Google, Mandiant expose malware and zero-day behind Oracle EBS extortion
Google and Mandiant analyzed an Oracle E-Business Suite (EBS) extortion campaign, revealing the use of malware exploiting flaws patched in July and a likely zero-day vulnerability (CVE-2025-61882). Attackers, likely the Cl0p ransomware group, used stolen credentials to extort executives, claiming to have stolen Oracle EBS data. Exploitation of CVE-2025-61882 began on August 9, with signs of earlier activity on July 10, just before Oracle’s July patches.