Oracle E-Business Suite Zero-Day Exploited in Widespread Extortion Campaign

    Date: 10/10/2025

    Severity: High

    Summary

    Beginning in late September 2025, a threat actor linked to the CL0P extortion group launched a large-scale campaign targeting organizations using Oracle E-Business Suite (EBS). The attackers claimed to have stolen sensitive data and used email-based extortion tactics against executives. Investigations revealed the exploitation of a zero-day vulnerability, likely CVE-2025-61882, which was abused as early as August 9, 2025, before a patch was available. Oracle released critical and emergency patches in response. The campaign involved a multi-stage Java implant framework and showed signs of earlier intrusion activity dating back to July 2025.

    Indicators of Compromise (IOC) List

    URLs/Domains

    breachforums.hn

    pubstorm.com

    pubstorm.net

    santat7kpllt6iyvqbr7q4amdv6dzrh6paatvyrzl7ry3zm72z

    /OA_HTML/OA.jsp?page=/oracle/apps/xdo/oa/template/webui/TemplatePreviewPG...

    /OA_HTML/configurator/UiServlet

    /OA_HTML/SyncServlet

    /help/state/content/destination./navId.1/navvSetId.iHelp/

    /support/state/content/destination./navId.1/navvSetId.iHelp/

    IP Addresses

    Hashes

    Emails

    support@pubstorm.com

    support@pubstorm.net

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "pubstorm.net" or siteurl like "pubstorm.net" or url like "pubstorm.net" or domainname like "pubstorm.com" or siteurl like "pubstorm.com" or url like "pubstorm.com" or domainname like "breachforums.hn" or siteurl like "breachforums.hn" or url like "breachforums.hn" or domainname like "santat7kpllt6iyvqbr7q4amdv6dzrh6paatvyrzl7ry3zm72z" or siteurl like "santat7kpllt6iyvqbr7q4amdv6dzrh6paatvyrzl7ry3zm72z" or url like "santat7kpllt6iyvqbr7q4amdv6dzrh6paatvyrzl7ry3zm72z"

    Detection Query 2:

    siteurl like "/OA_HTML/OA.jsp?page=/oracle/apps/xdo/oa/template/webui/TemplatePreviewPG..." or url like "/OA_HTML/OA.jsp?page=/oracle/apps/xdo/oa/template/webui/TemplatePreviewPG..." or siteurl like "/OA_HTML/configurator/UiServlet" or url like "/OA_HTML/configurator/UiServlet" or siteurl like "/OA_HTML/SyncServlet" or url like "/OA_HTML/SyncServlet" or siteurl like "/help/state/content/destination./navId.1/navvSetId.iHelp/" or url like "/help/state/content/destination./navId.1/navvSetId.iHelp/" or siteurl like "/support/state/content/destination./navId.1/navvSetId.iHelp/" or url like "/support/state/content/destination./navId.1/navvSetId.iHelp/"

    Detection Query 3:

    dstipaddress IN ("200.107.207.26","161.97.99.49","162.55.17.215","104.194.11.200","185.174.100.242","185.181.60.11","185.80.234.254","192.241.102.198","85.17.28.253","95.217.144.48","31.210.170.160","64.20.35.130") or srcipaddress IN ("200.107.207.26","161.97.99.49","162.55.17.215","104.194.11.200","185.174.100.242","185.181.60.11","185.80.234.254","192.241.102.198","85.17.28.253","95.217.144.48","31.210.170.160","64.20.35.130")

    Detection Query 4:

    md5hash IN ("23094d64721a279c0ce637584b87d6f1","b296d3b3115762096286f225696a9bb1","d3bbb54a9e93f355f7830e298a99161d","e278700f827590c1dff9e24116bde4da")

    Detection Query 5:

    sha1hash IN ("f90ac7ef934cb7d4d5e7f21338961727ca72fa6d","99c208a55513bde70d4322fdcab86c8cb4188616","4871816be6a1128d2cf2f516788a6b8bc39b0d60")

    Detection Query 6:

    sha256hash IN ("76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d","aa0d3859d6633b62bccfb69017d33a8979a3be1f3f0a5a4bf6960d6c73d41121","6fd538e4a8e3493dda6f9fcdc96e814bdd14f3e2ef8aa46f0143bff34b882c1b")

    Detection Query 7:

    sender IN ("support@pubstorm.com","support@pubstorm.net") OR recipients IN ("support@pubstorm.com","support@pubstorm.net") OR from IN ("support@pubstorm.com","support@pubstorm.net")
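    As an added illustration of what Detection Queries 2 and 3 look for (not Gurucul's or the advisory's own code): the URL-path and source-IP indicators from those queries applied to web-server access-log lines in Python, matching the paths as prefixes so query strings and trailing segments still hit. The combined log format, the field names and the sample lines are assumptions constructed for the example.

```python
import re

# Indicators copied from Detection Queries 2 and 3 above. The TemplatePreviewPG
# path is truncated on the page, so it is matched only as a prefix.
EBS_PATHS = (
    "/OA_HTML/OA.jsp?page=/oracle/apps/xdo/oa/template/webui/TemplatePreviewPG",
    "/OA_HTML/configurator/UiServlet",
    "/OA_HTML/SyncServlet",
    "/help/state/content/destination./navId.1/navvSetId.iHelp/",
    "/support/state/content/destination./navId.1/navvSetId.iHelp/",
)
IOC_IPS = frozenset({
    "200.107.207.26", "161.97.99.49", "162.55.17.215", "104.194.11.200",
    "185.174.100.242", "185.181.60.11", "185.80.234.254", "192.241.102.198",
    "85.17.28.253", "95.217.144.48", "31.210.170.160", "64.20.35.130",
})

# Assumed Apache/nginx combined format: client, ident, user, [time], "request", status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

def check_line(line):
    """Parse one line; return {"src", "url", "reasons"} or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    reasons = []
    if m["src"] in IOC_IPS:
        reasons.append("src-ip-ioc")
    # Prefix match so query strings and extra path segments still hit. The /help and
    # /support paths are generic; a hit there without a matching IP is lower confidence.
    if any(m["url"].startswith(p) for p in EBS_PATHS):
        reasons.append("ebs-path-ioc")
    return {"src": m["src"], "url": m["url"], "reasons": reasons}

def scan(lines):
    """Keep only parsed lines that hit at least one indicator."""
    return [h for h in map(check_line, lines) if h and h["reasons"]]

# Constructed sample lines, not real traffic; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE = [
    '203.0.113.7 - - [09/Aug/2025:02:14:05 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5123',
    '200.107.207.26 - - [09/Aug/2025:02:14:09 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 311',
    '198.51.100.4 - - [09/Aug/2025:02:15:41 +0000] "GET /OA_HTML/configurator/UiServlet?x=1 HTTP/1.1" 200 88',
    '198.51.100.9 - - [09/Aug/2025:02:16:00 +0000] "GET /OA_HTML/RF.jsp HTTP/1.1" 404 0',
]
```

    A hit on both the source IP and an EBS path, as on the second sample line, is the combination worth escalating first; a path-only hit on the generic help paths should be correlated with other evidence before action.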

    References:

    https://cloud.google.com/blog/topics/threat-intelligence/oracle-ebusiness-suite-zero-day-exploitation

    https://www.fortiguard.com/outbreak-alert/oracle-e-business-suite-rce
