GTIG’s analysis found the actor(s) successfully chained together multiple distinct vulnerabilities (including a zero-day likely identified as CVE-2025-61882) to gain unauthenticated Remote Code Execution (RCE) and steal mass amounts of customer data. The initial exploitation activity may have begun as early as July 10, 2025, nearly 3 months prior to any public detections.
The campaign involves chaining together multiple distinct vulnerabilities (as many as five, according to external analysis), including a zero-day vulnerability (likely CVE-2025-61882), to steal mass amounts of customer data via unauthenticated Remote Code Execution (RCE). Furthermore, the campaign uses sophisticated, multi-stage, fileless malware (GOLDVEIN.JAVA, SAGEGIFT, SAGELEAF, and SAGEWAVE) to evade file-based detection, a crucial new detail.
According to GTIG’s experts, this level of investment suggests the threat actor(s) responsible for the initial intrusion likely dedicated significant resources to pre-attack research.
John Hultquist, Chief Analyst, Google Threat Intelligence Group – Google Cloud, elaborates on the potential scope of this operation: “We’re still assessing the scope of this incident, but we believe it affected dozens of organizations. Some historic CL0P data extortion campaigns have had hundreds of victims. Unfortunately, large-scale zero-day campaigns like this are becoming a regular feature of cybercrime.”
Full research with recommendations can be read here: https://cloud.google.com/blog/topics/threat-intelligence/oracle-ebusiness-suite-zero-day-exploitation