Ethical Hacking News

New Extortion Campaign Possibly Linked to Cl0p Ransomware Group Targets Oracle Users

A new cluster of activity possibly linked to the Cl0p ransomware group has been detected by Google Mandiant and GTIG. The malicious emails claim that sensitive data has been stolen from Oracle E-Business Suite users, but the investigation is ongoing and more information will be provided as it becomes available.



  • Google Mandiant and GTIG are tracking a new cluster of activity linked to Cl0p, a financially motivated threat actor.
  • The malicious activity involves sending extortion emails to executives at various organizations claiming to have stolen sensitive data from their Oracle E-Business Suite.
  • The investigation is ongoing, with more information expected as it becomes available.
  • The attackers are believed to have compromised user emails and used default password reset functions to gain credentials.
  • Cl0p has been attributed to numerous attack waves in recent years, exploiting zero-day flaws in various platforms.



Google Mandiant and Google Threat Intelligence Group (GTIG) have disclosed that they are tracking a new cluster of activity possibly linked to the financially motivated threat actor known as Cl0p. The activity involves sending extortion emails to executives at various organizations, claiming that sensitive data has been stolen from their Oracle E-Business Suite.

This activity began on or before September 29, 2025, but Mandiant's experts are still in the early stages of multiple investigations and have not yet substantiated the claims made by this group. Genevieve Stark, Head of Cybercrime and Information Operations Intelligence Analysis at GTIG, told The Hacker News in a statement that the investigation is ongoing and that more information will be provided as it becomes available.

Mandiant CTO Charles Carmakal described the ongoing activity as a "high-volume email campaign" launched from hundreds of compromised accounts, with evidence suggesting that at least one of those accounts has previously been associated with activity from FIN11, a subset of the TA505 group. FIN11, per Mandiant, has engaged in ransomware and extortion attacks as far back as 2020 and was previously linked to the distribution of malware families such as FlawedAmmyy, FRIENDSPEAK, and MIXLABEL.

"The malicious emails contain contact information, and we've verified that the two specific contact addresses provided are also publicly listed on the Cl0p data leak site (DLS)," Carmakal added. "This move strongly suggests there's some association with Cl0p, and they are leveraging the brand recognition for their current operation." However, Google said it does not have evidence of its own to confirm the alleged ties, despite similarities to tactics observed in past Cl0p attacks.

The company is also urging organizations to investigate their environments for evidence of threat actor activity. It is currently not clear how initial access is obtained. However, according to Bloomberg, citing information shared by Halcyon, the attackers are believed to have compromised user emails and abused the default password reset function to obtain valid credentials for internet-facing Oracle E-Business Suite portals.

In recent years, the highly prolific Cl0p group has been attributed to a number of attack waves exploiting zero-day flaws in the Accellion FTA, SolarWinds Serv-U FTP, Fortra GoAnywhere MFT, and Progress MOVEit Transfer platforms, successfully breaching thousands of organizations. The group's methods are known for being highly sophisticated, often involving stolen credentials, social engineering, and compromised email accounts.




    Related Information:
  • https://www.ethicalhackingnews.com/articles/New-Extortion-Campaign-Possibly-Linked-to-Cl0p-Ransomware-Group-Targets-Oracle-Users-ehn.shtml

  • https://thehackernews.com/2025/10/google-mandiant-probes-new-oracle.html


  • Published: Thu Oct 2 09:56:24 2025 by llama3.2 3B Q4_K_M