- Hackers claim to have stolen Oracle E-Business Suite data and are demanding ransom from executives
- Campaign linked to FIN11 and possibly CL0P, using hundreds of compromised email accounts
- There is no proof of data theft yet; researchers urge organizations to check their Oracle logs for suspicious activity
Cybercriminals are emailing executives at several US organizations, claiming to have stolen confidential files from their Oracle E-Business Suite systems, and most likely demanding payment in exchange for keeping the files out of public view.
“This activity began on or before September 29, 2025, but Mandiant experts are still in the early stages of multiple investigations, and have not yet justified the statements made by this group,” said Genevieve Stark, head of cybercrime and information intelligence analysis at the Google Threat Intelligence Group (GTIG), which, together with Mandiant, has been monitoring the campaign.
In other words, there is still no evidence that what these hackers say is true. Sometimes criminals simply bluff in the hope of being sent money, and this would certainly not be the first time it has happened.
Links to FIN11 and CL0P
What makes this campaign interesting is its link to different hacking groups.
According to Charles Carmakal, CTO of Mandiant – Google Cloud, the emails are being sent from hundreds of compromised email accounts, including one known to belong to a financially motivated threat actor.
“We are currently observing a high-volume email campaign that is being launched from hundreds of compromised accounts, and our initial analysis confirms that at least one of these accounts has previously been associated with FIN11, a long-running financially motivated threat group known for deploying ransomware and participating in extortion,” said Carmakal.
At the same time, the emails contained contact addresses that were previously listed on the CL0P data leak site, so it is possible that both groups are involved in the campaign or simply share resources. However, the evidence is not convincing enough to confirm the links.
In any case, researchers recommend that all users review the logs of their Oracle E-Business Suite platform for unusual or suspicious access.
Via BleepingComputer