Security researchers at Google have uncovered a major hacking campaign targeting companies that use Oracle’s E-Business Suite, revealing that hackers have stolen data from dozens of organizations and are now attempting to extort corporate executives through email.
In a statement shared with TechCrunch on Thursday, Google confirmed that the Russia-linked Clop ransomware and extortion gang exploited multiple security vulnerabilities in Oracle’s enterprise software — a suite widely used by global corporations to manage customer databases, payroll systems, and HR files.
According to Google’s blog post, the campaign dates back to at least July 10, indicating that the breaches had been ongoing for months before being detected. Despite Oracle’s earlier claims that the issue had been patched, the company admitted over the weekend that hackers were still exploiting a zero-day vulnerability, meaning a flaw abused before the vendor can release a fix, and one that can be exploited without login credentials.
This latest breach highlights a growing trend in mass data theft operations, in which groups like Clop exploit unknown (“zero-day”) bugs to compromise enterprise systems and steal sensitive data at scale. Clop has previously targeted file-transfer tools such as MOVEit, GoAnywhere, and Cleo, impacting hundreds of corporations worldwide.
Google said the attackers are now using extortion emails to threaten executives with data exposure unless ransom demands are met. The tech giant’s Threat Analysis Group has published email indicators and technical artifacts to help cybersecurity teams detect potential breaches in their Oracle environments.
Oracle’s ongoing struggle with the zero-day issue underscores how urgent it is for enterprises to update and monitor their systems, especially those handling large-scale operational and personal data. Meanwhile, the Clop gang’s latest campaign demonstrates how cybercriminals are increasingly exploiting enterprise-grade software to maximize leverage in extortion-based attacks.
