Google Mandiant and the Google Threat Intelligence Group (GTIG) have revealed that they are tracking new activity clusters that may be linked to a financially motivated threat actor known as CL0P.
Malicious Activities sends a terr email to executives from various organizations, claiming they have stolen sensitive data from the Oracle E-Business suite.
“This activity began before September 29, 2025, but Mandiant experts are still in the early stages of multiple investigations and have yet to demonstrate the group’s claims,” Genevieve Stark, director of cybercrime and information operations intelligence analysis at GTIG, told Hacker News.
He also said targeting is opportunistic rather than focusing on specific industries, adding that adding this modus operandi is consistent with previous activities related to CL0P data leak sites.
Mandiant CTO Charles Carmakal described the ongoing activity as a “massive email campaign” launched from hundreds of compromised accounts. It suggests that at least one of these accounts was previously associated with an activity from FIN11, a subset within the TA505 group.
FIN11 per Mandiant will be engaged in ransomware and tor attacks until 2020. Previously, it was linked to the distribution of various malware families such as Flawedamyy, Friendspeak, and MixLabel.
“We have confirmed that the malicious email contains contact information and that the two specific contact addresses provided are also publicly available on the CL0P Data Leak Site (DLS),” Carmakal added. “This move strongly suggests that it is linked to CL0P and leverages current brand awareness of operations.”
That said, Google said it has no evidence in itself to confirm the suspicious relationship, despite the similarity of tactics observed in previous CL0P attacks. The company is also urging organizations to investigate the environment for evidence of threatening actor activity.
It is currently unclear how initial access will be obtained. However, according to Bloomberg, the attacker is believed to have compromised users’ emails, abused the default password reset function, citing information shared by Halikon to obtain valid Oracle E-Business Suite Portals for the Internet.
When contacted in the comments, Oracle told Hacker News “we are aware that some Oracle E-Business Suite (EBS) customers have received fearful mail,” and it was discovered that “potential use of previously identified vulnerabilities addressed in the July 2025 critical patch update” has been discovered.
Rob Duhart, chief security officer at Oracle Corporation, has also urged customers to apply the latest critical patch updates to protect against threats. However, the company did not say which vulnerabilities are under aggressive exploitation.
In recent years, the highly prolific CL0P group has been attributable to many waves of attacks exploiting Accellion FTA, SolarWinds Serv-U FTP, Fortra GoaNy Where MFT, and ongoing mobile transfer platforms, which have infringed thousands of organizations.
update
Cybersecurity company Halcyon said in a report published Thursday that attackers have abused the default password reset function to obtain valid credentials. Specifically, these accounts are bypassing SSO protection due to lack of MFA, which allows threat actors to trigger password resets through the compromised email account and gain valid user access, relying on local Oracle EBS accounts.
“Local accounts bypass enterprise SSO controls, often lacking MFA, leaving thousands of organizations exposed,” he said in the alert. “Ransom demands reach up to $50 million, and attackers provide evidence of compromise, including screenshots and file trees.”
(The story was updated after publication to include answers from Oracle and Google, as well as additional details from Halcyon.)
