Google Warns of CL0P Ransomware Group Actively Exploiting Oracle E-Business Suite Zero-Day

The cybersecurity landscape faces a new and significant threat as the notorious CL0P ransomware group has launched a large-scale extortion campaign targeting Oracle E-Business Suite (EBS) environments.

Starting September 29, 2025, security researchers began tracking a sophisticated operation where threat actors claimed affiliation with the CL0P extortion brand and initiated a high-volume email campaign targeting executives across numerous organizations.

The campaign represents a continuation of the group’s successful operational model of exploiting zero-day vulnerabilities in widely used enterprise applications.

The threat actors have been exploiting what appears to be CVE-2025-61882, a zero-day vulnerability in Oracle EBS environments, with exploitation activities potentially dating back to July 10, 2025.

Oracle initially reported on October 2, 2025, that attackers may have exploited vulnerabilities patched in July 2025, but subsequently issued emergency patches on October 4 to address the vulnerability after discovering active exploitation.

The campaign follows months of intrusion activity targeting EBS customer environments, with successful data exfiltration from multiple impacted organizations.

Google Cloud analysts identified the sophisticated multi-stage attack methodology employed by the threat actors, which begins with exploitation of Oracle EBS servers through a complex vulnerability chain.

The attackers utilized compromised third-party email accounts, likely sourced from infostealer malware logs sold on underground forums, to send extortion emails to company executives.

These emails contained contact addresses support@pubstorm.com and support@pubstorm.net, which have been associated with the CL0P data leak site since at least May 2025.

The technical analysis reveals that Google Threat Intelligence Group has documented evidence of the group providing legitimate file listings from victim EBS environments to substantiate their extortion claims, with data dating back to mid-August 2025.

The threat actors have indicated that alleged victims can prevent the release of stolen data in exchange for payment, though specific amounts and methods have not been disclosed, following typical modern extortion operation patterns where demands are provided only after initial victim contact.

Multi-Stage Java Implant Framework Deployment

The sophistication of the CL0P operation becomes evident through their deployment of a multi-stage Java implant framework designed specifically for Oracle EBS compromise.

The primary attack vector involves exploitation of the SyncServlet component, allowing for unauthenticated remote code execution.

The threat actors initiate attacks with POST requests to /OA_HTML/SyncServlet, subsequently leveraging the XDO Template Manager functionality to create malicious templates within the EBS database.

The exploit chain demonstrates advanced technical capabilities, with payloads stored as new templates in the XDO_TEMPLATES_B database table.

Template names consistently begin with prefixes “TMP” or “DEF”, with TemplateType set to “XSL-TEXT” or “XML” respectively.

The malicious XSL payload structure follows this format:-

<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.o"
                xmlns:b64="http://www.orac"
                xmlns:jsm="http://www.orac"
                xmlns:eng="http://www.orac"
                xmlns:str="http://www.orac">
    <xsl:template match="/">
        <xsl:variable name="bs" select="b64:decode"/>
        <xsl:variable name="js" select="str:new"/>
        <xsl:value-of select="$code"/>
    </xsl:template>
</xsl:stylesheet>

The framework includes two primary payload chains: GOLDVEIN.JAVA, a Java variant downloader that establishes connections to attacker-controlled command and control servers disguised as “TLSv3.1” handshakes, and the SAGE infection chain consisting of multiple nested Java payloads.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.