The campaign, first identified in late September, involves high-volume email activity from hundreds of compromised accounts. The attackers allege they have stolen data from Oracle E-Business Suite environments and are demanding ransom payments, though investigators say there is no current evidence that the claims are genuine.

In a statement shared with Capacity, Genevieve Stark, head of cybercrime and information operations intelligence analysis at Google Threat Intelligence Group said: “This activity began on or before September 29, 2025, but Mandiant’s experts are still in the early stages of multiple investigations, and have not yet substantiated the claims made by this group.”

According to Charles Carmakal, chief technology officer at Mandiant at Google Cloud:

“Mandiant and Google Threat Intelligence Group are actively tracking recent activity involving an actor claiming affiliation with the Clop extortion group.

“We are currently observing a high-volume email campaign being launched from hundreds of compromised accounts and our initial analysis confirms that at least one of these accounts has been previously associated with activity from FIN11, a long-running financially motivated threat group known for deploying ransomware and engaging in extortion.

“The malicious emails contain contact information, and we’ve verified that the two specific contact addresses provided are also publicly listed on the Clop data leak site.

“This move strongly suggests there’s some association with Clop and they are leveraging the brand recognition for their current operation.”

Carmakal added that while the tactics align with an extortion motive, Google has not found sufficient evidence to confirm the veracity of the group’s claims. He noted that attribution in financially motivated cybercrime is often complex, with actors frequently mimicking established groups to heighten pressure on potential victims.

Oracle confirmed that some customers using its E-Business Suite have received such emails but stressed that it has found no indication of a breach within its own systems. The company said it continues to advise clients to apply the latest security updates and monitor for suspicious access activity.

Google said its threat-intelligence teams are continuing to monitor the situation closely and are working with affected organisations to assess potential exposure.

“We recommend targeted organisations investigate their environments for evidence of threat actor activity,” Carmakal added.

At the time of writing, neither Mandiant nor Oracle has identified any confirmed victim breaches resulting from the campaign.

However, both companies continue to advise customers to remain vigilant, apply the latest patches, and follow best-practice guidance for incident response.

