The Cl0p ransomware group has published over 26 GB of archive files, claiming the data was stolen from American Airlines and listing the major carrier on its Tor-based leak website. However, the organization actually targeted appears to be American Airlines’ regional subsidiary, Envoy Air, which describes itself as the largest regional carrier for American Airlines, operating over 800 daily flights under the American Eagle brand. The attack is part of a larger cybercrime campaign focused on organizations that utilize Oracle’s E-Business Suite (EBS) enterprise management solution, a campaign that has been publicly claimed by Cl0p and linked to the cybercrime group FIN11.
Envoy Air has confirmed its systems were impacted by this specific Oracle EBS campaign. In a statement to the media, the Texas-based carrier acknowledged the breach but maintained that a thorough investigation showed no customer or other sensitive data was compromised. The carrier admitted, however, that the hackers did manage to compromise “a limited amount of business information and commercial contact details.” A listing on the Cl0p site is typically reserved for organizations that have received extortion emails from the attackers but have subsequently refused to pay a ransom.
The Oracle EBS campaign has impacted multiple organizations, with Harvard University being the first confirmed victim. Since then, additional organizations have been named on the Cl0p leak website, including South Africa’s University of the Witwatersrand, Johannesburg, which has also publicly confirmed it was targeted and is working to determine the extent of the compromised data. In addition to these, the leak site also lists the industrial giant Emerson, though no data allegedly stolen from that company has been made public at the time of this report.
While the campaign is attributed to the Cl0p-FIN11 nexus, the exact technical details remain somewhat unclear. It is not publicly known which specific Oracle EBS vulnerabilities were exploited in the attack, though Oracle initially indicated that known flaws patched in July were involved. The company later released patches for two additional EBS vulnerabilities: a zero-day (CVE-2025-61882) that was apparently exploited in the campaign, and another flaw (CVE-2025-61884) that exposes sensitive data, although the company has not confirmed if the latter was also leveraged by the attackers.
Furthermore, attributing the attack with precision is complicated by the nature of the threat groups involved. Google’s Mandiant security team tracks several distinct clusters of malicious activity under the broad umbrella of FIN11, making it difficult to pinpoint which specific subgroup is responsible for executing this particular campaign. Nonetheless, the continued publication of stolen files and the listing of new victims on the Cl0p leak site signal that the campaign remains active and that the number of impacted organizations is likely to grow.