Who is FIN11, and Why Are They Now Targeting Major Corporate Financial Systems?

Was This the Most Advanced Extortion Campaign of the Year? Decoding the Oracle EBS Attacks

Shakti Sharma

Hackers successfully breached the financial systems of dozens of major companies by exploiting a previously unknown security flaw in Oracle’s widely used E-Business Suite. The attacks, which began months ago, deployed highly advanced ‘fileless’ malware to steal vast amounts of sensitive data from vulnerable databases before demanding ransom from targeted executives.

The Zero-Day and the Scope of the Breach

The attacks were brought to light by the Google Threat Intelligence Group (GTIG) and Mandiant after corporate leaders using the Oracle E-Business Suite (EBS)—a common tool for managing large companies’ finances—began receiving extortion emails. The core issue was a highly critical security flaw, tracked as CVE-2025-61882, which Oracle had not yet patched at the time. This type of vulnerability, known as a ‘zero-day’, allows hackers to execute unauthorized code on a target’s system without needing a password.

Security researchers confirmed that the campaign successfully compromised dozens of organizations, enabling the cybercriminals to steal significant amounts of data. The scale and sophistication of the operation immediately signaled the involvement of a major, well-resourced threat actor.

A ‘Fileless’ Arsenal: GoldVein and the Sage Chain

To carry out the theft, the attackers used unusually sophisticated, multi-stage malware that was designed specifically to avoid detection. Instead of installing traditional software files, the hackers planted a malicious template within the vulnerable Oracle EBS databases.

Researchers identified two main families of these tools, both described as fileless malware because they reside in memory or the database structure, making them difficult for standard security software to spot. One payload, dubbed GoldVein.Java, acted as a downloader to fetch a second-stage weapon.

The second family was a complex, multi-layered chain of Java programs:

  1. SageGift (a loader) started the process.
  2. SageLeaf (a dropper) followed, planting the next element.
  3. SageWave (a servlet filter) was the final deployment mechanism, giving the hackers persistent access and enabling the ultimate data theft.


Extortion and the Trail to FIN11

The ultimate goal of the operation was financial. Once the data was stolen, the hackers sent extortion emails directly to company executives, demanding payment to prevent the data from being released publicly. The emails attempted to use the reputation of the notorious ransomware group Cl0p, a tactic often employed to maximize fear and compliance.

[Image: CVE-2025-61882 exploitation]

However, forensic analysis by Mandiant and GTIG found the digital fingerprints of a different, but equally dangerous, group: the cybercrime collective known as FIN11. This group is infamous for large-scale data theft campaigns, and the methods and tools used in the Oracle attack strongly mirrored previous operations linked to the gang. FIN11 has a history of targeting widely used business software with zero-day flaws to maximize their victim count.

Exploitation Began Before the Fix

One of the most concerning revelations was the timeline of the attack. While the Oracle EBS vulnerabilities only came to public light in early October, evidence suggests that the exploitation of the zero-day flaw may have begun as early as July 10, 2025.

This timing is critical because it occurred just before Oracle released its scheduled security patches for other vulnerabilities in July. This implies the hackers were either testing their zero-day exploit or actively compromising systems for two months before security experts became aware of the threat, granting the cybercriminals a significant, undetected head start. The full extent of the data stolen and the number of organizations affected is still under investigation.
