CL0P/FIN11 Go In-Memory on Oracle EBS — The Extortion Comes Later
Oracle EBS got in-memory Java loaders, not lockerware. Patch CVE-2025-61882, lock egress, hunt TemplatePreviewPG with TMP|DEF + XSL-TEXT|XML. Extortion rides in via “pubstorm.”

TL;DR
Key Points
- Shift to in-memory Java persistence via BI Publisher/XDO templates (minimal disk artifacts)
- Low-noise C2: sparse 443 VPS endpoints; beacons that include the literal string "TLSv3.1"
- Reentry via selective servlet filters (path/header-gated) and DB-resident templates
- Compromised-identity extortion at scale; static negotiation anchors (support(at)pubstorm[.]com/.net)
- Action: Patch CVE-2025-61882 on EBS 12.2.3-12.2.14; enforce strict EBS egress allowlists
- Action: Hunt XDO template abuse and servlet filters; auto-route pubstorm-anchored emails to SOC
The story in 60 seconds
Who/what/why: From July to October 2025, CL0P-branded activity with FIN11-overlapping tradecraft chained pre-auth exploitation of UiServlet/SyncServlet into BI Publisher TemplatePreview, exfiltrated data, and, 2-4 weeks later, launched brand-anchored, compromised-identity extortion to maximize deliverability and leverage.
TTPs: Java loader lineage (GOLDVEIN.JAVA; SAGEGIFT, SAGELEAF, SAGEWAVE) resides in memory and/or DB templates and triggers via precise paths/headers. Post-ex runs as applmgr; look for java spawning bash -i and light recon from the Java context.
Sector impact: ERP owners face theft-first impacts, hard-to-see persistence, and authenticated extortion that bypasses sender-reputation controls. Durable detection lives in app/DB signals, not static IPs.
AlphaHunt
High Impact, Quick Wins
- Lock down EBS egress (Owner: Net/SOC): L7 allowlist for EBS hosts; deny unknown 443. Measure: >=95% reduction in unique outbound destinations from EBS hosts over 24h baseline; NetFlow/Zeek confirms only approved endpoints.
- Detect TemplatePreview abuse (Owner: SOC/WAF): Alert on TemplatePreviewPG with TemplateCode and TemplateType conditions. Measure: < 0.1% of OA_HTML traffic matches after tuning or < 1 benign hit/day/environment in SIEM.
- Quarantine pubstorm-anchored extortion (Owner: Email Sec/SOC): Route messages referencing support(at)pubstorm[.]com/.net even if SPF/DKIM/DMARC pass. Measure: >=90% auto-routing within 5 minutes measured by MTA timestamp to SOC queue ingest.
Why it matters
SOC
- Alert on TemplatePreviewPG calls where TemplateCode starts TMP/DEF and TemplateType is XSL-TEXT or XML.
- Monitor anomalies to /OA_HTML/configurator/UiServlet and /OA_HTML/SyncServlet (off-hours spikes, new sources).
- Watch rare, short 443 sessions to VPS IPs; prioritize flows showing early "TLSv3.1" strings.
IR
- Preserve OA_HTML HTTP logs with headers; capture DB diffs for XDO_TEMPLATES_B and XDO_LOBS.
- Snapshot JVM state via heap dumps and JMX filter inventories; retain lineage of java spawning bash -i (user applmgr).
- Save full headers/bodies of extortion emails; do not reply from corporate mail.
SecOps
- Patch CVE-2025-61882 (ensure Oct 2023 CPU prerequisite); restart WebLogic to evict memory implants.
- Enforce EBS egress allowlist and segmentation.
- Add detections for path/header-gated filters (help/state substrings; X-ORACLE-DMS-ECID matches).
Strategic
- Establish legal/comms playbook for compromised-identity extortion with off-corp negotiation channels.
- Prioritize app/DB detections over IOC blocking; track infra churn but pivot on TTPs.
- Fund Java memory forensics capability for middleware.
See it in your telemetry
Network
- 443 flows containing the literal string "TLSv3.1" in early application-layer bytes; short sessions (< 3 minutes), low egress volumes (NetFlow/Zeek/PCAP).
- TemplatePreviewPG path and fields:
  - Path: /OA_HTML/OA.jsp?page=/oracle/apps/xdo/oa/template/webui/TemplatePreviewPG
  - TemplateCode field regex: ^(?:TMP|DEF)[A-F0-9]{16}$
  - TemplateType field: ^(?:XSL-TEXT|XML)$
- SAGEWAVE gates: substrings like /help/state/content/destination./navId.1/navvSetId.iHelp/; optional header X-ORACLE-DMS-ECID with specific value (WAF/SIEM).
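The SOC alerting rules above and the TemplatePreviewPG/servlet/SAGEWAVE indicators in this Network list, turned into hunt logic over OA_HTML access-log lines (an added example, not code from the brief or from any vendor). It assumes the TemplateCode and TemplateType fields show up as query parameters in a combined-format access log and that the "TLSv3.1" beacon marker can be checked against the first bytes of a captured 443 flow; the log lines are constructed, not real telemetry.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Rules from the brief: TemplatePreviewPG with TMP/DEF codes and XSL-TEXT/XML types,
# the two pre-auth servlets, and the SAGEWAVE path gate. Field names are assumed to
# appear as query parameters in the access log (assumption, not stated in the brief).
OA_JSP = "/OA_HTML/OA.jsp"
PREVIEW_PAGE = "/oracle/apps/xdo/oa/template/webui/TemplatePreviewPG"
TEMPLATE_CODE_RE = re.compile(r"^(?:TMP|DEF)[A-F0-9]{16}$")
TEMPLATE_TYPE_RE = re.compile(r"^(?:XSL-TEXT|XML)$")
SERVLETS = ("/OA_HTML/configurator/UiServlet", "/OA_HTML/SyncServlet")
SAGEWAVE_GATE = "/help/state/content/destination./navId.1/navvSetId.iHelp/"
BEACON_MARKER = b"TLSv3.1"  # no genuine TLS record carries this ASCII string

# Combined-log shape: src - - [ts] "METHOD target HTTP/x" status bytes
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

def classify(line):
    """Return (rule, source, detail) for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    q = parse_qs(url.query)
    if url.path == OA_JSP and q.get("page", [""])[0] == PREVIEW_PAGE:
        code = q.get("TemplateCode", [""])[0]
        ttype = q.get("TemplateType", [""])[0]
        if TEMPLATE_CODE_RE.match(code) and TEMPLATE_TYPE_RE.match(ttype):
            return ("xdo_template_abuse", m["src"], code)
    if url.path in SERVLETS:
        return ("ebs_servlet_access", m["src"], url.path)
    if SAGEWAVE_GATE in url.path:
        return ("sagewave_gate", m["src"], url.path)
    return None

def hunt(log_text):
    # Run classify() over every line and keep only the hits, in log order.
    return [hit for hit in map(classify, log_text.splitlines()) if hit]

def is_beacon(payload, window=64):
    # True if the beacon marker sits in the early application-layer bytes of a 443 flow.
    return BEACON_MARKER in payload[:window]

# Constructed sample lines (not real telemetry); only lines 1, 3 and 4 should fire.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Oct/2025:02:14:03 +0000] "GET /OA_HTML/OA.jsp?page=/oracle/apps/xdo/oa/template/webui/TemplatePreviewPG&TemplateCode=TMP0123456789ABCDEF&TemplateType=XSL-TEXT HTTP/1.1" 200 5120
10.1.2.3 - - [12/Oct/2025:09:00:01 +0000] "GET /OA_HTML/OA.jsp?page=/oracle/apps/xdo/oa/template/webui/TemplatePreviewPG&TemplateCode=XXINV_REPORT&TemplateType=RTF HTTP/1.1" 200 7000
203.0.113.7 - - [12/Oct/2025:02:15:10 +0000] "POST /OA_HTML/configurator/UiServlet HTTP/1.1" 200 300
198.51.100.9 - - [12/Oct/2025:02:16:44 +0000] "GET /OA_HTML/help/state/content/destination./navId.1/navvSetId.iHelp/ HTTP/1.1" 200 12
"""
```

The X-ORACLE-DMS-ECID gate needs full request headers, which a combined-format log does not carry; preserve headers (as the IR section says) and extend classify() from a header-aware source if you want that rule.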
Endpoint
- java (user applmgr) spawning bash -i; recon commands (ip addr, netstat -an, df -h, ping 8.8[.]8[.]8) (EDR/auditd).
- JVM indicators in memory/classpath: Base64/AES, reflection/defineClass patterns (JMX/heap dump review).
- DB artifacts: recent inserts/updates in XDO_TEMPLATES_B and XDO_LOBS; unexpected creators; TemplateCode starting TMP/DEF; payloads referencing javax.script or BASE64Decoder (DBA queries).
Research
Assessment scope
- Focus: Higher-level OSINT synthesis on how CL0P/FIN11-linked infrastructure and email tradecraft are evolving across Oracle E‑Business Suite (EBS) victims.
- Timeframe: July–October 2025 campaign window associated with pre-auth EBS exploitation and subsequent extortion wave.
- Baseline sources: First-party technical analysis, vendor advisory, and exploit-chain reverse engineering.
Key takeaways
- Split-tempo operations matured: quiet, mass exploitation/exfiltration first; weeks later, broad, brand-anchored extortion delivered from large pools of compromised sender accounts. This sequencing maximizes stealth and deliverability, reduces reliance on persistent attacker-owned infrastructure, and complicates early containment.
- Infra pivots from web-app RCE to in-memory Java chains: After pre-auth exploitation of UiServlet/SyncServlet, actors staged Java-only loaders (GOLDVEIN.JAVA; SAGEGIFT→SAGELEAF→SAGEWAVE) that persist in application memory and/or DB-resident templates, minimizing disk artifacts. C2 use is sparse and purpose-built (443 endpoints) with beacons disguised as TLS handshakes (“TLSv3.1”), anticipating rapid rotation after exposure.
- Email delivery scales via real-account compromise: Extortion outreach leveraged “hundreds, if not thousands” of unrelated, compromised third-party accounts, preserving SPF/DKIM alignment and sender reputation; static CL0P-branded contact addresses (support(at)pubstorm[.]com/.net) provide continuity while the sending infrastructure remains fluid.