
Google’s cybersecurity arm warned Friday that the scale of the extortion campaign targeting Oracle’s E-Business Suite (EBS) may be far larger than originally believed, stating that “more than 100” organizations could have been affected. The revised scope raises alarm over how broadly threat actors may have accessed sensitive data across industries.
In a statement, Google said it had confirmed “dozens” of victims but expects the total to be significantly higher, based on historical patterns observed in similar campaigns. “We are aware of dozens of victims, but we expect there are many more,” said Google analyst Austin Larsen.
The campaign, first publicly detailed in early October, involved attackers sending mass extortion emails to executives, claiming that sensitive data had been stolen from their Oracle EBS deployments. Google and Mandiant began tracking the effort as early as September 29, 2025.
Oracle on October 2 acknowledged that some clients had received extortion demand emails and suggested threat actors may have exploited vulnerabilities already patched in July. Two days later, Oracle released an emergency patch for CVE-2025-61882, the identifier it assigned to a zero-day vulnerability being exploited against EBS installations, and urged customers to apply the update immediately.
Ramp-up timeline and expanded exposure
Google and Mandiant’s investigation traces intrusion activity back to July 10, 2025, when suspicious HTTP traffic targeting the EBS UiServlet component was observed. By August 9, the attackers had reportedly exploited a zero-day vulnerability, before a public patch was available, and initiated data exfiltration from affected organizations.
In September, attackers began dispatching extortion emails from hundreds of compromised third-party accounts, often drawn from infostealer malware logs. Those emails included valid file listings from victim EBS environments and used known CL0P-associated contact addresses (support@pubstorm.com and support@pubstorm.net) to press for payment. None of the currently known victims had yet appeared on the CL0P data leak site, which aligns with prior CL0P campaigns, where data publication is delayed.
Google and Mandiant noted that the campaign likely used multiple exploit chains beyond CVE-2025-61882, involving both the UiServlet and SyncServlet components. The attackers embedded Java payloads in Oracle’s XSL templates stored in the database tables XDO_TEMPLATES_B and XDO_LOBS. Among the techniques identified are the GOLDVEIN.JAVA downloader and a SAGE* chain that leads to an in-memory filter module called SAGEWAVE.
Once inside, attackers executed reconnaissance commands via the EBS account applmgr, including standard Unix tools (e.g., cat /etc/hosts, netstat), and launched reverse shells to attacker-controlled servers. Because the implants reside in memory, they leave few traces on disk, complicating incident response. Some exploit paths even required a custom HTTP header (X-ORACLE-DMS-ECID) to be present to activate the payload logic.
Attribution, implications and warnings
Google has not formally attributed the campaign to a single known threat group. However, it flagged multiple overlaps with FIN11, the cluster historically tied to CL0P operations. The reuse of CL0P-branded contact addresses, along with certain sender accounts previously used in FIN11 campaigns, raises the possibility of shared infrastructure or evolving partnerships. Further, the GOLDVEIN and SAGE toolsets echo prior malware used in incidents linked to FIN11 (particularly the UNC5936 subcluster).
For organizations using Oracle EBS, the immediate priority is to ensure the October 4, 2025 emergency patch (addressing CVE-2025-61882) has been applied, Google suggested. Administrators should scan EBS database tables for templates whose names begin with TMP or DEF, as these have been used to harbor malicious payloads. Outbound access from EBS servers should be restricted to prevent callbacks, and network logs should be monitored for suspicious requests to the TemplatePreviewPG, UiServlet, and SyncServlet endpoints. Memory analysis of Java processes may detect in-memory implants missed by file-based scans.
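The two triage checks above, as an added illustration that is not part of Google’s or Mandiant’s guidance: a small Python hunt script that flags web-tier log lines hitting the watched EBS endpoints and flags XDO template codes starting with TMP or DEF. The log format (Apache/OHS combined style), the request paths and the template names are constructed samples, not real telemetry.

```python
import re
from typing import Iterable

# Endpoints the advisory says to watch for in EBS web-tier request logs.
SUSPECT_PATHS = ("TemplatePreviewPG", "UiServlet", "SyncServlet")

# Assumed combined-log-style line (Apache/OHS access log); adjust for your format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def suspicious_requests(lines: Iterable[str]) -> list[dict]:
    """Return parsed log entries whose request path touches a watched endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; not silently dropped in a real pipeline
        path = m.group("path")
        if any(p in path for p in SUSPECT_PATHS):
            hits.append({"ip": m.group("ip"), "method": m.group("method"),
                         "path": path, "status": int(m.group("status"))})
    return hits


def suspicious_templates(template_codes: Iterable[str]) -> list[str]:
    """Flag template codes (e.g. from XDO_TEMPLATES_B) beginning with TMP or DEF.

    A legitimate name can match too, so hits are leads for review, not verdicts.
    """
    return [c for c in template_codes if c.upper().startswith(("TMP", "DEF"))]


# Constructed sample data for demonstration; not from any real incident.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jul/2025:03:12:44 +0000] "POST /OA_HTML/configurator/UiServlet HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Jul/2025:03:13:01 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 2048',
    '10.0.0.5 - - [10/Jul/2025:03:14:20 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 77',
    '10.0.0.7 - - [10/Jul/2025:03:15:09 +0000] "GET /OA_HTML/RF.jsp?function_id=TemplatePreviewPG HTTP/1.1" 200 9001',
]
SAMPLE_TEMPLATES = ["XDO_CUSTOM_INV", "TMP_A1B2", "DEFAULT_TEMPLATE_1", "AP_CHECK"]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
    print(suspicious_templates(SAMPLE_TEMPLATES))
```

Feed it a real access log and an export of template codes from XDO_TEMPLATES_B to get a first cut of requests and templates worth a closer look.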
Security teams should also be prepared for further revelations: as Google has indicated, the full scale of victimization may yet emerge. The revised estimate of over 100 firms underscores how extensive the fallout could become if more affected organizations come forward.