Date: 2025-10-10

The Clop ransomware group likely began targeting Oracle E-Business Suite (EBS) instances as early as August 9, successfully exfiltrating a “significant amount” of data, new insights from Google Threat Intelligence Group (GTIG) and Mandiant have revealed.

An individual or group of people claiming to be working with the Clop ransomware has been observed sending extortion emails to executives at several organizations since September 29.

Google noted that the extortion campaign followed months of intrusion activity by the threat actor and that exploitation of the zero-day CVE-2025-61882 began before patches were available.

Similarities and Overlap with Clop Activities

GTIG analysis, published on October 9, highlighted several indicators that Clop, also tracked as FIN11, was behind the extortion campaign.

The contact addresses listed in the extortion emails sent to executives, support@pubstorm.com and support@pubstorm.net, have been listed on the Clop data leak site (DLS) since at least May 2025.

To substantiate their claims, the threat actor has provided legitimate file listings from victim EBS environments to multiple organizations, with data dating back to mid-August 2025.