For the latest developments, please refer to our update published October 8, 2025.
On October 2, 2025, multiple cybersecurity outlets reported on a high-volume email-based extortion campaign targeting executives at large enterprises. These outlets quote Google’s Threat Intelligence Group (GTIG) executives, who confirmed that the campaign began on or before September 29, 2025.
The campaign involves emails claiming that sensitive data has been stolen from Oracle E-Business Suite (EBS) environments. Some sources suggested the threat actors abused password-reset functions on internet-facing EBS portals to obtain credentials for individual user accounts and then used those accounts in the campaign.
Researchers reported that some of the email accounts used by the threat actors are linked to FIN11, a financially motivated threat actor group previously associated with Clop. The Clop ransomware group is known for exploiting zero-day vulnerabilities in enterprise software and conducting mass data theft campaigns.
Oracle E-Business Suite is a widely deployed enterprise resource planning (ERP) platform used to manage financials, human resources, supply chain, and customer relationship data.
As of this writing, Oracle has not confirmed any breach or vulnerability in EBS. Mandiant and Google have not found technical evidence of compromise, and no data has been publicly leaked to substantiate the attackers' claims.
Analyst insight
In this campaign, the actors appear to be leveraging brand recognition and urgency to pressure victims, rather than demonstrating verified data exfiltration. The emails target executives directly, suggesting a strategic attempt to provoke payment decisions without technical evidence.
The impact remains speculative, but if the claims were valid, compromised data could include payroll records, contracts, and financial information from global enterprises.
One plausible vector for unauthorized access is the use of valid credentials obtained from cybercriminal marketplaces. These credentials may originate from prior breaches or phishing campaigns and allow attackers to log in as legitimate users. Because the login itself is valid, this tactic bypasses traditional perimeter defenses and is difficult to distinguish from normal activity without a behavioral baseline.
Abuse of password-reset functions on externally exposed Oracle EBS portals could further enable access, especially in environments where passwords are reused across systems or multi-factor authentication is not enforced.
Organizations using Oracle EBS, particularly those with internet-facing portals and default configurations, are advised to assess their exposure. Monitoring for unusual login activity, especially successful logins from unexpected geographies or during off-hours, and for password resets followed shortly by a login from a new source, can help identify credential-based intrusions.
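The following is an added illustration of the monitoring described above, not code from the original article or from Oracle. It runs a few simple detections over constructed login events: a first-seen country for a user, a successful login outside business hours, a password reset followed by a login from the same source within a short window, and a burst of failures ending in success. The event format (timestamp, user, source IP, country, outcome), the business-hours window and the thresholds are assumptions for the example; they are not Oracle EBS's own audit layout and would need to be mapped onto whatever login telemetry the environment actually produces.

```python
"""Credential-abuse detections over constructed login events (added example).

The CSV layout, business-hours window and thresholds below are assumptions
for illustration; they are not Oracle E-Business Suite's native audit format.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events (UTC): timestamp,user,source_ip,country,outcome.
# Two users with a daytime baseline, then night-time resets and logins from a
# new country, with a failure burst preceding one of them.
SAMPLE_EVENTS = """\
2025-09-28T09:12:04Z,jdoe,203.0.113.10,US,SUCCESS
2025-09-28T13:47:19Z,jdoe,203.0.113.10,US,SUCCESS
2025-09-29T08:30:55Z,jdoe,203.0.113.10,US,SUCCESS
2025-09-29T10:02:11Z,asmith,198.51.100.7,DE,SUCCESS
2025-09-30T02:14:33Z,jdoe,192.0.2.77,NL,PASSWORD_RESET
2025-09-30T02:16:40Z,jdoe,192.0.2.77,NL,SUCCESS
2025-09-30T02:20:01Z,asmith,192.0.2.77,NL,FAILURE
2025-09-30T02:20:09Z,asmith,192.0.2.77,NL,FAILURE
2025-09-30T02:20:18Z,asmith,192.0.2.77,NL,FAILURE
2025-09-30T02:20:40Z,asmith,192.0.2.77,NL,PASSWORD_RESET
2025-09-30T02:21:05Z,asmith,192.0.2.77,NL,SUCCESS
"""

BUSINESS_HOURS = range(7, 20)           # 07:00-19:59 UTC (assumed; tune per site)
RESET_WINDOW = timedelta(minutes=30)    # reset -> login gap that is suspicious
FAILURE_WINDOW = timedelta(minutes=10)  # window for counting failed attempts
FAILURE_THRESHOLD = 3                   # failures before a success that we flag


def parse_events(text):
    """Parse CSV text into dicts with timezone-aware timestamps, oldest first."""
    rows = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        ts, user, ip, country, outcome = row
        rows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "user": user, "ip": ip, "country": country, "outcome": outcome,
        })
    return sorted(rows, key=lambda r: r["ts"])


def detect(events):
    """Return (timestamp, user, ip, [reasons]) for each suspicious successful login.

    State is built incrementally, so the first login ever seen for a user
    cannot trigger the geography rule (there is no baseline yet).
    """
    seen_countries = defaultdict(set)   # user -> countries with a prior SUCCESS
    last_reset = {}                     # user -> (ts, ip) of latest PASSWORD_RESET
    recent_failures = defaultdict(list)  # user -> timestamps of FAILURE events
    findings = []
    for e in events:
        user, ts = e["user"], e["ts"]
        if e["outcome"] == "PASSWORD_RESET":
            last_reset[user] = (ts, e["ip"])
            continue
        if e["outcome"] == "FAILURE":
            recent_failures[user].append(ts)
            continue
        # Everything below applies to a SUCCESS event.
        reasons = []
        if seen_countries[user] and e["country"] not in seen_countries[user]:
            reasons.append("new_geography")
        if ts.hour not in BUSINESS_HOURS:
            reasons.append("off_hours")
        reset = last_reset.get(user)
        if reset and ts - reset[0] <= RESET_WINDOW and reset[1] == e["ip"]:
            reasons.append("reset_then_login")
        fails = [f for f in recent_failures[user] if ts - f <= FAILURE_WINDOW]
        if len(fails) >= FAILURE_THRESHOLD:
            reasons.append("failure_burst_then_success")
        recent_failures[user] = []           # a success closes the failure window
        seen_countries[user].add(e["country"])
        if reasons:
            findings.append((ts.isoformat(), user, e["ip"], reasons))
    return findings


def run_sample():
    """Run the detections over the constructed sample and return the findings."""
    return detect(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for ts, user, ip, reasons in run_sample():
        print(f"{ts} {user} from {ip}: {', '.join(reasons)}")
```

Both night-time logins are flagged; the second also carries the failure-burst indicator because three failures preceded the reset and login from the same address. In production the country would come from a GeoIP lookup on the source address, and the business-hours window would be set per user population rather than globally.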
Validating email headers and metadata from executive-targeted extortion messages may assist in attribution and containment. Incident response teams should be engaged to evaluate credential hygiene, reset workflows, and prepare communication protocols in case of direct contact from threat actors.
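As an added example of the header validation mentioned above (not code from the original article), the script below triages a constructed extortion message: it records the SPF, DKIM and DMARC results from Authentication-Results, walks the Received chain to recover the relay addresses and the earliest visible hop, and compares the domains of From, Reply-To and Return-Path, since a Reply-To pointing elsewhere is what routes the victim's response to the extortionist. The message, addresses and hostnames are constructed for illustration and are not taken from the real campaign.

```python
"""Extortion e-mail header triage over a constructed message (added example).

Nothing here is a real message from the campaign; the hosts and addresses use
reserved example ranges and TLDs.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: the message arrives via a relay, authenticates for the
# relay's domain only, and asks the victim to reply to a third domain.
SAMPLE_RAW = """\
Received: from mail.example-relay.test (mail.example-relay.test [203.0.113.45])
\tby mx.victim.example (Postfix) with ESMTPS id ABC123
\tfor <ceo@victim.example>; Tue, 30 Sep 2025 03:15:22 +0000
Received: from [192.0.2.200] (unknown [192.0.2.200])
\tby mail.example-relay.test with ESMTPA id XYZ789;
\tTue, 30 Sep 2025 03:15:20 +0000
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=example-relay.test;
\tdkim=none; dmarc=fail header.from=trusted-partner.example
From: "Finance Desk" <finance@trusted-partner.example>
Reply-To: <contact-us@mail.example-anon.test>
Return-Path: <bounce@example-relay.test>
To: ceo@victim.example
Subject: Your Oracle E-Business Suite data
Date: Tue, 30 Sep 2025 03:15:20 +0000
Message-ID: <20250930031520.1@mail.example-relay.test>

We have your data.
"""

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def _domain(header_value):
    """Lower-cased domain part of the first address in a header, or ''."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()


def triage(raw_message):
    """Extract attribution-relevant header facts and a list of indicators."""
    msg = email.message_from_string(raw_message, policy=policy.default)

    from_domain = _domain(str(msg.get("From", "")))
    reply_to_domain = _domain(str(msg.get("Reply-To", "")))
    return_path_domain = _domain(str(msg.get("Return-Path", "")))

    auth = {k.lower(): v.lower()
            for k, v in AUTH_RESULT.findall(str(msg.get("Authentication-Results", "")))}

    # Received headers are prepended by each hop, so the top one is the most
    # recent relay and the bottom one is the earliest hop visible to us.
    received_ips = []
    for header in msg.get_all("Received", []):
        m = IPV4_IN_BRACKETS.search(str(header))
        if m:
            received_ips.append(m.group(1))
    origin_ip = received_ips[-1] if received_ips else None

    indicators = []
    if reply_to_domain and reply_to_domain != from_domain:
        indicators.append("reply_to_domain_mismatch")
    if return_path_domain and return_path_domain != from_domain:
        indicators.append("return_path_domain_mismatch")
    for mech in ("spf", "dkim", "dmarc"):
        if auth.get(mech) in ("fail", "none", "softfail"):
            indicators.append(f"{mech}_{auth[mech]}")

    return {
        "from_domain": from_domain,
        "reply_to_domain": reply_to_domain,
        "return_path_domain": return_path_domain,
        "auth": auth,
        "received_ips": received_ips,
        "origin_ip": origin_ip,
        "indicators": indicators,
    }


def triage_sample():
    """Triage the constructed sample message."""
    return triage(SAMPLE_RAW)


if __name__ == "__main__":
    for key, value in triage_sample().items():
        print(f"{key}: {value}")
```

The Reply-To and Return-Path domains are the pieces most useful for containment, since blocking or watching them interrupts the extortionist's channel regardless of which compromised account sent the message. Received headers added by hops you do not control can be forged, so only the hops recorded by your own mail infrastructure should be treated as reliable for attribution.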