
Clop extortion emails claim theft of Oracle E-Business Suite data


Mandiant and Google are tracking a new extortion campaign in which executives at multiple companies received emails claiming that sensitive data was stolen from their Oracle E-Business Suite systems.

According to Genevieve Stark, Head of Cybercrime and Information Operations Intelligence Analysis at GTIG, the campaign began in late September.

"This activity began on or before September 29, 2025, but Mandiant's experts are still in the early stages of multiple investigations, and have not yet substantiated the claims made by this group," Stark said.

Charles Carmakal, CTO of Mandiant – Google Cloud, stated that the extortion emails are being sent from a large number of compromised email accounts.

"We are currently observing a high-volume email campaign being launched from hundreds of compromised accounts and our initial analysis confirms that at least one of these accounts has been previously associated with activity from FIN11, a long-running financially motivated threat group known for deploying ransomware and engaging in extortion," Carmakal explained.

Mandiant and GTIG report that the emails contain contact addresses known to be listed on the Clop ransomware gang's data leak site, indicating a possible link to the extortion group.

However, Carmakal says that while the tactics are similar to Clop's previous extortion campaigns and the email addresses indicate a potential link, there is not enough evidence to determine if data has actually been stolen.

Mandiant and GTIG recommend that organizations receiving these emails investigate their environments for unusual access or compromise in their Oracle E-Business Suite platforms.

BleepingComputer contacted the Clop ransomware gang to confirm if they are behind the extortion emails, but has not received a response at this time.

We have also contacted Oracle to determine if they are aware of any recent zero-day exploitation that may have led to the theft of data.
