Attackers deployed fileless malware through malicious database templates.
Researchers analyzing the Oracle E-Business Suite extortion campaign identified sophisticated multi-stage malware, including downloaders and servlet filters designed to evade detection. The attacks exploited known vulnerabilities patched in July alongside a zero-day flaw tracked as CVE-2025-61882, with suspicious activity detected as early as July 10. Hackers created malicious templates in vulnerable databases to deliver payloads such as the GoldVein downloader and a nested chain of Java components named SageGift, SageLeaf, and SageWave. Google linked the campaign to the cybercrime group FIN11 based on compromised email accounts and malware similarities, and estimated that dozens of organizations were compromised, with significant data stolen from some victims.
Read more:
https://www.securityweek.com/sophisticated-malware-deployed-in-oracle-ebs-zero-day-attacks/