
Threat Intel Content Update: 10/8/2025

  • October 8, 2025

Clop Ransomware-Linked Exploit Activity (Oracle E-Business Suite)

Threat Profiles & Threat Objects

    • "Trending & Emerging Threats” weekly update: Clop Ransomware-Linked Exploit Activity (Oracle E-Business Suite)
      • Actors used a suspected zero-day (previously undisclosed) exploit to compromise vulnerable Oracle EBS instances, allowing them to collect and exfiltrate large volumes of sensitive data. Actors sent extortion emails to senior executives at impacted organizations threatening to leak the data if a ransom wasn’t paid.
        • The actors claimed to be part of the “Clop team”. Clop is a longstanding cybercrime operation that was traditionally associated with ransomware, although its actors have recently focused on stealing data rather than encrypting it. Researchers separately attributed the recent campaign to FIN11 and to GRACEFUL SPIDER (TA505), which are related but likely distinct threat clusters.
      • The primary relevant Tidal object is a new Campaign, but we added and updated others (including Procedures) related to this activity.
      • We featured the Campaign in this week’s update to our “Tidal Spotlight” curated Threat Profile, and updated a more broadly scoped “Clop Extortion Ecosystem” Threat Profile first published earlier this year.

    • Added a Campaign, Group, and Procedures around an apparent breach impacting the Red Hat open-source software company.
      • The incident was likely smaller-scale than initially reported, although it underscores the risk of storing tokens and credentials in repositories, a key factor in the Salesloft Drift data theft incident that gained considerable attention several weeks ago.
