Incident

Oracle E-Business Suite customers targeted in extortion email campaign

Take action: If you haven't applied the July 2025 Oracle E-Business Suite patches, start a systematic effort now. It's possible some attackers have found a way to exploit the vulnerabilities those patches address. Even if they haven't, patching is still the right choice.


Oracle customers are being targeted in a large-scale campaign in which senders claiming affiliation with the notorious Clop ransomware group are bombarding executives with emails alleging widespread data theft from Oracle E-Business Suite systems. 

The campaign, which began around September 29, 2025, is an attempt to pressure organizations into paying ransom demands, even though security researchers have not yet confirmed whether any actual data breach has occurred.

Mandiant and Google Threat Intelligence Group are investigating this attack. The malicious emails contain contact information that researchers have verified as being publicly listed on Clop's data leak site. Charles Carmakal, CTO of Mandiant Consulting, confirmed that initial analysis has also linked at least one of the compromised email accounts to FIN11, a long-running financially motivated threat group essentially synonymous with Clop operations.

Oracle on Thursday confirmed it’s aware some Oracle E-Business Suite customers have received extortion emails. “Our ongoing investigation has found the potential use of previously identified vulnerabilities that are addressed in the July 2025 critical patch update,” per a blog post by Rob Duhart, chief security officer at Oracle Security.

Oracle did not say which vulnerabilities are being actively exploited or whether its customers' data was stolen. The July critical patch update included 309 patches, nine of which addressed defects in Oracle E-Business Suite.

The method of compromise, and whether any unauthorized access actually occurred, is not clear. The hackers have not stated how many individuals or organizations are potentially affected.

According to cybersecurity firm Halcyon, which is also responding to the campaign, threat actors have demanded ransoms of up to $50 million in at least one case. The observed extortion emails do not contain specific ransom amounts; they only pressure victims to contact the threat group to begin negotiations.

“But, don’t worry, You can always save your data for payment. We do not seek political power or care about any business. We always fulfil all promises and obligations,” the email said. “We are not interested in destroying your business. We want to take the money and you not hear from us again.”

What distinguishes this campaign from typical Clop operations is the absence of any public data leaks. Unlike previous mass-exploitation campaigns, this activity appears limited to email-based extortion without supporting evidence.

Mandiant and Google recommend that organizations receiving these extortion emails immediately investigate their Oracle E-Business Suite environments for any signs of unusual access or compromise. Security teams should review authentication logs for anomalous activity, assess access controls, and implement enhanced monitoring mechanisms to detect potential breaches. 
