Cybersecurity professionals are on high alert as a group claiming ties to the notorious Cl0p ransomware gang has been sending a wave of emails to businesses, threatening to expose data it says was stolen from Oracle's E-Business Suite (EBS). EBS is widely used to run critical business operations, including finance and human resources, which is exactly why a claimed breach of it carries weight even before any data surfaces.
The email campaign began around September 29, 2025, prompting urgent investigations by Mandiant and the Google Threat Intelligence Group (GTIG). Organizations that utilize Oracle’s E-Business Suite are feeling the pressure as they work to address these claims of data breaches.
Linking the Evidence
Charles Carmakal, Chief Technology Officer at Mandiant, shared insights with Hackread.com, revealing that the attack consists of a large-scale email campaign sent from numerous previously compromised third-party email accounts. Initial investigations by Mandiant indicate that at least one of these accounts was formerly associated with FIN11, a cybercriminal organization known for its ransomware tactics and extortion activities.
The group is trading on the Cl0p name, a well-documented, financially motivated cybercrime operation known for large-scale data-theft extortion, including the 2023 MOVEit campaign that affected more than 2,300 organizations. So far the investigation has surfaced one concrete link: two contact addresses in the extortion emails match addresses publicly listed on Cl0p's data leak site. Carmakal noted that this could indicate a genuine connection to Cl0p, or simply a tactical decision by the senders to borrow the group's reputation for added intimidation.
Austin Larsen, Principal Threat Analyst at GTIG, confirmed that the contact addresses referenced in these communications are identical to those found on Cl0p’s leak site. Meanwhile, Genevieve Stark, who heads cybercrime intelligence at GTIG, cautioned that there is currently insufficient evidence to conclusively validate these claims. Cybercriminals often impersonate established entities as a means to increase pressure on potential victims.
Investigators at Mandiant are assessing the Oracle environments of affected organizations, but as of now they have not verified any claim of a successful data theft. The only indicators so far are the extortion emails themselves and the contact addresses linked to Cl0p. Notably, the emails do not name a ransom amount; instead, they urge executives to open negotiations over payment.
Crucially, the Cl0p group has not published any stolen data or acknowledged this campaign through its own channels. With the claims unverified, organizations that receive one of these emails should treat it as a lead rather than proof: confirm which mailboxes received the messages, check whether the contact addresses match the ones tied to Cl0p, and review their EBS instances for signs of compromise before deciding how to respond.
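Because the only hard indicators on record are the emails and the contact addresses that match Cl0p's leak site, the first triage step most teams will take is to sweep received mail for those addresses. The following Python is an added example written for this page, not code from Hackread, Mandiant, GTIG or Oracle. The watchlist addresses and the two sample messages are constructed placeholders; the real leak-site addresses are not reproduced here and would be substituted into WATCHLIST.

```python
"""Triage inbound mail against extortion-campaign indicators.

Added example for this article. WATCHLIST and the sample messages are
constructed placeholders (assumption), not the real Cl0p contact addresses.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# ASSUMPTION: placeholder indicator addresses; replace with the addresses
# actually listed on the leak site before running this against real mail.
WATCHLIST = {
    "contact@leaksite.example",
    "support@leaksite.example",
}

ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def _addresses_in(text: str) -> set[str]:
    """Return every email address found in text, lower-cased."""
    return {a.lower() for a in ADDR_RE.findall(text or "")}


def extract_addresses(msg: EmailMessage) -> set[str]:
    """Collect addresses from the routing headers and the first text body."""
    found: set[str] = set()
    for header in ("From", "Reply-To", "Return-Path", "Sender"):
        found |= _addresses_in(msg.get(header, ""))
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None:
        found |= _addresses_in(body.get_content())
    return found


def triage(raw: bytes) -> dict:
    """Score one RFC 822 message against the campaign indicators.

    watchlist_hits: addresses in the mail that match the indicator list.
    reply_to_mismatch: Reply-To points somewhere other than the sender, the
    pattern seen when mail is sent from compromised third-party accounts but
    the extortionist wants replies routed elsewhere.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    addrs = extract_addresses(msg)
    sender = _addresses_in(msg.get("From", ""))
    reply_to = _addresses_in(msg.get("Reply-To", ""))
    return {
        "subject": msg.get("Subject", ""),
        "watchlist_hits": sorted(addrs & WATCHLIST),
        "reply_to_mismatch": bool(reply_to) and not (reply_to <= sender),
        "flag": bool(addrs & WATCHLIST),
    }


def triage_mailbox(messages: list[bytes]) -> list[dict]:
    """Run triage over many raw messages and return only the flagged ones."""
    return [r for r in (triage(m) for m in messages) if r["flag"]]


# Constructed sample messages (assumption): one mimicking the campaign's
# shape, sent from an unrelated mailbox with a separate contact channel,
# and one ordinary business email.
SAMPLE_EXTORTION = b"""From: Jane Doe <jane@unrelated-company.example>
To: cfo@victim.example
Reply-To: contact@leaksite.example
Subject: Your Oracle E-Business Suite data
Content-Type: text/plain; charset=utf-8

We have your EBS data. Write to support@leaksite.example to discuss payment.
"""

SAMPLE_BENIGN = b"""From: vendor@supplier.example
To: ap@victim.example
Subject: Invoice 1042
Content-Type: text/plain; charset=utf-8

Please find the invoice attached.
"""

if __name__ == "__main__":
    for hit in triage_mailbox([SAMPLE_EXTORTION, SAMPLE_BENIGN]):
        print(hit)
```

A match on the watchlist is a strong signal; the Reply-To mismatch alone is not, since legitimate mail uses it too, which is why only the watchlist drives the flag and the mismatch is reported as supporting context.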
Oracle Responds
Oracle is aware of the situation. In a security advisory, Chief Security Officer Rob Duhart stated that "Oracle is aware that some Oracle E-Business Suite (EBS) customers have received extortion emails." According to the company, its investigation points to potential exploitation of previously identified vulnerabilities that were already fixed in the July 2025 Critical Patch Update. For EBS customers, the practical takeaway is to confirm that the July 2025 CPU has actually been applied to every EBS instance, not only the production one, since the advisory refers to bugs for which fixes already exist.
As this story develops, Hackread.com will keep its audience informed as new information emerges about these threats and their implications in the cybersecurity landscape.