
"⚠️ Google Threat Intelligence Group (GTIG) is tracking a new, high-volume extortion campaign from an actor claiming affiliation with the notorious CLOP group. Starting on or around September 29, 2025, this actor began sending extortion emails to executives at numerous organizations. The emails claim the actor has breached their Oracle E-Business Suite applications and stolen sensitive data. While the claims of a successful data breach are currently unverified, we've identified strong links to the financially motivated group FIN11 (often associated with CLOP):"
"According to Genevieve Stark, Head of Cybercrime and Information Operations Intelligence Analysis at GTIG, the campaign began in late September. "This activity began on or before September 29, 2025, but Mandiant's experts are still in the early stages of multiple investigations, and have not yet substantiated the claims made by this group," Stark said. Charles Carmakal, CTO of Mandiant - Google Cloud, stated that the extortion emails are being sent from a large number of compromised email accounts."
Mandiant and Google are tracking a high-volume extortion campaign targeting executives with emails claiming sensitive data was stolen from Oracle E-Business Suite systems. GTIG reports the campaign began on or before September 29, 2025, and Mandiant says investigations are in early stages with claims unsubstantiated. The extortion messages are being sent from hundreds of compromised email accounts, a tactic linked to FIN11. At least one compromised account ties directly to past FIN11 activity, and the contact addresses mirror those on the CLOP leak site. GTIG states insufficient evidence exists to validate the breach claims.
Read at DataBreaches.Net