Oracle E-Business Suite Zero-Day Exploited in Widespread Extortion Campaign

Oct. 10, 2025, 9:04 a.m.

Description

A large-scale extortion campaign targeting Oracle E-Business Suite (EBS) customers began on September 29, 2025. The threat actor, claiming affiliation with the CL0P extortion brand, exploited a zero-day vulnerability (CVE-2025-61882) in EBS as early as August 9, 2025. The campaign involved sending emails to executives alleging data theft from EBS environments. The attackers used a multi-stage Java implant framework to compromise Oracle EBS, exploiting vulnerabilities in the UiServlet and SyncServlet components. The attack chain included the GOLDVEIN.JAVA downloader and the SAGE* infection chain. While not formally attributed, the activity overlaps with confirmed and suspected FIN11 operations. The campaign highlights the ongoing trend of exploiting zero-day vulnerabilities in enterprise applications for data theft and extortion.

Date

  • Created: Oct. 9, 2025, 9:16 p.m.
  • Published: Oct. 9, 2025, 9:16 p.m.
  • Modified: Oct. 10, 2025, 9:04 a.m.

Attack Patterns

  • SAGEWAVE
  • SAGELEAF
  • GOLDVEIN.JAVA
  • SAGEGIFT
  • CL0P