Google and Mandiant: Zero-day in Oracle E-Business Suite likely impacted dozens of organisations

Google Threat Intelligence Group (GTIG) and Mandiant said in a new report that dozens of organisations may have been affected by the zero-day exploitation of a flaw in Oracle’s E-Business Suite (EBS), a campaign that was first observed in August 2025.

John Hultquist, chief analyst of GTIG at Google Cloud, said the investigators “believe it affected dozens of organizations” and warned that large-scale zero-day campaigns are becoming more common. The activity bears hallmarks associated with the Cl0p data-extortion brand and involved at least one critical vulnerability publicly tracked as CVE-2025-61882, the report said; Oracle has issued patches to address the flaws. Google also reported evidence of suspicious activity dating back to July 10, 2025, and said it remains unknown how successful those earlier efforts were.

According to GTIG, the attackers combined multiple exploitation techniques, chaining vulnerabilities the report “assessed” together, to gain remote code execution on EBS servers. The intrusions reportedly used Server-Side Request Forgery (SSRF), Carriage-Return Line-Feed (CRLF) injection, authentication bypass and XSL template injection to establish reverse shells and exfiltrate data.

Investigators said the campaign escalated on Sept. 29, 2025 when attackers launched a high-volume email campaign targeting company executives from hundreds of compromised third-party accounts. The credentials for those accounts were reportedly purchased on underground forums, and GTIG noted that phishing email campaigns by FIN11 have acted as a precursor to branded extortion operations in past incidents.

Google’s analysis identified two distinct chains of Java payloads embedded in XSL templates, including a downloader variant called GOLDVEIN.JAVA and a Base64-encoded loader named SAGEGIFT used to deploy in-memory dropper and servlet-filter components such as SAGELEAF and SAGEWAVE. The report also noted overlaps between post-exploitation tooling and malware previously associated with suspected FIN11 activity.
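The two technique descriptions above (CRLF injection among the exploitation steps, and Java payloads carried in XSL templates as Base64-encoded loaders) translate into concrete triage checks a defender can run over their own artifacts. The following Python is an added example written for this article, not code from Google, Mandiant or Oracle. It assumes Apache-style access logs, treats the Xalan Java extension namespaces as a suspicious indicator in uploaded XSL templates (an assumption of this example, not a finding of the report), and uses constructed log lines and a constructed template rather than any real sample.

```python
"""Defensive triage helpers for two techniques named in the article:
CRLF injection in HTTP request targets, and XSL templates carrying an
embedded Java payload. Indicator choices are this example's assumptions."""
import base64
import binascii
import re
from urllib.parse import unquote

# Request field of an Apache combined-format log line: "METHOD PATH HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

# Real Xalan namespaces that expose Java to XSLT. Flagging them in a
# template that a user uploaded is an assumption made for this example.
JAVA_EXT_NAMESPACES = (
    "http://xml.apache.org/xalan/java",
    "http://xml.apache.org/xslt/java",
)
BASE64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # magic bytes of a compiled .class file


def find_crlf_injection(log_text: str) -> list[dict]:
    """Return request lines whose URL-decoded target contains CR or LF.

    A carriage return or line feed inside a request target is never
    legitimate; it is the building block for injecting headers into a
    request that the server forwards elsewhere."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        decoded = unquote(m.group("path"))
        if "\r" in decoded or "\n" in decoded:
            hits.append({"line": lineno, "method": m.group("method"),
                         "path": m.group("path")})
    return hits


def inspect_xsl_template(xsl_text: str) -> list[str]:
    """Return finding tags for an XSL template: a Java extension namespace
    declaration, and/or a Base64 run that decodes to a Java class file."""
    findings = []
    if any(ns in xsl_text for ns in JAVA_EXT_NAMESPACES):
        findings.append("java-extension-namespace")
    for run in BASE64_RUN_RE.findall(xsl_text):
        try:
            blob = base64.b64decode(run, validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid Base64 (e.g. bad padding); ignore
        if blob.startswith(JAVA_CLASS_MAGIC):
            findings.append("embedded-java-class")
            break
    return findings


# --- Constructed samples (not real logs or templates) --------------------
SAMPLE_LOG = """\
203.0.113.5 - - [29/Sep/2025:10:01:02 +0000] "GET /app/help/index.jsp?locale=en HTTP/1.1" 200 512
203.0.113.5 - - [29/Sep/2025:10:01:09 +0000] "GET /app/forward?next=/home%0d%0aX-Injected:%201 HTTP/1.1" 302 0
198.51.100.7 - - [29/Sep/2025:10:02:33 +0000] "POST /app/templates/upload HTTP/1.1" 200 77
"""

# A fake "loader": class-file magic followed by zero padding, Base64-encoded.
SAMPLE_LOADER_B64 = base64.b64encode(JAVA_CLASS_MAGIC + b"\x00" * 96).decode()
SAMPLE_XSL = f"""<?xml version="1.0"?>
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:java="http://xml.apache.org/xalan/java">
  <xsl:variable name="blob">{SAMPLE_LOADER_B64}</xsl:variable>
  <xsl:template match="/"><xsl:value-of select="$blob"/></xsl:template>
</xsl:stylesheet>
"""
BENIGN_XSL = """<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/"><html><body><xsl:value-of select="/order/id"/></body></html></xsl:template>
</xsl:stylesheet>"""

if __name__ == "__main__":
    for hit in find_crlf_injection(SAMPLE_LOG):
        print(f"CRLF in request target, log line {hit['line']}: {hit['method']} {hit['path']}")
    print("suspicious template:", inspect_xsl_template(SAMPLE_XSL))
    print("benign template:    ", inspect_xsl_template(BENIGN_XSL))
```

Both checks are deliberately cheap so they can run across an entire log archive or template store; the class-file magic check keeps the Base64 heuristic from firing on ordinary long encoded strings such as embedded images.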

Victims received extortion messages claiming a breach of their Oracle EBS application and demanding ransom payments; to date none have been posted on the Cl0p data-leak site, a delay consistent with prior Cl0p campaigns, GTIG said. While Google described an apparent association with the Cl0p brand, it did not formally attribute the campaign to a specific tracked group. It noted that some artifacts overlap with an exploit later leaked in a Telegram group, but said there is insufficient evidence to implicate that group.