Lawrence Abrams reports:
Mandiant and Google are tracking a new extortion campaign where executives at multiple companies received emails claiming that sensitive data was stolen from their Oracle E-Business Suite systems.
According to Genevieve Stark, Head of Cybercrime and Information Operations Intelligence Analysis at GTIG, the campaign began in late September.
“This activity began on or before September 29, 2025, but Mandiant’s experts are still in the early stages of multiple investigations, and have not yet substantiated the claims made by this group,” Stark said.
Charles Carmakal, CTO of Mandiant – Google Cloud, stated that the extortion emails are being sent from a large number of compromised email accounts.
Read more at Bleeping Computer.
In related news, CyberScoop has reported the contents of one of the extortion emails.
In a post on LinkedIn, Austin Larsen, principal threat analyst with the Google Threat Intelligence Group, wrote:
⚠️ Google Threat Intelligence Group (GTIG) is tracking a new, high-volume extortion campaign from an actor claiming affiliation with the notorious CLOP group.
Starting on or around September 29, 2025, this actor began sending extortion emails to executives at numerous organizations. The emails claim the actor has breached their Oracle E-Business Suite applications and stolen sensitive data.
While the claims of a successful data breach are currently unverified, we’ve identified strong links to the financially motivated group FIN11 (often associated with CLOP):
➡️ The campaign uses hundreds of compromised email accounts to send the messages, a tactic previously used by FIN11. At least one of these accounts has been directly tied to past FIN11 activity.
➡️ The contact addresses provided in the extortion notes ([email protected] and [email protected]) are the same ones publicly listed on the official CLOP data leak site.At this time, GTIG does not have sufficient evidence to substantiate the actor’s claims. Attribution in this space is often complex, and we frequently see actors mimic established groups to leverage their brand recognition, increasing pressure on victims to pay.
Given the connections to a well-established extortion operation, we strongly recommend organizations treat these emails seriously and investigate their environments for any evidence of threat actor activity.