Cyber Security News

Google Warns of CL0P Ransomware Group Actively Exploiting Oracle E-Business Suite Zero-Day

The cybersecurity landscape faces a new and significant threat as the notorious CL0P ransomware group has launched a large-scale extortion campaign targeting Oracle E-Business Suite (EBS) environments.

Starting September 29, 2025, security researchers began tracking a sophisticated operation where threat actors claimed affiliation with the CL0P extortion brand and initiated a high-volume email campaign targeting executives across numerous organizations.

The campaign represents a continuation of the group’s successful operational model of exploiting zero-day vulnerabilities in widely used enterprise applications.

The threat actors have been exploiting what appears to be CVE-2025-61882, a zero-day vulnerability in Oracle EBS environments, with exploitation activities potentially dating back to July 10, 2025.

Oracle initially reported on October 2, 2025, that attackers may have exploited vulnerabilities patched in July 2025, but subsequently issued emergency patches on October 4 to address the vulnerability after discovering active exploitation.

The campaign follows months of intrusion activity targeting EBS customer environments, with successful data exfiltration from multiple impacted organizations.

Google Cloud analysts identified the sophisticated multi-stage attack methodology employed by the threat actors, which begins with exploitation of Oracle EBS servers through a complex vulnerability chain.

The attackers utilized compromised third-party email accounts, likely sourced from infostealer malware logs sold on underground forums, to send extortion emails to company executives.

These emails contained contact addresses support@pubstorm.com and support@pubstorm.net, which have been associated with the CL0P data leak site since at least May 2025.

Google Threat Intelligence Group has documented the group providing legitimate file listings from victim EBS environments to substantiate its extortion claims, with the listed data dating back to mid-August 2025.

The threat actors have indicated that alleged victims can prevent the release of stolen data in exchange for payment. Specific amounts and payment methods have not been disclosed, which matches the pattern of modern extortion operations, where demands are issued only after the victim makes initial contact.

Multi-Stage Java Implant Framework Deployment

The sophistication of the CL0P operation becomes evident through its deployment of a multi-stage Java implant framework designed specifically for Oracle EBS compromise.

The primary attack vector involves exploitation of the SyncServlet component, allowing for unauthenticated remote code execution.

The threat actors initiate attacks with POST requests to /OA_HTML/SyncServlet, subsequently leveraging the XDO Template Manager functionality to create malicious templates within the EBS database.

The exploit chain demonstrates advanced technical capabilities, with payloads stored as new templates in the XDO_TEMPLATES_B database table.

Template names consistently begin with prefixes “TMP” or “DEF”, with TemplateType set to “XSL-TEXT” or “XML” respectively.

The malicious XSL payload structure follows this format:

<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.o"
                xmlns:b64="http://www.orac"
                xmlns:jsm="http://www.orac"
                xmlns:eng="http://www.orac"
                xmlns:str="http://www.orac">
    <xsl:template match="/">
        <xsl:variable name="bs" select="b64:decode"/>
        <xsl:variable name="js" select="str:new"/>
        <xsl:value-of select="$code"/>
    </xsl:template>
</xsl:stylesheet>

[Figure: SAGE infection chain (Source – Google Cloud)]

The framework includes two primary payload chains: GOLDVEIN.JAVA, a Java variant downloader that establishes connections to attacker-controlled command and control servers disguised as “TLSv3.1” handshakes, and the SAGE infection chain consisting of multiple nested Java payloads.
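The indicators in this section (the POST to /OA_HTML/SyncServlet, the TMP/DEF template naming paired with the XSL-TEXT/XML types in XDO_TEMPLATES_B, and the pubstorm contact addresses) can be turned into a small hunting script. The following Python is an added example, not code from Google Cloud, Oracle or the article. It assumes Apache common-log-style access log lines and XDO_TEMPLATES_B column names TEMPLATE_CODE, TEMPLATE_TYPE_CODE and CREATION_DATE (verify against your schema), and it runs over constructed sample data embedded in the block.

```python
"""Hunting helpers for the CL0P / Oracle EBS indicators described above.

Added example, not code from Google Cloud, Oracle or the article.
Assumptions: access-log lines are Apache common-log style, and the
XDO_TEMPLATES_B rows are dicts keyed TEMPLATE_CODE, TEMPLATE_TYPE_CODE
and CREATION_DATE (column names assumed; check your schema).
"""
import re
from datetime import date, datetime

# Indicators taken from the article: TMP -> XSL-TEXT, DEF -> XML.
PREFIX_TO_TYPE = {"TMP": "XSL-TEXT", "DEF": "XML"}
SYNCSERVLET_PATH = "/OA_HTML/SyncServlet"
EXTORTION_CONTACTS = {"support@pubstorm.com", "support@pubstorm.net"}
EARLIEST_ACTIVITY = date(2025, 7, 10)  # possible start of exploitation per the article

# Equivalent query to run directly against the EBS database (assumed column names).
XDO_HUNT_SQL = """
SELECT template_code, template_type_code, creation_date
FROM   xdo_templates_b
WHERE  (template_code LIKE 'TMP%' AND template_type_code = 'XSL-TEXT')
   OR  (template_code LIKE 'DEF%' AND template_type_code = 'XML')
ORDER  BY creation_date DESC
"""


def flag_templates(rows):
    """Return (template_code, confidence) for rows matching the prefix/type pairing.

    A creation date before the earliest known activity lowers confidence but the
    row is still returned, because a database timestamp can be backdated.
    """
    hits = []
    for row in rows:
        code = row.get("TEMPLATE_CODE", "")
        ttype = row.get("TEMPLATE_TYPE_CODE", "")
        for prefix, expected_type in PREFIX_TO_TYPE.items():
            if code.startswith(prefix) and ttype == expected_type:
                created = row.get("CREATION_DATE")
                confidence = "high" if created is None or created >= EARLIEST_ACTIVITY else "medium"
                hits.append((code, confidence))
    return hits


LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def flag_syncservlet_posts(lines):
    """Return (ip, iso_timestamp, status) for every POST to SyncServlet.

    The article describes the chain starting with a POST to this servlet. A 200
    alone is not proof of compromise, so every POST is returned for triage.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if m.group("method") == "POST" and path.lower() == SYNCSERVLET_PATH.lower():
            ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
            hits.append((m.group("ip"), ts.isoformat(), int(m.group("status"))))
    return hits


def extortion_contacts_in(text):
    """Return the CL0P contact addresses from the article that appear in the text."""
    lowered = text.lower()
    return {addr for addr in EXTORTION_CONTACTS if addr in lowered}


# Constructed sample data, not real rows, logs or mail.
SAMPLE_TEMPLATES = [
    {"TEMPLATE_CODE": "TMP_7A1C", "TEMPLATE_TYPE_CODE": "XSL-TEXT", "CREATION_DATE": date(2025, 8, 14)},
    {"TEMPLATE_CODE": "DEF_7A1C", "TEMPLATE_TYPE_CODE": "XML", "CREATION_DATE": date(2025, 8, 14)},
    {"TEMPLATE_CODE": "TMP_LEGACY", "TEMPLATE_TYPE_CODE": "XSL-TEXT", "CREATION_DATE": date(2024, 3, 1)},
    {"TEMPLATE_CODE": "APXSOBLX_XSL", "TEMPLATE_TYPE_CODE": "XSL-FO", "CREATION_DATE": date(2019, 5, 20)},
    {"TEMPLATE_CODE": "DEF_REPORT", "TEMPLATE_TYPE_CODE": "PDF", "CREATION_DATE": date(2025, 9, 1)},
]
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Aug/2025:03:14:07 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 512',
    '192.0.2.11 - - [12/Aug/2025:03:15:00 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 2048',
    '192.0.2.10 - - [12/Aug/2025:03:16:30 +0000] "POST /OA_HTML/SyncServlet?x=1 HTTP/1.1" 500 0',
    '198.51.100.7 - - [12/Aug/2025:03:17:00 +0000] "GET /OA_HTML/SyncServlet HTTP/1.1" 405 0',
]
SAMPLE_EMAIL = "Regarding your Oracle EBS files, contact SUPPORT@pubstorm.net for details."

if __name__ == "__main__":
    print("Suspicious XDO templates:", flag_templates(SAMPLE_TEMPLATES))
    print("SyncServlet POSTs:", flag_syncservlet_posts(SAMPLE_LOG))
    print("Extortion contacts seen:", extortion_contacts_in(SAMPLE_EMAIL))
```

The template check enforces the pairing the article reports (TMP with XSL-TEXT, DEF with XML) rather than either prefix alone, which keeps legitimate templates that merely start with those letters out of the results; the log check returns every matching POST regardless of status code, since the servlet responding with an error does not rule out an attempt.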


Tushar Subhra Dutta

Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.
