Oracle EBS didn’t get “ransomwared.” It got quietly siphoned—then your execs got extortion emails from “support@pubstorm[.]com.” 🧵
CL0P-branded tradecraft (FIN11-style) pushed in-memory Java loaders via BI Publisher/TemplatePreview, left minimal disk, and came back through selective servlet filters. Oracle rushed CVE-2025-61882 (12.2.3–12.2.14).
Google/Mandiant say the campaign likely hit 100+ orgs. Detection lives in app/DB signals, not static IOCs.
Quick wins: patch CVE-2025-61882, lock down EBS egress, and hunt for suspicious XDO templates (TemplateCode prefixed TMP|DEF, TemplateType XSL-TEXT|XML). 🚨
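One way to run that template hunt directly against the EBS database, as an added example that is not from this thread or the linked post. It assumes the standard BI Publisher tables XDO_TEMPLATES_B (template metadata) and XDO_LOBS (template bodies) with their usual WHO columns, and the XDO_LOBS lob_type value 'TEMPLATE'; verify the column names against your release before relying on it.

```sql
-- Added hunting query (assumption: standard XDO_TEMPLATES_B / XDO_LOBS schema).
-- Lists templates whose code starts with TMP or DEF and whose type is
-- XSL-TEXT or XML, newest first, with the stored body size so that
-- unexpected or recently created entries stand out for manual review.
-- Run read-only as APPS; every hit still needs a human to confirm it.
SELECT t.application_short_name,
       t.template_code,
       t.template_type_code,
       t.data_source_code,
       t.creation_date,
       t.created_by,
       t.last_update_date,
       t.last_updated_by,
       l.lob_type,
       l.xdo_file_type,
       DBMS_LOB.GETLENGTH(l.file_data) AS file_bytes   -- body size of the stored template
FROM   xdo_templates_b t
LEFT JOIN xdo_lobs l
       ON  l.application_short_name = t.application_short_name
       AND l.lob_code               = t.template_code
       AND l.lob_type               = 'TEMPLATE'      -- assumption: body rows use this lob_type
WHERE  (t.template_code LIKE 'TMP%' OR t.template_code LIKE 'DEF%')
AND    t.template_type_code IN ('XSL-TEXT', 'XML')
ORDER  BY t.creation_date DESC;
```

Compare created_by / creation_date against your change records: a template nobody deployed, or one created outside a patching window, is the row to pull the body for.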
What’s your fastest “by Friday” win: egress allowlist or TemplatePreview hunt—and why?
Read the full breakdown → https://blog.alphahunt.io/cl0p-fin11-go-in-memory-on-oracle-ebs-the-extortion-comes-later
#AlphaHunt #OracleEBS #CL0P #Ransomware #ThreatIntel