Google has confirmed that Oracle’s E-Business Suite (EBS) was compromised due to a vulnerability in the system, affecting more than 100 organizations. The breach has been linked to the cybercrime group “CL0P,” a Russian-speaking collective known for large-scale extortion campaigns targeting corporations and government agencies.
Google’s Threat Intelligence Group (GTIG) began tracking suspicious activity linked to CL0P on September 29. The alert came after executives at multiple organizations received emails detailing the stolen sensitive data and extortion demands.
Oracle confirmed on October 2 that the attackers may have exploited vulnerabilities that were patched in July 2025. Customers were advised on October 4 to apply updates immediately as outlined in Oracle Security Alert CVE-2025-61882. Unlike the Salesforce breach, which involved compromised customer configurations rather than a platform flaw, this incident stems from a genuine software vulnerability.
Once inside, attackers deploy Java-based implants such as GOLDVEIN, SAGEGIFT, and SAGEWAVE, which use in-memory execution, dynamic filters, and template-based payloads to blend into the system. Some attacks operate under the “applmgr” account, making outbound calls to command-and-control servers and exfiltrating data stealthily.
Although few victims have appeared on the CL0P data leak site so far, this delay is typical of the group’s strategy, which often waits until ransom negotiations conclude before publishing stolen data. Oracle EBS remains a core platform for enterprise operations, making each exploited system a high-value target. The use of zero-day exploits, in-memory payloads, and database-native attacks highlights the sophistication of the threat actors.
This breach underscores a growing risk for enterprise applications. CL0P’s approach of exploit, steal, and extort is familiar, but applying it to software like Oracle EBS represents an escalation in both ambition and potential impact.
2025 has been a challenging year for enterprise security, following the massive Salesforce record theft. The Oracle hack serves as a warning that software flaws, not just misconfigurations, can expose sensitive data across hundreds of organizations.