Clop Attacks Against Oracle E-Business Suite Trace to July

Signs Point to Multiple Exploit Chains, One Including a Zero-Day, Being Employed Mathew J. Schwartz (euroinfosec) • October 9, 2025

Attacks targeting Oracle E-Business Suite customers appear to have started months before finally being detected.

See Also: Why Cyberattackers Love 'Living Off the Land'

The attacks first came to light on Sept. 29, when attackers claiming to be affiliated with the Russian-speaking Clop - aka Cl0p - ransomware group began emailing victims, threatening to leak stolen data unless they paid cryptocurrency ransoms worth up to $50 million (see: Extortionists Claim Mass Oracle E-Business Suite Data Theft).

Evidence now suggests the attack campaign may have begun as early as July 10 and that "in some cases, the threat actor successfully exfiltrated a significant amount of data from impacted organizations," reported threat researchers at Google Cloud on Thursday.

Investigators found suspicious activity dating back nearly three months ago but no active exploitation ...