- Hackers claim to have stolen Oracle E-Business Suite data and are demanding ransom from managers
- Campaign linked to FIN11 and possibly CL0P uses hundreds of compromised email accounts
- No proof of data theft yet; researchers urge checking Oracle logs for suspicious activity
Cybercriminals are emailing leaders at various US organizations, claiming to have stolen sensitive files from their Oracle E-Business Suite systems, and are probably demanding payment in exchange for keeping the files out of public reach.
“This activity began on or before September 29, 2025, but Mandiant’s experts are still in the early stages of several studies and have not yet substantiated the requirements of this group,” said Genevieve Stark, head of cybercrime and information operations intelligence analysis at Google Threat Intelligence Group (GTIG), which, along with Mandiant, has tracked the campaign since the end of September 2025.
In other words, there is still no evidence that what these hackers say is true. Sometimes crooks simply bluff in the hope of being sent money, and this would certainly not be the first time that has happened.
Links to FIN11 and CL0P
What makes this campaign interesting is its links to different hacking collectives.
According to Charles Carmakal, CTO for Mandiant - Google Cloud, the emails are being sent from hundreds of compromised email accounts, including one known to belong to a financially motivated threat actor.
“We are currently observing a high-volume email campaign launched from hundreds of compromised accounts, and our original analysis confirms that at least one of these accounts has previously been associated with activity from FIN11, a long-term financially motivated threat group known for implementing ransomware and engaging in testing,” Carmakal said.
At the same time, the emails contained contact addresses previously listed on CL0P’s data leak site, so it is possible that both groups are involved in the campaign or are simply sharing resources. However, the evidence is not compelling enough to confirm the links.
In any case, researchers recommend that all users review their Oracle E-Business Suite platform’s logs for unusual or suspicious access.
Via BleepingComputer



