{
  "name": "Oracle E-Business Suite Zero-Day Exploited in Widespread Extortion Campaign",
  "slug": "oracle-e-business-suite-zero-day-exploited-in-widespread-extortion-campaign",
  "description": "A large-scale extortion campaign targeting Oracle E-Business Suite (EBS) customers began on September 29, 2025. The threat actor, claiming affiliation with the CL0P extortion brand, exploited a zero-day vulnerability (CVE-2025-61882) in EBS as early as August 9, 2025. The campaign involved sending emails to executives, alleging data theft from EBS environments. The attackers used a multi-stage Java implant framework to compromise Oracle EBS, exploiting vulnerabilities in the UiServlet and SyncServlet components. The attack chain included GOLDVEIN.JAVA downloader and SAGE* infection chain. While not formally attributed, the activity shows overlaps with confirmed and suspected FIN11 operations. The campaign highlights the ongoing trend of exploiting zero-day vulnerabilities in enterprise applications for data theft and extortion.",
  "published": "2025-10-09T19:16:57+00:00",
  "created_at": "2025-10-09T19:16:57+00:00",
  "modified_at": "2025-10-10T07:04:09+00:00",
  "created_at_opencti": "2025-10-09T19:16:57+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-10-09",
    "CVE-2025-61882",
    "goldvein",
    "goldvein.java",
    "oracle e-business suite",
    "sagegift",
    "sagewave"
  ],
  "related_entities": {
    "malware": [
      {
        "id": "a6f4c6b7-80da-4a3f-a13f-44beab0c482e",
        "name": "SAGEWAVE",
        "slug": "sagewave"
      },
      {
        "id": "446cded0-81a4-4956-854b-828522d30522",
        "name": "SAGELEAF",
        "slug": "sageleaf"
      },
      {
        "id": "f9de2692-39ab-4f5c-99bf-f95ae2ecbccc",
        "name": "GOLDVEIN.JAVA",
        "slug": "goldveinjava"
      },
      {
        "id": "39aea0cd-3ec1-40c5-8e94-8bfdf2f83d8a",
        "name": "SAGEGIFT",
        "slug": "sagegift"
      }
    ],
    "intrusion_sets": [
      {
        "id": "7a6bf580-0a40-4a15-b5a0-9652255d9876",
        "name": "CL0P",
        "slug": "cl0p"
      }
    ],
    "attack_patterns": [
      {
        "id": "beaa4978-0309-438b-a45e-ec566b643811",
        "name": "T1505.003"
      },
      {
        "id": "a72ebeae-8e62-4039-8135-e9c611011fdc",
        "name": "T1573"
      },
      {
        "id": "dc17cbbd-40d8-43cf-b3cf-50d1276db2c7",
        "name": "T1016"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "dc342445-1b78-48b4-aa06-89ed2ad7c28e",
        "name": "T1071"
      },
      {
        "id": "870bd958-53a3-4d25-9f23-00aa8bd6674d",
        "name": "T1102"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "81ee4813-4f68-4984-bec1-980d7c5b56eb",
        "name": "T1132"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "0b2b1ecd-d52e-492a-af08-050954bc03e5",
        "name": "T1056"
      },
      {
        "id": "b6e505a1-fadb-491a-b4f1-151443fdc8c3",
        "name": "T1001"
      },
      {
        "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62",
        "name": "T1190"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      }
    ]
  },
  "external_refs": [
    "https://cloud.google.com/blog/topics/threat-intelligence/oracle-ebusiness-suite-zero-day-exploitation",
    "https://otx.alienvault.com/pulse/68e826492c3a91b3abe8c6b9"
  ]
}