
"Mandiant CTO Charles Carmakal described the ongoing activity as a "high-volume email campaign" that's launched from hundreds of compromised accounts, with evidence suggesting that at least one of those accounts has been previously associated with activity from FIN11, which is a subset within the TA505 group. FIN11, per Mandiant, has engaged in ransomware and extortion attacks as far back as 2020. Previously, it was linked to the distribution of various malware families like FlawedAmmyy, FRIENDSPEAK, and MIXLABEL."
"The malicious activity involves sending extortion emails to executives at various organizations and claiming to have stolen sensitive data from their Oracle E-Business Suite. "This activity began on or before September 29, 2025, but Mandiant's experts are still in the early stages of multiple investigations, and have not yet substantiated the claims made by this group," Genevieve Stark, Head of Cybercrime and Information Operations Intelligence Analysis at GTIG, told The Hacker News in a statement."
Google Mandiant and Google Threat Intelligence Group (GTIG) are tracking a cluster of activity possibly linked to Cl0p. The actors send extortion emails to executives claiming to have stolen sensitive data from the targets' Oracle E-Business Suite deployments. Mandiant describes a high-volume email campaign launched from hundreds of compromised accounts, at least one of which was previously associated with FIN11, a subset of TA505. FIN11 has conducted ransomware and extortion attacks since at least 2020 and previously distributed malware families including FlawedAmmyy, FRIENDSPEAK, and MIXLABEL. The malicious emails include contact addresses that match entries on the Cl0p data leak site, which suggests a possible association; the initial access method remains unclear, the data-theft claims have not been substantiated, and a definitive link to Cl0p is unconfirmed.
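Because the campaign is sent from compromised, otherwise legitimate accounts, the sender address is a weak pivot; the contact addresses the extortionists put in the body or Reply-To header, which the summary above says overlap with leak-site entries, are the better one. The following triage helper, added here as an example rather than code from Mandiant, GTIG or The Hacker News, flags mail that claims theft of Oracle E-Business Suite data and cross-references every address it carries against a contact-address list. The messages and the KNOWN_CONTACTS set are constructed placeholders, not real indicators; populate the set from your own intelligence feed.

```python
"""Triage helper for extortion mail claiming Oracle E-Business Suite data theft.

Sample messages and the indicator list are constructed for illustration only.
"""
import re
from email import message_from_string
from email.utils import getaddresses

# Any address-shaped token; the body is where extortion contacts usually sit.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Loose match for the product named in the campaign's claims.
CLAIM_RE = re.compile(r"oracle\s+e-?business\s+suite|\bEBS\b", re.IGNORECASE)

# Constructed placeholder indicators (assumption: you replace these with
# contact addresses collected from your own threat-intel sources).
KNOWN_CONTACTS = {
    "support@leak-site.example",
    "unlock@mail.example",
}


def plain_body(msg) -> str:
    """Concatenate the text/plain content of a parsed message."""
    if not msg.is_multipart():
        return msg.get_payload()
    return "".join(
        part.get_payload()
        for part in msg.walk()
        if part.get_content_type() == "text/plain"
    )


def extract_contacts(msg) -> set:
    """Addresses from From/Reply-To plus anything address-like in the body."""
    headers = msg.get_all("From", []) + msg.get_all("Reply-To", [])
    addrs = {addr.lower() for _, addr in getaddresses(headers) if addr}
    addrs |= {a.lower() for a in EMAIL_RE.findall(plain_body(msg))}
    return addrs


def triage(raw_message: str, known=KNOWN_CONTACTS) -> dict:
    """Classify one raw RFC 822 message.

    verdict: "match"  -> a contact address is on the known list
             "review" -> claims EBS data theft but no known contact
             "clear"  -> neither signal present
    Note the sender is never used as a signal on its own: in this campaign
    the sending accounts are compromised legitimate mailboxes.
    """
    msg = message_from_string(raw_message)
    contacts = extract_contacts(msg)
    matched = contacts & set(known)
    claims_ebs = bool(CLAIM_RE.search(plain_body(msg)))
    if matched:
        verdict = "match"
    elif claims_ebs:
        verdict = "review"
    else:
        verdict = "clear"
    return {"verdict": verdict, "matched": matched,
            "contacts": contacts, "claims_ebs": claims_ebs}


# Constructed sample messages.
MSG_EXTORTION = """From: "Accounts" <alice@compromised-vendor.example>
Reply-To: support@leak-site.example
To: ceo@victim.example
Subject: Your data

We have downloaded sensitive documents from your Oracle E-Business Suite.
Contact us at unlock@mail.example within 72 hours or the files go public.
"""

MSG_BENIGN = """From: it@victim.example
To: ceo@victim.example
Subject: EBS patching window

Oracle E-Business Suite will be unavailable on Saturday for patching.
"""

MSG_OTHER = """From: hr@victim.example
To: ceo@victim.example
Subject: Holiday schedule

The office is closed on Monday.
"""

if __name__ == "__main__":
    for name, raw in (("extortion", MSG_EXTORTION), ("benign", MSG_BENIGN), ("other", MSG_OTHER)):
        print(name, triage(raw))
```

The product keyword on its own only earns a "review" verdict: legitimate IT mail about E-Business Suite will trip it, as the benign sample shows, so the known-contact match is what should drive an automated response.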
Read at The Hacker News