Sophisticated Malware Deployed in Oracle EBS Zero-Day Attacks
securityweek
Google Threat Intelligence Group (GTIG) and Mandiant have continued to analyze the recent Oracle E-Business Suite (EBS) extortion campaign and their researchers have identified some of the pieces of malware deployed in the attacks.
The attacks came to light on October 2, when GTIG and Mandiant warned that executives at many organizations using Oracle EBS had received extortion emails. It has since been determined that the hackers likely exploited known EBS vulnerabilities patched in July, probably alongside a zero-day flaw tracked as CVE-2025-61882.
The hacker groups ShinyHunters and Scattered Spider (now calling themselves Scattered LAPSUS$ Hunters) have published a proof-of-concept (PoC) exploit that appears to target CVE-2025-61882, but it’s still unclear which other CVEs are involved in the exploit chain. It’s worth noting that even on its own, according to Oracle, CVE-2025-61882 allows unauthenticated remote code execution.
CrowdStrike has found evidence that exploitation of CVE-2025-61882 started on August ...
Copyright of this story solely belongs to securityweek.