Google Mandiant and Google Threat Intelligence Group (GTIG) disclosed that they are actively tracking a new cluster of activity possibly linked to the financially motivated threat actor known as Cl0p.
The threat actor runs the campaign by sending extortion emails to executives at various organizations, claiming to have stolen sensitive data from the victims' Oracle E-Business Suite environments.
“This activity began on or before September 29, 2025, but Mandiant’s experts are still in the early stages of multiple investigations, and have not yet substantiated the claims made by this group,” Genevieve Stark, Head of Cybercrime and Information Operations Intelligence Analysis at GTIG, told The Hacker News in a statement.
Mandiant CTO Charles Carmakal described the ongoing activity as a “high-volume email campaign” launched from hundreds of compromised accounts. He also explained that evidence suggests at least one of those accounts was previously linked to activity from FIN11, a subset within the TA505 group.
Mandiant noted that FIN11 has conducted ransomware and extortion attacks since 2020. The group previously distributed several malware families, including FlawedAmmyy, FRIENDSPEAK, and MIXLABEL.
“The malicious emails contain contact information, and we’ve verified that the two specific contact addresses provided are also publicly listed on the Cl0p data leak site (DLS),” Carmakal added. “This move strongly suggests there’s some association with Cl0p, and they are leveraging the brand recognition for their current operation.”
Even so, Google emphasized that it has not found direct evidence confirming the alleged ties, despite similarities to past Cl0p attacks. The company also urged organizations to investigate their environments for any signs of threat actor activity.
At this stage, investigators have not yet determined how the attackers gain initial access. However, Bloomberg, citing information from Halcyon, reported that the attackers compromised user email accounts and abused the default password reset function to obtain valid credentials for internet-facing Oracle E-Business Suite portals.
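The reported technique (control the user's mailbox, trigger a self-service password reset, then log in with the new credentials) leaves a detectable sequence in the portal's audit trail: a successful login shortly after a reset, from an address the account has never used. The script below is an added example written for this page, not code from Oracle, Google, Halcyon or The Hacker News. Its log format is hypothetical (one event per line with a timestamp, event name, `user=` and `src=` fields) and the sample lines are constructed; the parser would need to be adapted to whatever audit source a real portal exposes.

```python
"""Flag password-reset-then-login sequences from a new address.

Added example, not Oracle's or Google's code. The log format is
hypothetical (one event per line: timestamp, event name, user=, src=);
map parse_line() to whatever audit source your portal actually exposes.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format). jsmith's reset and the
# login that follows it come from an address the account never used before;
# akhan's reset and login come from the usual address; bwong never reset.
SAMPLE_LOG = """\
2025-09-29T08:02:11Z LOGIN_SUCCESS user=jsmith src=198.51.100.10
2025-09-29T08:15:43Z LOGIN_SUCCESS user=akhan src=203.0.113.7
2025-09-29T21:40:05Z PASSWORD_RESET user=jsmith src=192.0.2.55
2025-09-29T21:47:30Z LOGIN_SUCCESS user=jsmith src=192.0.2.55
2025-09-30T09:01:12Z PASSWORD_RESET user=akhan src=203.0.113.7
2025-09-30T09:05:00Z LOGIN_SUCCESS user=akhan src=203.0.113.7
2025-09-30T10:00:00Z LOGIN_SUCCESS user=bwong src=198.51.100.22
"""

# How long after a reset a login still counts as "following" it.
DEFAULT_WINDOW = timedelta(hours=1)


def parse_line(line):
    """Parse one hypothetical-format event line into a dict."""
    ts, event, user_kv, src_kv = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "event": event,
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def find_suspicious_resets(log_text, window=DEFAULT_WINDOW):
    """Return logins that follow a password reset within `window` and come
    from an address the account had not logged in from before the reset."""
    events = sorted(
        (parse_line(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e["ts"],
    )
    known_ips = defaultdict(set)  # user -> addresses seen logging in so far
    pending = {}                  # user -> most recent reset not yet used
    findings = []
    for ev in events:
        user = ev["user"]
        if ev["event"] == "PASSWORD_RESET":
            pending[user] = ev
            continue
        if ev["event"] != "LOGIN_SUCCESS":
            continue
        # The first login after a reset consumes it, whether or not it is
        # flagged, so an old reset cannot taint a much later login.
        reset = pending.pop(user, None)
        if (reset is not None
                and ev["ts"] - reset["ts"] <= window
                and ev["src"] not in known_ips[user]):
            findings.append({
                "user": user,
                "reset_at": reset["ts"].isoformat(),
                "reset_src": reset["src"],
                "login_at": ev["ts"].isoformat(),
                "login_src": ev["src"],
                "same_src_as_reset": reset["src"] == ev["src"],
            })
        known_ips[user].add(ev["src"])
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_resets(SAMPLE_LOG):
        print(finding)
```

On the constructed sample the script flags only jsmith: the reset and the login seven minutes later both come from 192.0.2.55, which the account had never used. akhan's reset from the usual address is not flagged, because a legitimate reset from a familiar address is exactly the benign case this rule is meant to leave alone. Tightening the window (or requiring the reset source itself to be unfamiliar) trades recall for precision; the `same_src_as_reset` field is there so an analyst can rank the hits.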
The Hacker News has reached out to Oracle for further comment about the extortion campaign and will update the story if the company responds.
In recent years, the highly prolific Cl0p group has carried out multiple attack waves by exploiting zero-day flaws in Accellion FTA, SolarWinds Serv-U FTP, Fortra GoAnywhere MFT, and Progress MOVEit Transfer, breaching thousands of organizations.
Source: TheHackerNews