
A new wave of extortion emails is targeting corporate executives, claiming that sensitive data has been stolen from their Oracle E-Business Suite (EBS) deployments. EBS is an enterprise resource planning platform used by thousands of organizations worldwide. Mandiant (part of Google Cloud) and the Google Threat Intelligence Group (GTIG) are investigating the campaign, which began in late September. According to Genevieve Stark, Head of Cybercrime and Information Operations Intelligence Analysis at GTIG, the claims surfaced on or before September 29, 2025, but investigators have not yet been able to substantiate the attackers' assertions.

Charles Carmakal, CTO of Mandiant at Google Cloud, said the emails are being sent from hundreds of compromised email accounts, at least one of which was previously linked to FIN11, a financially motivated threat group long associated with Clop ransomware operations.

"We are observing a high-volume email campaign launched from compromised accounts," Carmakal stated. "The tactics align with Clop's history, but we lack conclusive evidence that data was actually exfiltrated."

The emails list contact addresses that appear on Clop's data leak site, which points to the gang's involvement even though the data-theft claims remain unverified. Clop, whose activity overlaps with the clusters tracked as TA505 and FIN11, has shifted from deploying ransomware to mass exploitation of zero-day vulnerabilities in file-transfer products. Its track record includes the 2023 MOVEit Transfer campaign, which affected an estimated 2,773 organizations. Mandiant and GTIG advise organizations that run Oracle EBS to review their environments for unusual access patterns and other signs of compromise, regardless of whether they have received one of the emails.

The campaign fits a pattern in Clop's recent activity: data-theft extortion without necessarily deploying ransomware. Sending the demands from legitimate, compromised email accounts makes them more likely to reach executives' inboxes and adds credibility and pressure, since the threat is reputational exposure of stolen data rather than encrypted systems. Oracle EBS is an attractive target because it holds financial, supply-chain, and HR data, so a genuine breach would be highly damaging.

Security teams should keep Oracle EBS and other legacy systems patched and monitor them for anomalous activity, since Clop has repeatedly weaponized vulnerabilities in overlooked or internet-exposed enterprise applications. The U.S. State Department's Rewards for Justice program has offered up to $10 million for information linking Clop to a foreign government, a measure of how seriously the group is regarded, yet the group's continued operations show that proactive defense of these systems remains essential.

Source: BleepingComputer