Cybersecurity professionals should be alarmed! The Cl0p hacking group (also referred to as Graceful Spider) has allegedly exploited a major vulnerability in Oracle’s E-Business Suite (EBS) software. Although this campaign is recent, the group has been operating since at least 2020. It is most infamous for abusing zero-day vulnerabilities and explicitly targeting managed file transfer appliances: the Accellion legacy file transfer appliance, GoAnywhere MFT, Progress MOVEit MFT, and Cleo LexiCom.
The breach period then began on August 9, 2025. The incident raises further alarm that many other organizations have been affected. The hackers exploited an undisclosed vulnerability in the “/OA_HTML/SyncServlet” component of Oracle’s software to gain remote code execution. The exploitation triggered an XSL payload through the Template Preview feature, allowing Cl0p to run several reconnaissance commands.
Breach Summary
Hackers took advantage of hundreds of compromised third-party accounts across a wide range of unrelated organizations. The attack is notable for its scale and sophistication.
Technical Details of the Breach
The first and most advanced of Cl0p’s new tactics is chaining together two different sets of Java payloads embedded inside XSL payloads. One particularly interesting variant is GOLDVEIN.JAVA, which functions as a downloader for later payloads from a command-and-control (C2) server. This staged approach lets the attackers decide what runs next after initial access, retaining control and flexibility over their attack chain.
The exploitation process starts by triggering GOLDVEIN.JAVA from a forked Java process. The hackers then execute commands via a bash shell spawned from the EBS account “applmgr”. The credentials leveraged in this attack were allegedly bought on underground forums, probably sourced from infostealer malware log sets.
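The two observables described above (requests reaching the SyncServlet path, and a shell spawned by a Java process under the EBS application account) are what a defender would hunt for first. The following is an added detection example written for this article; it is not code from the original post, from Oracle, or from any incident report. The access-log lines and process events are constructed samples, and the field names in the process events (user, parent_image, image, cmdline) are assumed to come from whatever EDR or auditd normalisation a team already has.

```python
import re

# Constructed sample access-log lines (Apache combined format).
# These are invented for the example and are not from any real incident.
ACCESS_LOG = """\
203.0.113.10 - - [09/Aug/2025:02:14:07 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Aug/2025:02:14:09 +0000] "GET /OA_HTML/RF.jsp?function_id=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.10 - - [09/Aug/2025:02:15:31 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 500 0 "-" "curl/8.4.0"
192.0.2.44 - - [09/Aug/2025:03:01:12 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Constructed process-creation events (parent -> child), in the shape an EDR or
# auditd pipeline might emit after normalisation. Field names are assumed.
PROC_EVENTS = [
    {"user": "applmgr", "parent_image": "/u01/app/jdk/bin/java",
     "image": "/bin/bash", "cmdline": "bash -c 'id; uname -a'"},
    {"user": "applmgr", "parent_image": "/u01/app/jdk/bin/java",
     "image": "/u01/app/jdk/bin/java", "cmdline": "java -jar oacore.jar"},
    {"user": "oracle", "parent_image": "/bin/bash",
     "image": "/usr/bin/sqlplus", "cmdline": "sqlplus / as sysdba"},
    {"user": "applmgr", "parent_image": "/u01/app/jdk/bin/java",
     "image": "/bin/sh", "cmdline": "sh -c 'cat /etc/hosts'"},
]

# Minimal parser for the combined log format: client IP, timestamp, method,
# request path and HTTP status are all we need for this hunt.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# The component named in the article; extend this tuple with other paths as
# an investigation warrants.
WATCHED_PATHS = ("/OA_HTML/SyncServlet",)


def find_syncservlet_requests(log_text):
    """Return (ip, timestamp, method, status) for every request to a watched path.

    The query string is stripped before comparison so that '/path?x=1' still
    matches '/path'. Unparseable lines are skipped rather than raising.
    """
    hits = []
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if path in WATCHED_PATHS:
            hits.append((m.group("ip"), m.group("ts"),
                         m.group("method"), int(m.group("status"))))
    return hits


# Interactive shells that a JVM serving EBS pages should not normally fork.
SHELL_IMAGES = {"/bin/bash", "/bin/sh", "/usr/bin/bash", "/usr/bin/sh"}


def find_java_spawned_shells(events, ebs_user="applmgr"):
    """Flag shell processes whose parent is a Java binary running as the EBS account.

    A JVM re-launching itself (java -> java) is left alone; only java -> shell
    edges under the application account are returned.
    """
    return [
        e for e in events
        if e["user"] == ebs_user
        and e["parent_image"].rsplit("/", 1)[-1] == "java"
        and e["image"] in SHELL_IMAGES
    ]


def source_ips(hits):
    """Distinct client IPs from find_syncservlet_requests(), for pivoting to firewall logs."""
    return sorted({ip for ip, _, _, _ in hits})


if __name__ == "__main__":
    web_hits = find_syncservlet_requests(ACCESS_LOG)
    for ip, ts, method, status in web_hits:
        print(f"[web] {ts} {ip} {method} SyncServlet -> {status}")
    print("[web] pivot IPs:", ", ".join(source_ips(web_hits)))
    for e in find_java_spawned_shells(PROC_EVENTS):
        print(f"[proc] {e['user']}: {e['parent_image']} -> {e['image']} :: {e['cmdline']}")
```

Neither rule is proof of compromise on its own: legitimate EBS traffic can reach the servlet, and some integrations do shell out from the JVM. Running both, then joining the web hits' client IPs against the timestamps of any java-to-shell events, is what turns two weak signals into a triage lead worth escalating.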
The attack’s timeline makes it apparent that Cl0p took a very calculated approach. In July 2025, researchers reviewing assorted artifacts observed a particularly unusual one. These artifacts appear to match an exploit that was leaked on 3 October 2025 to a Telegram group called Scattered LAPSUS$ Hunters.
Impacts and Responses
The repercussions from this breach have alarmed cybersecurity professionals and organizations everywhere. John Hultquist, chief analyst of GTIG at Google Cloud, said in a recent GTIG announcement,
“We’re still assessing the scope of this incident, but we believe it affected dozens of organizations.”
This operational pattern is consistent with previous victim targeting trends associated with the FIN11 adversary group. Analysts have identified a striking pattern in their activities: they first exploit a zero-day vulnerability in some widely deployed enterprise application, and only weeks or months later launch a massive extortion campaign.
It’s just smart business
Experts agree that attacking public-facing applications and appliances that contain sensitive data makes these systems the preferred choice for efficient data theft operations. Threat actors do this to cut down on the lateral movement needed within networks, speeding up their attacks.
Future Implications
Ongoing investigations are still revealing the magnitude of Cl0p’s campaigns. These attacks have underscored the need for organizations to immediately improve their cyber defenses and patient engagement. The use of such vulnerabilities highlights the need to keep software up to date and to employ strong security measures at all levels.
Cybersecurity experts recommend that affected organizations conduct thorough assessments and audits of their systems, and ensure that all employees are aware of potential phishing attempts associated with this campaign.