Cyber Security News

Google Warns of CL0P Ransomware Group Actively Exploiting Oracle E-Business Suite Zero-Day

The cybersecurity landscape faces a new and significant threat as the notorious CL0P ransomware group has launched a large-scale extortion campaign targeting Oracle E-Business Suite (EBS) environments.

Starting September 29, 2025, security researchers began tracking a sophisticated operation where threat actors claimed affiliation with the CL0P extortion brand and initiated a high-volume email campaign targeting executives across numerous organizations.

The campaign represents a continuation of the group’s successful operational model of exploiting zero-day vulnerabilities in widely used enterprise applications.

The threat actors have been exploiting what appears to be CVE-2025-61882, a zero-day vulnerability in Oracle EBS environments, with exploitation activities potentially dating back to July 10, 2025.

Oracle initially reported on October 2, 2025, that attackers may have exploited vulnerabilities patched in July 2025, but subsequently issued emergency patches on October 4 to address the vulnerability after discovering active exploitation.

The campaign follows months of intrusion activity targeting EBS customer environments, with successful data exfiltration from multiple impacted organizations.

Google Cloud analysts identified the sophisticated multi-stage attack methodology employed by the threat actors, which begins with exploitation of Oracle EBS servers through a complex vulnerability chain.

The attackers utilized compromised third-party email accounts, likely sourced from infostealer malware logs sold on underground forums, to send extortion emails to company executives.

These emails contained contact addresses support@pubstorm.com and support@pubstorm.net, which have been associated with the CL0P data leak site since at least May 2025.

Google Threat Intelligence Group has documented cases in which the group supplied genuine file listings from victim EBS environments to substantiate its extortion claims, with data dating back to mid-August 2025.

The threat actors state that victims can prevent the release of stolen data in exchange for payment, though specific amounts and payment methods are not disclosed up front. This follows the typical pattern of modern extortion operations, where demands are provided only after initial victim contact.

Multi-Stage Java Implant Framework Deployment

The sophistication of the CL0P operation becomes evident through their deployment of a multi-stage Java implant framework designed specifically for Oracle EBS compromise.

The primary attack vector involves exploitation of the SyncServlet component, allowing for unauthenticated remote code execution.

The threat actors initiate attacks with POST requests to /OA_HTML/SyncServlet, subsequently leveraging the XDO Template Manager functionality to create malicious templates within the EBS database.

The exploit chain demonstrates advanced technical capabilities, with payloads stored as new templates in the XDO_TEMPLATES_B database table.

Template names consistently begin with prefixes “TMP” or “DEF”, with TemplateType set to “XSL-TEXT” or “XML” respectively.

The malicious XSL payload structure follows this format:

<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.o"
                xmlns:b64="http://www.orac"
                xmlns:jsm="http://www.orac"
                xmlns:eng="http://www.orac"
                xmlns:str="http://www.orac">
    <xsl:template match="/">
        <xsl:variable name="bs" select="b64:decode"/>
        <xsl:variable name="js" select="str:new"/>
        <xsl:value-of select="$code"/>
    </xsl:template>
</xsl:stylesheet>

SAGE infection chain (Source – Google Cloud)

The framework includes two primary payload chains: GOLDVEIN.JAVA, a Java variant downloader that establishes connections to attacker-controlled command and control servers disguised as “TLSv3.1” handshakes, and the SAGE infection chain consisting of multiple nested Java payloads.
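As an added defender-side example (not code from the article or from Google's report), the following Python script checks two of the indicators described above: template rows whose name prefix and TemplateType match the reported TMP/XSL-TEXT and DEF/XML pairing, and XSL template bodies that declare non-XSLT namespace prefixes and then reference them from select expressions, as the shown payload does with b64: and str:. The row column names and the stylesheet namespace URIs are constructed placeholders, not Oracle's.

```python
import re

# Constructed rows in the shape of XDO_TEMPLATES_B; the column names are assumptions.
TEMPLATE_ROWS = [
    {"TEMPLATE_CODE": "TMPA1B2", "TEMPLATE_TYPE_CODE": "XSL-TEXT"},
    {"TEMPLATE_CODE": "DEFC3D4", "TEMPLATE_TYPE_CODE": "XML"},
    {"TEMPLATE_CODE": "INVOICE_PRINT", "TEMPLATE_TYPE_CODE": "RTF"},
    {"TEMPLATE_CODE": "DEFAULT_REPORT", "TEMPLATE_TYPE_CODE": "XSL-TEXT"},
]

# Constructed stylesheet echoing the reported shape (extra namespace prefixes whose
# functions are used from select=); the URIs are placeholders, not Oracle's.
SUSPECT_XSL = """<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:b64="urn:placeholder:b64" xmlns:str="urn:placeholder:str">
  <xsl:template match="/">
    <xsl:variable name="bs" select="b64:decode($blob)"/>
    <xsl:variable name="js" select="str:new($bs)"/>
  </xsl:template>
</xsl:stylesheet>"""

BENIGN_XSL = """<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/"><xsl:value-of select="/invoice/total"/></xsl:template>
</xsl:stylesheet>"""

XSLT_NS = "http://www.w3.org/1999/XSL/Transform"
# Name prefix -> TemplateType pairing reported for the malicious templates.
REPORTED_PAIRING = {"TMP": "XSL-TEXT", "DEF": "XML"}
NS_DECL = re.compile(r'xmlns:([\w.-]+)="([^"]*)"')
SELECT_EXPR = re.compile(r'select="([^"]*)"')
PREFIXED_NAME = re.compile(r'\b([A-Za-z_][\w.-]*):[A-Za-z_][\w.-]*')

def suspicious_template_names(rows):
    """Return template codes whose 3-letter prefix and type match the reported
    pairing. A hunt lead only: a legitimate DEF*/XML template would also match."""
    return [r["TEMPLATE_CODE"] for r in rows
            if REPORTED_PAIRING.get(r["TEMPLATE_CODE"][:3]) == r["TEMPLATE_TYPE_CODE"]]

def extension_prefixes_used(xsl_text):
    """Return sorted prefixes declared with a non-XSLT URI and then referenced in a
    select= expression (the b64:/str: pattern above). Plain XSLT yields []."""
    declared = {p for p, uri in NS_DECL.findall(xsl_text) if uri != XSLT_NS}
    referenced = set()
    for expr in SELECT_EXPR.findall(xsl_text):
        referenced.update(PREFIXED_NAME.findall(expr))
    return sorted(declared & referenced)

if __name__ == "__main__":
    print(suspicious_template_names(TEMPLATE_ROWS), extension_prefixes_used(SUSPECT_XSL))
```

Both checks are triage filters: review each hit against change records and template creation dates rather than treating a match as confirmed compromise.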

Tushar Subhra Dutta