Google Mandiant: Emails Sent To Corporate Execs Claiming Oracle Data Theft
Google, September 2, 2025
Threat actors claiming to be part of the notorious Cl0p ransomware group are sending extortion emails to corporate executives at a range of organizations, saying they have stolen sensitive data from the targets' Oracle E-Business Suite accounts and demanding a ransom payment, according to Google threat researchers.
The threatening emails started appearing as recently as this week, having been sent from hundreds of compromised accounts, researchers from the Google Threat Intelligence Group (GTIG) and Google's Mandiant business wrote in an email sent to journalists.
That said, the researchers are in the early stages of their investigation and can't yet attribute the emails to any particular group, Mandiant CTO Charles Carmakal wrote.
The malicious emails include contact information, and the researchers verified that two specific contact addresses are also publicly listed on Cl0p's data leak site.
'This move strongly suggests there's some association with Clop and they are leveraging the brand recognition for their current operation,' Carmakal wrote.