
A notorious ransomware and extortion gang known as Clop (aka Cl0p) has unleashed its latest campaign, this time exploiting a zero-day vulnerability in Oracle’s E-Business Suite (EBS) software. Starting in late September 2025, executives at dozens of organizations began receiving extortion emails from Clop, claiming the cybercriminals had breached their Oracle EBS systems and stolen sensitive data.
Oracle EBS is a widely used enterprise resource planning platform, managing business data like customer records, HR files, and financial information. By breaching a common platform, Clop was able to hit many companies at once, marking a continuation of its playbook of mass exploitation of third-party software vulnerabilities.
In August 2025, Clop quietly exploited an Oracle EBS zero-day vulnerability (CVE-2025-61882) to gain access to Oracle customers’ data. The attackers remained undetected for weeks, exfiltrating large volumes of files. Then on September 29, 2025, Clop blasted out hundreds of extortion emails using compromised email accounts, demanding ransom payments from victim organizations under threat of leaking stolen data.

To prove their claims, the cybercriminals even provided file directory listings from the Oracle systems, showing they truly had access. Initially, Oracle believed the attackers had only used already-patched vulnerabilities from earlier in the year, but it soon became clear a new zero-day exploit was involved. Oracle released emergency patches in early October once they confirmed the vulnerability was unknown and actively exploited.
Who Was Hit? From Universities to Enterprises

Within weeks of the extortion campaign, Clop’s leak site began naming alleged victims of the Oracle EBS breach. Nearly 30 organizations have been listed on Clop’s site so far.
These include major enterprises and institutions: for example, tech manufacturer Logitech, industrial giants Schneider Electric and Emerson, mining firm Pan American Silver, automotive supplier LKQ Corporation, HVAC firm Copeland, and media conglomerate Cox Enterprises, among others.
Clop even named Harvard University and South Africa’s Wits University, showing that educational institutions were not spared. While many listed companies stayed silent initially, a few high-profile victims have now publicly confirmed breaches tied to this campaign.
One of the first to acknowledge the impact was Harvard University, which confirmed that a zero-day in Oracle EBS was used to steal data associated with a small administrative unit at the university. Harvard applied Oracle’s patch as soon as it was available and emphasized that the issue was part of a broader campaign affecting many organizations, not just Harvard.
Similarly, American Airlines’ subsidiary Envoy Air disclosed that its Oracle EBS system was compromised. Envoy’s investigation found no customer data exposed, only a limited amount of business and contact information, but Clop still leaked Envoy’s internal files on its site. Clop had initially listed the breach under American Airlines’ name, a tactic the gang often uses – naming a well-known parent company to pressure the victim, even if the breach was limited to a subsidiary.
Another notable victim was The Washington Post. In early November 2025, the newspaper confirmed it was one of those impacted by the breach of the Oracle E-Business Suite platform, after Clop added the Washington Post to its victim blog. The Post did not share details of the stolen data, but its public acknowledgment points to the wide reach of this attack.
GlobalLogic, a digital engineering firm owned by Hitachi, also revealed that it was hit. In breach notification filings, GlobalLogic reported that personal data of nearly 10,500 current and former employees, including names, contact info, birth dates, passport and Social Security numbers, and bank details, was exposed through the Oracle EBS hack.
These confirmations from Harvard, Envoy Air, the Washington Post, and GlobalLogic make clear that the Clop campaign affected a wide cross-section of industries, from education and media to aviation and tech consulting.
Clop’s leak site suggests even more organizations have been hit, and cybersecurity analysts estimate over 100 companies may have been impacted in total. As is common with ransomware extortion, Clop tends to publicly name victims (and even publish stolen files) if the targeted organization refuses to pay.
Some victims likely paid Clop to keep their data private, while others are quietly investigating before making any public statements. The fallout is still unfolding, but the confirmed breaches so far paint a picture of a far-reaching supply-chain-style attack with serious data exposure.
Read on to the end of this blog to see the updated list of organisations Clop has alleged as victims in this campaign.
A Pattern of Targeting Widely Used Platforms
Clop has built a reputation for one-to-many attacks by exploiting vulnerabilities in software used across multiple organizations. Rather than hacking individual companies one at a time, Clop often finds a weak link in a common platform, breaks into many organizations through that same vulnerability, steals data, and then issues ransom demands en masse.
In early 2023, Clop hackers abused a zero-day vulnerability in Fortra’s GoAnywhere managed file transfer (MFT) software to breach over 100 companies in one campaign. Just a few months later, Clop conducted its most extensive attack to date by exploiting a vulnerability in Progress Software’s MOVEit Transfer platform.
That MOVEit campaign resulted in data theft from a staggering 2,773 organizations worldwide. Victims of the MOVEit hack ranged from energy firms and banks to universities and government agencies, showing how a single software vulnerability can have global ripple effects.
Clop has also been linked to earlier supply-chain-style breaches: a late-2020 exploit of the Accellion File Transfer Appliance impacted around 100 organizations, and a 2021 zero-day in SolarWinds’ Serv-U FTP software was similarly leveraged for data theft. Even in 2024, Clop continued this trend by exploiting vulnerabilities in the Cleo file transfer platform to extort companies.
Their focus on high-value data repositories and applications (like file transfer systems or ERP suites) means they can steal large troves of sensitive information quickly, without having to spend time on lateral movement through a network.
Conclusion – Data Exfiltration Enabled Clop’s Attack
Oracle’s EBS is a backbone system for many large enterprises and public sector organizations. That made it a jackpot target for Clop. By weaponizing an ERP platform used by hundreds of big organizations, the attackers maximized their reach and potential payout.
Oracle released patches for the EBS zero-day in October, but evidence suggests Clop had been exploiting it since July. This lag gave the adversaries a multi-month window to harvest data uninterrupted.
If organizations had deployed an endpoint anti data exfiltration (ADX) solution such as BlackFog, many of the behaviors involved in these intrusions would likely have been detected, disrupted, or fully prevented.
ADX solutions monitor outbound traffic, block unauthorized data flows, and intervene before sensitive information can leave the environment. This makes them one of the few controls designed specifically to counter the techniques Clop depends on.
Updated Victim Listings
Since we posted this blog covering Cl0p’s “Oracle wave,” the group’s leak site has continued to add names, and more organisations have come forward publicly. Below is an updated list of alleged victims associated with this extortion campaign. We will keep this list updated as new victims are claimed or confirmed.
October
- Harvard University
- Milgard Windows & Doors
- University of Witwatersrand
- American Airlines
- Vertiv Group
- Copeland LP
- HRSD
- Schneider Electric
- CSC Global
- Ausenco
- LKQ Corporation
- David Yurman
- Pan American Silver Corp
- COX Enterprises
- MasTec
- Ansell
November
- LV=
- Rheem Manufacturing
- John Wood Group PLC
- Elsewedy Electric
- Kier Group
- Logitech
- International Motors LLC
- MKS Inc
- Trimble Inc
- Kirby Corporation
- Zanaco
- Washington Post
- NHS England
- Garden of Life LLC
- Vitamix
- Carglass Germany
- ennVee TechnoGroup Inc
- Globus And Cosmos
- Gaea Global Technologies Inc
- Samcrete Holdings
- P2 Energy Services
- Agritech Limited
- Dartmouth College
- Entrust
- Pens.com
- Forbes Marshall
- Helix Energy Solutions Group
- AFL Global
- Integra LifeSciences
- Martiz
- TPI Composites
- Fluke Corporation
- SATO Corporation
- Cytiva
- NCH Corporation
- Elkay
- Life Fitness
- Tulane University
- The Research Foundation of SUNY
- Bel Fuse Inc
- Garland Independent School District
- Avail Infrastructure Solutions
- ALASEEL
- Incentive Concepts
- Aosom
- Legacy Classic
- iBizSoft Inc
- Eighteen
- SIJ Acroni
- Zain Group
- VIP Apps Consulting Limited
- Maryland Association of Agricultural Fairs and Shows
- Inventive IT
- Interoil Exploration & Production ASA
- Korean Air Catering & Duty Free Services
- Hypertherm Associates
- Al Quraishi Marketing Company Limited
- NorthEastern Consulting
- Nama Group
- Anywhere Real Estate Inc
- KNEX Technology
- Intellinum
- Madison Square Garden
- HCMS Partners
- A10
- Oracle
- Greater Cleveland RTA
- Envoy
- Aljomaih Automotive Company
- Fruit of the Loom
- Frontol Inc
- Humana
- Abbott
- Mazda
- MAS holdings
- Canon
- Trane Technologies
- Grupo Bimbo
- Bechtel Corporation
- Estée Lauder Corporation
- Alshaya Group
- Fleet Management Limited
- Mazda North American Operations
- Worley
- L&L Products
- University of Phoenix
- Treet Corp
- Broadcom
- Dooney & Bourke
- WellBiz Brands Inc
- Michelin
- Sumitomo Chemical
- Greenball
Last Updated: 11/28/2025 11:50GMT






