Behind one cybercriminal group there may be another, one that got there first.
That appears to be the case with Cl0p and SLSH (Scattered LAPSUS$ ShinyHunters): the former targeted Oracle E-Business Suite instances with an exploit that the latter accuses it of having stolen.
In the wake of this campaign, users of the suite received extortion demands, with sums reaching up to $50 million.
Oracle did not initially mention a 0-day
Oracle had initially linked Cl0p’s claims to vulnerabilities that had been fixed in July as part of the quarterly on‑premises patch cycle for its products.
It ultimately updated its post, removing all references to those vulnerabilities and replacing them with a single new one, CVE-2025-61882, which it does not describe as a 0-day. The flaw lies in the integration with Analytics Publisher (formerly BI Publisher, a reporting component of Fusion Middleware). It was assigned a CVSS score of 9.8, reflecting both the potential impact (remote code execution, with high impact on confidentiality, integrity and availability) and the ease of exploitation (no authentication required).
In this case, on Internet-facing E-Business Suite instances, the flaw gave access to local accounts that make it possible to bypass SSO.
Some of the IoCs Oracle shared match elements SLSH had previously circulated on Telegram, specifically the files that make up the exploit (two Python scripts inside a ZIP archive). Their filenames contain the string “scattered_lapsus”, a probable clue to provenance.
A YAML template for the Nuclei vulnerability scanner has been released. It flags an instance as vulnerable when a page contains the text “E-Business Suite Home Page” and, if so, when the Last-Modified header carries a date earlier than October 4, 2025.
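The same two-signal heuristic, as an added example in Python rather than the Nuclei template itself (this is not the page's code nor the template author's). It applies the marker-text and Last-Modified checks to captured HTTP responses; the marker string and the October 4, 2025 cutoff come from the article, while the sample status codes, headers and bodies are constructed for the example so it runs offline.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Cutoff date the template uses to separate patched from unpatched (from the article).
PATCH_CUTOFF = datetime(2025, 10, 4, tzinfo=timezone.utc)
# Body marker the template looks for (from the article).
MARKER = "E-Business Suite Home Page"


def classify_response(status, headers, body):
    """Apply the two-signal heuristic to one captured HTTP response.

    Returns one of:
      'not-ebs'           - marker text absent (or non-200): nothing to say
      'no-signal'         - marker present but Last-Modified missing or unparseable
      'likely-vulnerable' - marker present and Last-Modified < PATCH_CUTOFF
      'likely-patched'    - marker present and Last-Modified >= PATCH_CUTOFF
    """
    if status != 200 or MARKER not in body:
        return "not-ebs"
    # Header names are case-insensitive; normalise before lookup.
    last_modified = {k.lower(): v for k, v in headers.items()}.get("last-modified")
    if last_modified is None:
        return "no-signal"
    try:
        modified = parsedate_to_datetime(last_modified)
    except (TypeError, ValueError):  # malformed date: refuse to guess
        return "no-signal"
    if modified.tzinfo is None:  # "-0000" dates parse as naive; treat as UTC
        modified = modified.replace(tzinfo=timezone.utc)
    return "likely-vulnerable" if modified < PATCH_CUTOFF else "likely-patched"


# Constructed sample responses (not real captures), one per branch of the heuristic.
SAMPLES = {
    "old-home-page": (
        200,
        {"Last-Modified": "Tue, 15 Jul 2025 08:12:44 GMT", "Content-Type": "text/html"},
        "<html><title>E-Business Suite Home Page</title></html>",
    ),
    "refreshed-home-page": (
        200,
        {"last-modified": "Mon, 06 Oct 2025 17:30:00 GMT"},
        "<html><title>E-Business Suite Home Page</title></html>",
    ),
    "no-last-modified": (
        200,
        {"Content-Type": "text/html"},
        "<html><title>E-Business Suite Home Page</title></html>",
    ),
    "unrelated-site": (
        200,
        {"Last-Modified": "Tue, 15 Jul 2025 08:12:44 GMT"},
        "<html><title>Welcome</title></html>",
    ),
}


def scan_samples(samples=SAMPLES):
    """Run the heuristic over every sample and return {name: verdict}."""
    return {name: classify_response(*resp) for name, resp in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:20s} {verdict}")
```

Treat the verdicts as triage, not proof: Last-Modified reflects the timestamp of whatever file the server chose to serve, it can be stripped or rewritten by a reverse proxy or CDN, and a freshly deployed but unpatched instance will show a recent date. A host that scores 'no-signal' or 'likely-patched' still needs its applied patch inventory checked before it is written off.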
For complementary reading, see a note on a prior Cl0p campaign, which targeted the MOVEit Transfer file-transfer software. Two SQL injection vulnerabilities in its web front-end were exploited by the ransomware group. Majorel, a customer-relationship (CRM) services provider, was among the victims; the information came to light via Pôle emploi, the French employment agency, for which it acted as a contractor.