In September 2025, companies around the world began receiving mass emails from the Clop extortion group, containing threats and claims of data theft from Oracle E-Business Suite (EBS). Although the claims have not yet been verified, the incident has raised serious concern among cybersecurity experts.

According to Mandiant and Google's Threat Intelligence Group (GTIG), the campaign began on September 29, 2025. The emails were sent from hundreds of compromised accounts, which helped the messages evade blocking in the early stages. In some cases the sender addresses matched contacts published on the Clop leak site. Charles Carmakal, CTO of Mandiant, noted that one of the accounts had previously been linked to the activities of FIN11, a group known for ransomware operations. Despite the similarity of tactics, experts have not yet confirmed that data was actually stolen from Oracle EBS systems.
Mandiant and GTIG recommend that companies receiving such emails check their Oracle E-Business Suite environments for unusual access and other signs of compromise. Practically, that means reviewing web-tier access logs and application user activity on internet-facing EBS components, and preserving the extortion emails themselves with full headers, since the sending accounts are indicators in their own right.
Clop (associated with the TA505 and FIN11 activity clusters) has been operating since 2019 and specializes in attacks on large corporate networks. Its hallmark is double extortion: data is stolen before systems are encrypted, so that victims are pressured to pay twice, once for a decryptor and once for "silence" about the stolen data. In its recent mass-exploitation campaigns the group has often skipped encryption entirely and extorted on the basis of stolen data alone.
The most notable Clop campaigns, all built on zero-days in internet-facing file-transfer products:
2020 — zero-day in Accellion FTA, ~100 victims.
2021 — attack via SolarWinds Serv-U.
2023 — exploitation of GoAnywhere MFT, 100+ companies.
2023 — MOVEit Transfer, large-scale campaign, 2,700+ organizations.
2024 — two zero-days in Cleo file-transfer products (Harmony, VLTrader, LexiCom).
The US State Department's Rewards for Justice program has offered up to $10 million for information linking Clop to a foreign government.
Although data theft has not yet been proven, the wave of extortion emails shows that Clop is preparing for, or already running, another large-scale campaign. Companies need to act proactively: check their Oracle EBS infrastructure, strengthen monitoring, and train personnel. Any negligence can be costly.