Oracle Hack Confirmed by Google, Over 100 Companies Affected


After weeks of ongoing developments relating to the Salesforce data breach, Google has confirmed that Oracle’s E-Business Suite (EBS) has been compromised due to a vulnerability in the system.

The hack has been linked to the cybercrime group “CL0P”, a Russian-speaking collective known for highly effective, large-scale extortion campaigns against corporations and government agencies.

Executive Extortion Campaign

Starting on September 29, Google’s Threat Intelligence Group (GTIG) began tracking suspicious activity linked to the CL0P group. This was brought to light when a large number of executives at numerous organizations received emails confirming the sensitive data that was stolen in the attack, as well as details around the extortion.

Oracle confirmed on October 2 that the actors may have exploited vulnerabilities that were patched in July 2025. On October 4, Oracle directed customers to apply the updates from the following security alert as soon as possible: Oracle Security Alerts CVE-2025-61882.

Unlike the Salesforce incident, this appears to involve an actual vulnerability in Oracle’s software. Salesforce, on the other hand, maintains that there has been no breach of its own platform – only of customer orgs that were compromised due to misconfigurations.

How Does It Work?

Once they gain a foothold, the attackers deploy Java-based implants (e.g., GOLDVEIN, SAGEGIFT, SAGEWAVE) that combine in-memory execution, dynamic filters, and template-based payload delivery through the database.

In some cases, they operate under the “applmgr” account, make outbound calls to command-and-control servers, and exfiltrate data stealthily.
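As an added defender-side illustration (not tooling from Google's report or from Oracle), the following Python flags connection events in which the EBS service account applmgr reaches a host outside the internal address space, the kind of egress that the command-and-control traffic described above would produce. The log line format, addresses and internal ranges are constructed assumptions.

```python
"""Flag outbound connections by the Oracle EBS 'applmgr' account to hosts
outside the organisation's address space. Added illustration, not Google's
or Oracle's tooling; log format, addresses and ranges are constructed."""
import ipaddress
import re

# Constructed sample: one connection event per line.
# Format (assumption): "<ISO time> user=<u> exe=<path> dst=<ip>:<port>"
SAMPLE_LOG = """\
2025-09-29T03:14:07Z user=applmgr exe=/u01/java/bin/java dst=10.20.5.40:1521
2025-09-29T03:14:09Z user=applmgr exe=/u01/java/bin/java dst=203.0.113.77:443
2025-09-29T03:15:12Z user=oracle exe=/u01/db/bin/sqlplus dst=10.20.5.40:1521
2025-09-29T03:16:30Z user=applmgr exe=/usr/bin/curl dst=198.51.100.9:8080
2025-09-29T03:17:02Z user=applmgr exe=/u01/java/bin/java dst=10.20.7.12:443
"""

# Internal ranges the EBS application tier is expected to talk to (assumption).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EBS_ACCOUNTS = {"applmgr"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) exe=(?P<exe>\S+) "
    r"dst=(?P<ip>[\d.]+):(?P<port>\d+)$"
)

def parse_line(line):
    """Parse one constructed event line; return None for unrecognised lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ip"] = ipaddress.ip_address(ev["ip"])
    ev["port"] = int(ev["port"])
    return ev

def is_internal(ip):
    """True when the address falls inside one of the expected internal ranges."""
    return any(ip in net for net in INTERNAL_NETS)

def find_external_egress(log_text, accounts=EBS_ACCOUNTS):
    """Return events where an EBS service account reached a non-internal host.
    Such egress is unexpected for the application tier and warrants review."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is not None and ev["user"] in accounts and not is_internal(ev["ip"]):
            alerts.append(ev)
    return alerts

if __name__ == "__main__":
    for ev in find_external_egress(SAMPLE_LOG):
        print(f"{ev['ts']} {ev['user']} {ev['exe']} -> {ev['ip']}:{ev['port']}")
```

On the constructed sample the two external destinations (the java process and the curl call) are reported while the database-bound traffic on 10.20.x.x is ignored.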

Although Google has not yet observed many victims publicly listed on the CL0P data leak site, this is typical of CL0P’s modus operandi: delay the data publication until after ransom negotiations.

Oracle EBS remains a core ERP and enterprise operations platform for many organizations, making each exploited system a high-value target. The use of zero-days, in-memory exploits, and database-native payloads shows a sophisticated attacker approach that reduces reliance on broad lateral movement.

This playbook – exploit, steal, extort – isn’t new for CL0P or threat groups like FIN11. But applying it to enterprise apps like Oracle EBS shows an escalation in ambition and risk.

Final Thoughts 

It’s fair to say that 2025 has been a bad year for enterprise security. Within days of hackers announcing the theft of over 1 billion Salesforce records, this confirmation of a large-scale hack from Google and Oracle shows that the attackers are not slowing down.

The Oracle data breach stands out because it’s not simply a case of misconfigurations or weak passwords; it’s a real software flaw, and one that is likely to have impacted upwards of 100 companies.
