Sophisticated Malware Deployed in Oracle EBS Zero-Day Attacks
Briefly

"Google Threat Intelligence Group (GTIG) and Mandiant have continued to analyze the recent Oracle E-Business Suite (EBS) extortion campaign and their researchers have identified some of the pieces of malware deployed in the attacks. The attacks came to light on October 2, when GTIG and Mandiant warned that executives at many organizations using Oracle EBS had received extortion emails. It has since been determined that hackers likely exploited known EBS vulnerabilities patched in July, likely along with a zero-day flaw tracked as CVE-2025-61882."
"The hacker groups ShinyHunters and Scattered Spider (now calling themselves Scattered LAPSUS$ Hunters) have published a proof-of-concept (PoC) exploit that appears to target CVE-2025-61882, but it's still unclear which other CVEs are involved in the exploit chain. It's worth noting that even on its own, according to Oracle, CVE-2025-61882 allows unauthenticated remote code execution. CrowdStrike has found evidence that exploitation of CVE-2025-61882 started on August 9."
"A blog post published on Thursday by GTIG and Mandiant reveals that some suspicious activity was seen as early as July 10, right before Oracle published its July patches. GTIG and Mandiant have not obtained definitive proof, but they say it's plausible that the July 10 activity was an early attempt to exploit EBS servers. GTIG and Mandiant researchers have also analyzed the exploit chain and malware deployed in the Oracle EBS campaign."
GTIG and Mandiant have continued analyzing the Oracle E-Business Suite (EBS) extortion campaign and have identified some of the malware deployed in the attacks. The campaign came to light on October 2, when GTIG and Mandiant warned that executives at many organizations running Oracle EBS had received extortion emails. The attackers likely chained known EBS vulnerabilities patched in July with a zero-day tracked as CVE-2025-61882, which, according to Oracle, allows unauthenticated remote code execution even on its own. ShinyHunters and Scattered Spider, now operating as Scattered LAPSUS$ Hunters, published a PoC exploit that appears to target CVE-2025-61882, though which other CVEs are involved in the exploit chain remains unclear. CrowdStrike found evidence of exploitation dating to August 9, and GTIG and Mandiant observed suspicious activity as early as July 10, just before Oracle released its July patches, which they consider a plausible early attempt to exploit EBS servers. The attackers created malicious EBS templates that store their payloads, including a downloader tracked as GoldVein.Java that attempts to fetch a second-stage payload.
Read at SecurityWeek