Oracle Clop Data Theft Campaign Started Months Ago
The Clop extortion campaign on Oracle customers last week stemmed from months of intrusion activity tracking back to July 10.

October 9, 2025 | 2 min read

The Clop extortion campaign that made waves last week stemmed from months of intrusion activity targeting Oracle E-Business Suite customer environments, with a new analysis on Thursday tracking the campaign back to July 10.
Last week, Oracle said that the threat actor might have exploited flaws that were patched in July 2025 and also directed customers to apply an emergency patch to address a critical bug (CVE-2025-61882). Researchers with Google Threat Intelligence Group and Mandiant on Thursday said that the threat actor likely exploited this flaw as early as Aug. 9, weeks before a patch was available.
“This overall approach—in which threat actors have leveraged zero-day vulnerabilities, limited their network footprint, and delayed extortion notifications—almost certainly increases the overall impact, given that threat actors may be able to exfiltrate data from numerous organizations without alerting defenders to their presence,” according to the Thursday analysis.
The campaign became public after several executives at firms received extortion emails from the threat actors on Sept. 29; researchers with Google said that they believe the incident has impacted “dozens” of organizations and that the threat actor has been able to exfiltrate “a significant amount” of data from the impacted businesses.
Researchers said that this high-volume email campaign was launched from hundreds of compromised, legitimate third-party accounts – a move by the attackers to make the emails appear more credible and bypass spam filters. The threat actors likely obtained the credentials for these accounts by purchasing infostealer logs on underground forums.
The initial activity, which began in July, involved threat actors chaining together multiple vulnerabilities, including CVE-2025-61882, in order to achieve remote code execution and ultimately steal massive amounts of customer data.
Threat actors also used sophisticated, fileless malware in order to sidestep file-based detection measures. These malware families included the GOLDVEIN.JAVA downloader; the SAGEGIFT payload that then installed SAGELEAF, a malicious Java servlet filter enabling the attackers to deploy an AES-encrypted ZIP archive; and SAGEWAVE, the main payload.
It’s important to note that while the Clop extortion brand is used in this campaign, Google has not formally attributed the activity to a tracked threat group at this time. While there are breadcrumbs linking some of the activity to FIN11, which has previously been associated with Clop operations, there is also evidence that the Clop ransomware and data leak site has not been used exclusively by FIN11, which prevents researchers from attributing the campaign based solely on this factor.
“The pattern of exploiting a zero-day vulnerability in a widely used enterprise application, followed by a large-scale, branded extortion campaign weeks later, is a hallmark of activity historically attributed to FIN11 that has strategic benefits which may also appeal to other threat actors,” said researchers.
Lindsey O’Donnell-Welch is an award-winning journalist who strives to shed light on how security issues impact not only businesses and defenders on the front line, but also the daily lives of consumers.