
"Google's Threat Intelligence Group (GTIG) and Mandiant are tracking the "high-volume" activity, which began last month, and are investigating whether there is any truth to the attackers' boasts. In a statement to The Register, Genevieve Stark, head of cybercrime and information operations intelligence analysis at GTIG, said: "This activity began on or before September 29, 2025, but Mandiant's experts are still in the early stages of multiple investigations, and have not yet substantiated the claims made by this group.""
"Mandiant CTO Charles Carmakal told The Register that two specific contact addresses used in the malicious emails are publicly listed on Clop's dark web leak site. "This move strongly suggests there's some association with Clop and they are leveraging the brand recognition for their current operation," he added. Google and Mandiant have not identified evidence of a vulnerability or breach in Oracle's E-Business Suite, a widely used enterprise resource planning (ERP) platform that manages financials, human resources, and supply chain operations."
Threat actors claiming links to the Clop ransomware group are sending high-volume extortion emails to Oracle executives alleging theft of sensitive E-Business Suite data. Google's Threat Intelligence Group (GTIG) and Mandiant are tracking the activity and investigating the attackers' assertions. GTIG reported activity beginning on or before September 29, 2025, and Mandiant has not substantiated the claims. Analysts note possible Clop association because two contact addresses used in the emails appear on Clop's dark web leak site. Unlike prior Clop operations that publicly leaked stolen data, the current campaign so far only involves email-based extortion and lacks proof of a breach.
Read at The Register