CL0P Extorts Washington Post via Oracle EBS Zero-Day (CVE-2025-61882)

On or around November 7, 2025, The Washington Post confirmed it was a victim of a “sweeping cyber breach” linked to vulnerabilities in Oracle software. This incident is not an isolated attack but a high-profile component of a massive, global data extortion campaign.

The campaign is attributed with high confidence to the financially motivated, Russian-speaking threat actor group CL0P, which is also tracked as TA505 or GRACEFUL SPIDER. In line with its established tactics, CL0P has been publicizing victims on its dark web data leak site (DLS) in an attempt to extort payments.

The primary attack vector is the exploitation of a critical, unauthenticated remote code execution (RCE) zero-day vulnerability in Oracle E-Business Suite (EBS). This vulnerability is now tracked as CVE-2025-61882.

While the breach of The Washington Post was publicized in November 2025, threat intelligence from Google/Mandiant and CrowdStrike indicates that exploitation in the wild (ITW) began as early as August 9, 2025. This extensive “detection deficit,” spanning nearly three months, allowed the threat actor to conduct patient, large-scale data exfiltration long before sending the first extortion emails to victims in late September and early October 2025. Google has assessed that over 100 companies were likely affected by this campaign.

This operation reinforces CL0P’s strategic pivot to “encryption-less extortion”. The group has increasingly abandoned traditional ransomware deployment in favor of exploiting zero-day vulnerabilities in high-value, internet-facing platforms—such as Managed File Transfer (MFT) and Enterprise Resource Planning (ERP) systems—for pure data theft and public shaming.

Due to the long period of undetected exploitation, immediate patching is insufficient. All organizations using Oracle EBS versions 12.2.3 through 12.2.14 must assume compromise. This report provides a detailed breakdown of the exploit chain, post-exploitation payloads, and persistence mechanisms. Defenders must apply the emergency patch and its prerequisites immediately and conduct an in-depth threat hunt using the Indicators of Compromise (IOCs) and detection guidance provided herein.
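As an added illustration of that hunt (example code, not from the original report), the script below triages Oracle HTTP Server access-log lines for POST requests to the unauthenticated EBS endpoints named in the exploit chain section (/OA_HTML/SyncServlet and /OA_HTML/configurator/UiServlet) that occurred on or after the August 9, 2025 in-the-wild start date. The combined log format, the `hunt` function name and the log lines are assumptions and constructed samples.

```python
import re
from datetime import datetime, timezone

# Unauthenticated EBS endpoints named in the exploit chain analysis.
SUSPECT_PATHS = ("/OA_HTML/SyncServlet", "/OA_HTML/configurator/UiServlet")
# Earliest observed in-the-wild exploitation (Google/Mandiant, CrowdStrike).
ITW_START = datetime(2025, 8, 9, tzinfo=timezone.utc)

# Assumed Apache/OHS combined log layout: ip ident user [time] "method path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

def parse_line(line):
    """Return a dict of fields for one access-log line, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Timestamp looks like 12/Aug/2025:03:14:07 +0000
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def hunt(lines):
    """Flag POST requests to the suspect endpoints on/after the ITW start date."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]   # drop any query string
        if (rec["method"] == "POST"
                and path in SUSPECT_PATHS
                and rec["time"] >= ITW_START):
            hits.append((rec["ip"], rec["time"].isoformat(), path, rec["status"]))
    return hits

# Constructed sample lines (not real traffic): one POST before the ITW window,
# one benign GET, and two POSTs inside the window.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Aug/2025:09:00:01 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 512',
    '203.0.113.5 - - [12/Aug/2025:03:14:07 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 1024',
    '203.0.113.5 - - [12/Aug/2025:03:14:09 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 302 0',
    '203.0.113.9 - - [20/Sep/2025:22:41:55 +0000] "POST /OA_HTML/configurator/UiServlet?x=1 HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print("SUSPECT", *hit)
```

Every hit is a lead for deeper review of that host's subsequent outbound traffic and process activity, not proof of compromise on its own.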

Victim Profile: The Washington Post

The most prominent victim publicly named in this campaign is The Washington Post (washingtonpost.com). The newspaper released a statement on Thursday, November 6, 2025, confirming it was “one of those impacted ‘by the breach of the Oracle E-Business Suite platform’”.

An analysis of the victim’s profile provides context for its selection as a target:

  • Ownership: The Washington Post is a private company, WP Company LLC, operating as a subsidiary of Nash Holdings LLC. Nash Holdings is the private investment firm of Amazon founder Jeff Bezos.
  • Operational Scale: The company maintains a large workforce, with estimates ranging from approximately 2,500 to over 4,100 employees, including around 1,050 journalists. This significant employee base represents a massive potential dataset (e.g., HR, payroll, financial data) managed by an ERP system like Oracle EBS.
  • Financials: The organization has an estimated annual revenue of $812.2 million.
  • Market Position: The Washington Post is one of the most recognized news organizations in the world, with a global audience and 2.5 million digital subscribers.

CL0P’s core tactic is to “publicize and shame” victims into paying extortion demands. The Washington Post is not a random target; it is an ideal one for this strategy. Its entire business is built on public trust and reputation. The added “celebrity” factor of its ownership by Jeff Bezos guarantees that a breach will attract widespread, international media attention.

The threat actors were clearly aware of this, placing the newspaper “at the top of the Cl0p ransomware gang’s dark leak site” and highlighting the name in a “bright yellow font” to capitalize on this “name recognition”. The breach of The Washington Post serves as a psychological sledgehammer to all other victims in the campaign, sending an implicit message: “If we can breach them and are willing to shame them, you have no chance. Pay us.”

Table 1: Victim Profile: The Washington Post (WP Company LLC)

| Legal Name | Parent Company | Industry | Est. Annual Revenue | Est. Employee Size | Key Assets |
| --- | --- | --- | --- | --- | --- |
| WP Company LLC | Nash Holdings LLC (Jeff Bezos) | Media & Publishing | $812.2M | ~3,800 – 4,100 | Global brand, 2.5M+ digital subscribers, sensitive journalistic/source data. |

Threat Actor: CL0P (TA505)

The threat actor behind this campaign is CL0P, a highly sophisticated and prolific group also tracked as TA505 and GRACEFUL SPIDER. Believed to be a Russian-speaking cybercrime collective, TA505 is financially motivated and has been active since at least 2014. Its operations are multifaceted and mature, functioning as a Ransomware-as-a-Service (RaaS) provider, an Initial Access Broker (IAB), and the operator of the Dridex banking trojan botnet.

Historically, CL0P was known for a “double extortion” model: exfiltrating sensitive data and then encrypting victim files to demand a ransom. However, this campaign confirms a significant strategic evolution. Analysis of the group’s 2024 Cleo MFT campaign noted that operators “did not always encrypt data, rather opting for exfiltration only”. This has now become a core TTP. Research from Q1 2025 confirms CL0P has “continued its strategic reliance on encryption-less attacks” and “largely shifted from ‘exfiltrating and encrypting data…’” to just “‘exfiltrating data and extorting money’”.

This shift represents a logical optimization of the group’s business model. Deploying ransomware is a noisy activity, creating millions of file-write events that are highly likely to trigger Endpoint Detection and Response (EDR) and behavioral analytics. By skipping the encryption phase entirely, CL0P’s intrusion becomes far stealthier. The initial RCE and subsequent data exfiltration can be disguised as legitimate application-level traffic, evading many traditional anti-ransomware defenses. This TTP lowers the risk of detection, reduces development overhead, and accelerates the “time-to-extortion.”

This attack on Oracle EBS is not an anomaly; it is the capstone of a multi-year “platform-hunter” campaign. The data reveals a clear, repeating pattern of CL0P/TA505 investing heavily in the discovery and exploitation of zero-day vulnerabilities in widely-used, internet-facing MFT and ERP software.

This TTP is orders of magnitude more sophisticated than typical eCrime. It implies that TA505 either operates a dedicated, in-house vulnerability research (VR) team or has an exclusive, high-cost partnership with a VR provider. They are not simply buying access; they are creating mass access on a scale that rivals nation-state actors. By targeting the platform—a core system used for finance, HR, and supply chain management—they compromise all of its users in a single stroke.

Table 2: CL0P (TA505) Major Campaign Evolution (2020-2025)

| Date | Target Platform | Vulnerability(s) | Primary TTP |
| --- | --- | --- | --- |
| 2020-2021 | Accellion FTA | Zero-Day | Double Extortion (Data Theft + Encryption) |
| Early 2023 | Fortra GoAnywhere MFT | CVE-2023-0669 (Zero-Day) | Encryption-less Extortion (Data Theft) |
| Mid-2023 | Progress MOVEit Transfer | CVE-2023-34362 (Zero-Day) | Encryption-less Extortion (Data Theft via LEMURLOOT web shell) |
| Q4 2024-Q1 2025 | Cleo MFT (LexiCom, VLTrader) | CVE-2024-50623, CVE-2024-55956 (Zero-Days) | Encryption-less Extortion (Data Theft) |
| Q3-Q4 2025 | Oracle E-Business Suite | CVE-2025-61882 (Zero-Day) | Encryption-less Extortion (Data Theft via RCE) |

The Attack: CVE-2025-61882 Exploit

The Vulnerability

The root cause of this campaign is a critical, unauthenticated RCE vulnerability in Oracle E-Business Suite. The flaw resides within the BI Publisher Integration component, which is part of the Oracle Concurrent Processing product. This vulnerability, which affects Oracle EBS versions 12.2.3 through 12.2.14, is of the highest possible severity, allowing for a complete and unauthenticated takeover of the affected system.

Table 3: Vulnerability Details (CVE-2025-61882)

| Attribute | Details |
| --- | --- |
| CVE ID | CVE-2025-61882 |
| CVSS 3.1 Base Score | 9.8 (Critical) |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Description | “Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Concurrent Processing. Successful attacks… can result in takeover…” |
| Attack Type | Unauthenticated Remote Code Execution (RCE) |
| Affected Component | Oracle E-Business Suite (Component: BI Publisher Integration) |
| Affected Versions | 12.2.3 through 12.2.14 |

The Exploit Chain

This vulnerability is not a single, simple flaw. Deep-dive analysis from security researchers at WatchTowr reveals that the exploit “demonstrates a high level of skill and effort, with at least five distinct bugs orchestrated together to achieve pre-authenticated Remote Code Execution”. This complexity explains why it remained an effective zero-day for nearly three months (August to October). It also accounts for reports from Google/Mandiant, which “observed multiple different exploit chains”, suggesting the attackers developed multiple paths to achieve their objective.

Based on public analysis, the exploit chain proceeds as follows:

  1. Step 1: Initial SSRF: The attacker sends a crafted HTTP POST request to an unauthenticated public-facing endpoint, such as /OA_HTML/SyncServlet or /OA_HTML/configurator/UiServlet. This request contains