- Attackers claim to have stolen data from Oracle E-Business Suite and are demanding a ransom from executives
- Campaign linked to FIN11 and possibly to CL0P, using hundreds of compromised email accounts
- Still no proof of data theft; researchers urge Oracle E-Business Suite users to check their logs for suspicious activity
Cybercriminals are emailing executives at various American organizations, claiming to have stolen sensitive files from their Oracle E-Business Suite systems and, most likely, demanding payment in exchange for keeping the files out of public reach.
“This activity began no later than September 29, 2025, but Mandiant experts are still at the early stages of several investigations and have not yet substantiated the claims made by this group,” said Genevieve Stark, head of cybercrime and information operations intelligence analysis at Google Threat Intelligence Group.
In other words, there is still no evidence that what these hackers say is true. Sometimes crooks simply bluff their way into getting paid, and it would certainly not be the first time that has happened.
Links to FIN11 and CL0P
What makes this campaign interesting is its link to different hacking collectives.
According to Charles Carmakal, CTO of Mandiant at Google Cloud, the emails are sent from hundreds of compromised email accounts, at least one of which is known to belong to a financially motivated threat actor.
“We are currently seeing a high-volume email campaign from hundreds of compromised accounts, and our initial analysis confirms that at least one of these accounts was previously associated with FIN11 activity, a financially motivated threat group known for deploying ransomware and engaging in extortion,” said Carmakal.
At the same time, the emails contained contact addresses that had previously been listed on the CL0P data leak site, so it is possible that the two groups are both involved in the campaign or simply share resources. The evidence is not, however, conclusive enough to confirm the links.
In any case, researchers recommend that all users review the logs of their Oracle E-Business Suite platform for unusual or suspicious access.
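As an added illustration of the two defensive points in this article (the contact addresses carried by the extortion emails, and the recommended review of E-Business Suite access logs), here is a small triage script written for this page; it is not code from Mandiant, Google, Oracle or BleepingComputer. The watchlist addresses, the sample emails and the log lines are all constructed placeholders, and the comma-separated log format is an assumption for the example, not Oracle's own log layout.

```python
import re
from datetime import datetime

# Constructed watchlist: contact addresses a defender has collected from
# public leak-site listings. Placeholders only, not real indicators.
WATCHLIST = {
    "contact-example@example.invalid",
    "restore-example@example.invalid",
}

# Words that, together, are typical of a data-theft extortion note.
EXTORTION_KEYWORDS = ("oracle", "e-business", "stolen", "payment")

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def extract_addresses(text):
    """Return the set of e-mail addresses mentioned in a message body."""
    return {m.rstrip(".").lower() for m in EMAIL_RE.findall(text)}


def triage_message(msg):
    """Flag a received message if it names a watch-listed contact address
    or reads like an extortion note (two or more keywords present)."""
    hits = extract_addresses(msg["body"]) & WATCHLIST
    haystack = (msg["subject"] + " " + msg["body"]).lower()
    keywords = [k for k in EXTORTION_KEYWORDS if k in haystack]
    return {
        "watchlist_hits": sorted(hits),
        "keywords": keywords,
        "suspicious": bool(hits) or len(keywords) >= 2,
    }


# Constructed sample messages (hypothetical senders and content).
SAMPLE_MESSAGES = [
    {
        "from": "assistant@partner-example.invalid",
        "subject": "Your Oracle E-Business Suite data",
        "body": "We have stolen sensitive files from your Oracle E-Business "
                "Suite. Contact contact-example@example.invalid for payment terms.",
    },
    {
        "from": "hr@corp.example",
        "subject": "Quarterly review",
        "body": "Please confirm the meeting at 3pm.",
    },
]

# Constructed access-log lines in an assumed generic format:
# timestamp,user,source_ip,action,status
LOG_LINES = [
    "2025-10-01T09:15:00,jsmith,10.0.4.21,LOGIN,OK",
    "2025-10-01T02:40:00,svc_apps,203.0.113.77,LOGIN,OK",
    "2025-10-01T10:05:00,jsmith,10.0.4.21,EXPORT,OK",
    "2025-10-01T11:00:00,sysadmin,198.51.100.9,LOGIN,FAIL",
    "2025-10-01T11:00:05,sysadmin,198.51.100.9,LOGIN,FAIL",
    "2025-10-01T11:00:10,sysadmin,198.51.100.9,LOGIN,FAIL",
    "2025-10-01T11:00:20,sysadmin,198.51.100.9,LOGIN,OK",
]


def review_access_log(lines, trusted_prefixes=("10.0.",),
                      business_hours=(7, 19), fail_threshold=3):
    """Return findings for access events from untrusted networks, outside
    business hours, or forming a burst of failed logins from one source."""
    findings = []
    failures = {}
    for line in lines:
        ts, user, ip, action, status = line.strip().split(",")
        hour = datetime.fromisoformat(ts).hour
        reasons = []
        if not ip.startswith(trusted_prefixes):
            reasons.append("source outside trusted networks")
        if not business_hours[0] <= hour < business_hours[1]:
            reasons.append("outside business hours")
        if status == "FAIL":
            key = (user, ip)
            failures[key] = failures.get(key, 0) + 1
            if failures[key] == fail_threshold:
                reasons.append(f"{fail_threshold} failed logins from this source")
        if reasons:
            findings.append({"time": ts, "user": user, "ip": ip,
                             "action": action, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["subject"], "->", triage_message(msg))
    for finding in review_access_log(LOG_LINES):
        print(finding)
```

The keyword check is deliberately loose and only meant to surface candidates for a human to read; the watchlist match is the higher-confidence signal, since it ties a message to addresses already seen on a leak site. For the log review, adjust the trusted network prefixes and working hours to the environment before relying on the output.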
Via BleepingComputer