Overview
Cl0p — also attributed as TA505 and FIN11 across overlapping threat actor assessments — has added Oracle E-Business Suite (EBS) to the list of enterprise platforms it has systematically exploited for mass data theft. The campaign, first identified by CrowdStrike and later confirmed by Mandiant and Google Cloud, exploited CVE-2025-61882 as a zero-day beginning in July 2025, months before a patch was available. By early 2026 Cl0p had named nearly 30 victims on its data leak site, with analysts estimating over 100 organisations were compromised in total.
The operation follows a familiar Cl0p formula: identify a widely deployed enterprise platform, exploit a critical pre-authentication vulnerability before the vendor patches it, exfiltrate data at scale, and then run a prolonged extortion campaign stretching across multiple quarters.
Vulnerability: CVE-2025-61882
The flaw resides in the BI Publisher Integration component of Oracle’s Concurrent Processing product within Oracle E-Business Suite. It carries a CVSS base score of 9.8 and requires no authentication — a remote, unauthenticated attacker can trigger remote code execution against an internet-exposed EBS instance.
Oracle EBS is widely deployed in manufacturing, healthcare, finance, and logistics for ERP, HR, and supply-chain functions. Crucially, many deployments expose portions of the application to the internet for supplier portals, employee self-service, and partner integrations — providing Cl0p with a large attack surface comparable to those offered by MOVEit Transfer and Cleo in earlier campaigns.
Mandiant’s analysis placed the earliest observed exploitation activity on 10 July 2025, with the volume of attacks increasing sharply after 9 August 2025, well before Oracle issued a patch. A mass email extortion phase launched on 29 September 2025, when Cl0p began notifying victim organisations — including corporate executives — via compromised third-party email accounts.
Attack Chain
Cl0p’s intrusion methodology for the Oracle EBS campaign was documented across incident response engagements by multiple firms:
Stage 1 — Initial Access. Automated scanning infrastructure identified internet-exposed EBS instances. Cl0p exploited CVE-2025-61882 to achieve unauthenticated remote code execution, then deployed web shells for persistent access without requiring further credentials.
Stage 2 — Reconnaissance. Post-exploitation reconnaissance used PowerShell-based commands to enumerate host identity, active directory context, and EBS-specific data directories. The group used tools including SDBot and TinyMet for command-and-control alongside the web shells.
Stage 3 — Data Exfiltration. EBS environments hold financial records, HR data, supply chain information, and customer PII — all of high extortion value. Cl0p exfiltrated data over HTTPS to attacker-controlled infrastructure. Consistent with its MFT campaigns, the group did not deploy file-encrypting ransomware; extortion rests entirely on the threat of data publication.
Stage 4 — Extended Extortion. Rather than notifying all victims simultaneously, Cl0p drip-fed victim names onto its Tor-hosted data leak site across several months. A peak activity spike of 22 victim publications in a single day was recorded on 1 February 2026. This drawn-out disclosure pattern — also used after the MOVEit campaign — maximises media coverage and extends the pressure window on organisations that have not yet paid.
Confirmed Victims
Named victims span a broad set of sectors, reflecting Oracle EBS’s enterprise user base rather than targeted sector selection. Confirmed organisations include:
- The Washington Post — confirmed breach in early November 2025 after being listed on Cl0p’s DLS
- GlobalLogic (Hitachi subsidiary) — reported exposure of personal data belonging to approximately 10,500 current and former employees
- Envoy Air (American Airlines subsidiary)
- Logitech
- Cox Enterprises
- Harvard University
The 53% concentration in business services among claimed victims reflects Oracle EBS’s popularity in that segment, not deliberate targeting. Healthcare and manufacturing victims have also been identified.
Scale and Context
In Q1 2026, Check Point Research recorded 2,122 victims across all ransomware groups — the second-highest first quarter on record. Cl0p’s Oracle EBS campaign continued to contribute victims into that period, with the group posting new names as late as February 2026 despite the intrusions occurring months earlier.
The campaign is notable for Cl0p’s effective exploitation of a zero-day window of several weeks — longer than the zero-day window exploited in the MOVEit campaign. CrowdStrike noted that Cl0p’s initial scanning and exploitation activity preceded public awareness of the vulnerability by a significant margin, suggesting either prior knowledge of the flaw or unusually rapid development of exploit tooling once initial access was achieved.
Clop claimed access into over 234 victim EBS environments by the time the campaign was disclosed, though independent researchers were unable to verify that figure fully.
Indicators of Compromise
Network:
- Outbound HTTPS connections to infrastructure on bulletproof ASNs from EBS application servers
- High-volume egress from Oracle EBS processes during off-hours
- DNS lookups to recently registered domains from EBS hosts
Host:
- Web shell files in Oracle EBS web application directories (JSP-based, consistent with DEWMODE variants)
- SDBot or TinyMet artefacts in temporary directories
- PowerShell execution spawned from Oracle EBS Java processes
- 7-Zip execution from within the Oracle application directory tree
Email:
- Extortion emails sent from third-party compromised accounts to corporate executives, referencing internal EBS data to establish credibility
Recommended Actions
Organisations running Oracle E-Business Suite should treat the following as immediate priorities:
- Apply Oracle’s patch for CVE-2025-61882 without delay. Oracle issued a fix; unpatched instances remain at risk.
- Audit web-facing EBS components for web shell artefacts in application directories. Focus on JSP files modified after July 2025.
- Review EBS access logs for anomalous POST requests to BI Publisher Integration endpoints, particularly from IP ranges not associated with known users.
- Restrict internet-facing EBS surfaces. Supplier portals and self-service modules that must remain public should be placed behind a web application firewall with strict egress controls.
- Monitor outbound data volumes from EBS application servers. Cl0p’s exfiltration activity generates measurably elevated egress before leaving the environment.
If an organisation suspects compromise, incident response engagement is recommended before contacting Cl0p through any extortion channel — payment does not guarantee data deletion, and negotiating without a full understanding of scope risks paying for an incomplete resolution.
Pattern Assessment
CVE-2025-61882 is Cl0p’s fourth major mass-exploit campaign in three years, following GoAnywhere MFT (2023), MOVEit Transfer (2023), and Cleo MFT (2024–2025). Each campaign targeted a different file transfer or enterprise integration platform. The Oracle EBS campaign departs slightly from that MFT-focused pattern but retains the same operational logic: find a widely deployed platform, exploit a critical pre-auth flaw at zero-day, and extract data from hundreds of organisations before defenders can respond collectively.
The group’s capacity to sustain multiple overlapping campaigns — the Cleo campaign was still producing victim posts in early 2025 as Oracle EBS exploitation was beginning — reflects a well-resourced operation with separate teams managing different extortion pipelines simultaneously.