Dozens of organizations may have been impacted following the zero-day exploitation of a security flaw in Oracle's E-Business Suite (EBS) software since August 9, 2025, Google Threat Intelligence Group (GTIG) and Mandiant said in a new report released Thursday.
"We're still assessing the scope of this incident, but we believe it affected dozens of organizations," John Hultquist, chief analyst of GTIG at Google Cloud, said in a statement shared with The Hacker News. "Some historic Cl0p data extortion campaigns have had hundreds of victims. Unfortunately, large-scale zero-day campaigns like this are becoming a regular feature of cybercrime."
The activity, which bears some hallmarks associated with the Cl0p ransomware crew, is assessed to have fashioned together multiple distinct vulnerabilities, including a zero-day flaw tracked as CVE-2025-61882 (CVSS score: 9.8), to breach target networks and exfiltrate sensitive data. Google said it found evidence of additional suspicious activity dating back to July 10, 2025, although how successful these efforts were remains unknown. Oracle has since issued patches to address the shortcoming.
Cl0p (aka Graceful Spider), active since 2020, has been attributed to the mass exploitation of several zero-days in Accellion legacy file transfer appliance (FTA), GoAnywhere MFT, Progress MOVEit MFT, and Cleo LexiCom over the years. While phishing email campaigns undertaken by the FIN11 actors have acted as a precursor for Cl0p ransomware deployment in the past, Google said it found signs of the file-encrypting malware being a different actor.
