered during Mandiant's investigation show some overlap between the July activity against the UiServlet and an exploit leaked by Scattered Lapsus$ Hunters in its Telegram channel on October 3, a day before Oracle released a patch for CVE-2025-61882.

"However, GTIG lacks sufficient evidence to directly correlate activity observed in July 2025 with use of this exploit," Googlers Peter Ukhanov, Genevieve Stark, Zander Work, Ashley Pearson, Josh Murchie, and Austin Larsen wrote in Thursday's threat intel report. "At this time, GTIG does not assess that actors associated with UNC6240 (aka 'Shiny Hunters') were involved in this exploitation activity."

On July 10, before Oracle released its July EBS security updates, Mandiant spotted suspicious HTTP traffic from 200.107.207.26, which may have been an early attempt to exploit EBS servers, the cyber sleuths noted.

"However, there was no available forensic evidence showing outbound HTTP traffic consistent with the remote XSL payload retrieval performed in the leaked exploit, nor any suspicious commands observed being executed, inhibiting us from assessing that this was an actual exploitation attempt," they wrote.

Then, after Oracle's July security update, Mandiant observed "likely exploitation attempts" from 161.97.99.49 against Oracle EBS servers, again targeting the UiServlet.

Some of these requests timed out, according to EBS log data, suggesting that the Server-Side Request Forgery vulnerability in the leaked public exploit (analyzed here by watchTowr) may have failed.

Google also notes that these errors weren't present in any activity prior to the July patch release, and says it can't confirm if the same threat group was behind the suspicious traffic before and after the July release.
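A defender-side triage of EBS web access logs for the activity described above, as an added example that is not from Google's, Mandiant's or Oracle's reporting: it groups requests to the two servlets named in the article by source IP, counts the timed-out ones, and marks IPs the article already reports. The log format (combined format plus a trailing duration in seconds), the SyncServlet path, and the 60-second timeout threshold are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Servlets named in the reporting: the UiServlet path probed in July and the
# SyncServlet abused in August (matching SyncServlet by name is an assumption).
UISERVLET_PATH = "/OA_HTML/configurator/UiServlet"
# Source IPs the article attributes to the July 10 and post-patch traffic.
REPORTED_IPS = {"200.107.207.26", "161.97.99.49"}

# Assumed log shape: Apache combined format plus a trailing duration in seconds.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" (?P<secs>\d+)$'
)

def is_watched(path):
    """True for requests aimed at the two servlets the campaign targeted."""
    path = path.split("?", 1)[0]
    return path.startswith(UISERVLET_PATH) or "SyncServlet" in path

def triage(lines, timeout_secs=60):
    """Group watched-servlet requests by source IP and count timed-out ones."""
    findings = defaultdict(lambda: {"hits": 0, "timeouts": 0, "reported": False})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_watched(m.group("path")):
            continue
        f = findings[m.group("ip")]
        f["hits"] += 1
        f["reported"] = m.group("ip") in REPORTED_IPS
        # A long-running or 504/408 request is the "timed out" signal Google mentions.
        if int(m.group("secs")) >= timeout_secs or m.group("status") in ("504", "408"):
            f["timeouts"] += 1
    return dict(findings)

# Constructed sample lines, not real EBS log data.
SAMPLE_LOG = [
    '200.107.207.26 - - [10/Jul/2025:03:14:07 +0000] "POST /OA_HTML/configurator/UiServlet HTTP/1.1" 200 512 "-" "python-requests/2.31" 1',
    '161.97.99.49 - - [22/Jul/2025:11:02:51 +0000] "POST /OA_HTML/configurator/UiServlet HTTP/1.1" 500 0 "-" "curl/8.0" 120',
    '161.97.99.49 - - [22/Jul/2025:11:05:09 +0000] "POST /OA_HTML/configurator/UiServlet?x=1 HTTP/1.1" 200 301 "-" "curl/8.0" 2',
    '10.0.0.5 - - [22/Jul/2025:11:06:00 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 2048 "-" "Mozilla/5.0" 0',
    '203.0.113.9 - - [09/Aug/2025:17:40:12 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 0 "-" "Mozilla/5.0" 3',
]

if __name__ == "__main__":
    for ip, f in triage(SAMPLE_LOG).items():
        tag = "known-reported" if f["reported"] else "new"
        print(f"{ip}: {f['hits']} watched requests, {f['timeouts']} timed out ({tag})")
```

Point it at real access logs by replacing SAMPLE_LOG with the file's lines; any IP flagged as "new" with timeouts against the UiServlet is worth a closer look alongside the outbound-traffic check Google describes.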

And…the payloads

We do know that the August exploits targeting a bug in the SyncServlet component, allowing for unauthenticated remote code execution (RCE), were successful. And in its report, the Chocolate Factory reveals that the intruders deployed multi-stage, fileless malware to evade file-based detection in these EBS attacks.

This includes GOLDVEIN.JAVA, a downloader that communicated with the attacker-controlled command-and-control (C2) IP address to retrieve and execute a second-stage payload (Mandiant hasn't recovered any follow-on payloads at this time). 

The GOLDVEIN beacon is disguised as a TLSv3.1 handshake and contains logging functionality that returns the execution result to the attacker in the HTTP response.

This downloader was originally written in PowerShell (before the Java version used here) and was first observed in December 2024 by a suspected FIN11 threat cluster that Google tracks as UNC5936. FIN, in Google's attacker naming taxonomy, denotes a financially motivated gang, while UNC means uncategorized.

The attackers abusing EBS also deployed multiple Java payloads including the SAFEGIFT loader, the SAGELEAF in-memory dropper, and a malicious Java servlet filter called SAGEWAVE. These combined payloads allow the miscreants to continually filter and monitor for requests to certain endpoints to deploy additional Java payloads.

FIN, who?

And about that potential FIN11 overlap: while GTIG has not formally attributed the EBS exploitation to any threat group - yet - it says the crims' claimed links to Clop, including two contact email addresses listed on the Clop data leak site (DLS) since at least May, are "notable."

"GTIG initially observed the DLS used for multifaceted extortion operations involving CL0P ransomware and attributed to FIN11," the researchers wrote. "More recently, the majority of the alleged victims appear to be associated with data theft extortion incidents stemming from the exploitation of managed file transfer (MFT) systems frequently attributed to FIN11 and suspected FIN11 threat clusters."

However, they note, FIN11 isn't the only gang using Clop's ransomware and leak site, so Google can't attribute these attacks to FIN11 based on this alone. ®
