Mandiant and Google are tracking a new extortion campaign where executives at multiple companies received emails claiming that sensitive data was stolen from their Oracle E-Business Suite systems.
According to Genevieve Stark, Head of Cybercrime and Information Operations Intelligence Analysis at GTIG, the campaign began in late September.
"This activity began on or before September 29, 2025, but Mandiant's experts are still in the early stages of multiple investigations, and have not yet substantiated the claims made by this group," Stark said.
Charles Carmakal, CTO of Mandiant – Google Cloud, stated that the extortion emails are being sent from a large number of compromised email accounts.
"We are currently observing a high-volume email campaign being launched from hundreds of compromised accounts and our initial analysis confirms that at least one of these accounts has been previously associated with activity from FIN11, a long-running financially motivated threat group known for deploying ransomware and engaging in extortion," Carmakal explained.
In an example of the extortion email shared with BleepingComputer, Clop says they breached the company's Oracle E-Business Suite in a data theft attack.
"We are CL0P team. If you haven't heard about us, you can google about us on internet," reads the extortion email shared with BleepingComputer.
"We have recently breached your Oracle E-Business Suite application and copied a lot of documents. All the private files and other information are now held on our systems."
"But, don't worry. You can always save your data for payment. We do not seek political power or care about any business. So, your only option to protect your business reputation is to discuss conditions and pay claimed sum."
"In case you refuse, you will lose all abovementioned data: some of it will be sold to the black actors, the rest will be published on our blog and shared on torrent trackers."
Source: Google
Mandiant and GTIG report, and BleepingComputer has confirmed, that the email addresses listed in the extortion email are the same as those on the Clop ransomware gang's data leak site, indicating a possible link to the extortion group.
However, Carmakal says that while the tactics are similar to Clop's previous extortion campaigns and the email addresses indicate a potential link, there is not enough evidence to determine if data has actually been stolen.
Mandiant and GTIG recommend that organizations receiving these emails investigate their environments for unusual access or compromise in their Oracle E-Business Suite platforms.
BleepingComputer contacted the Clop ransomware gang to confirm if they are behind the extortion emails, but has not received a response at this time.
We have also contacted Oracle to determine if they are aware of any recent zero-day exploitation that may have led to the theft of data.
If you have any information regarding this incident or any other undisclosed attacks, you can contact us confidentially via Signal at 646-961-3731 or at tips@bleepingcomputer.com.
Who is the Clop extortion gang?
The Clop ransomware operation, also tracked as TA505, Cl0p, and FIN11, launched in March 2019 when it began targeting enterprise networks with a variant of the CryptoMix ransomware.
Like other ransomware gangs, Clop members breach corporate networks, steal data, and then deploy ransomware to encrypt systems.
The stolen data and encrypted files are then used as leverage to force companies to pay a ransom demand in exchange for a decryptor and to prevent the leaking of the stolen data.
While the group is still known to deploy ransomware, since 2020 it has shifted to exploiting zero-day vulnerabilities in secure file transfer platforms to steal data.
Some of their most notable attacks include:
- 2020: Exploiting a zero-day in the Accellion FTA platform, affecting nearly 100 organizations.
- 2021: Exploiting a zero-day in SolarWinds Serv-U FTP software.
- 2023: Exploiting a zero-day in the GoAnywhere MFT platform, breaching over 100 companies.
- 2023: Exploiting a zero-day in MOVEit Transfer, Clop's most extensive campaign to date, which allowed data theft from 2,773 organizations worldwide.
The most recent campaign associated with Clop was in October 2024, when the threat actors exploited two Cleo file transfer zero-days (CVE-2024-50623 and CVE-2024-55956) to steal data and extort companies.
The U.S. State Department currently offers a $10 million reward through its Rewards for Justice program for information linking Clop's ransomware activities to a foreign government.
Update 10/2/25: Added sample of Clop extortion email being sent to companies.