GOLDVEIN.JAVA
GOLDVEIN.JAVA is a Java-based downloader malware family observed in 2025 Oracle E-Business Suite (EBS) exploitation chains associated with CVE-2025-61882 and related EBS attack activity. Google Threat Intelligence Group (GTIG) described it as a downloader embedded in malicious XSL payloads/templates installed in vulnerable EBS databases. It attempts to fetch a second-stage payload from a command-and-control (C2) server, beacons to C2 using traffic disguised as a "TLSv3.1" handshake, and returns execution logs inside an HTML comment. Mandiant reported GOLDVEIN.JAVA as the most frequently observed malware family across its 2025 investigations. The malware was deployed alongside other Java payload families, including SAGEGIFT, SAGELEAF, and SAGEWAVE, in multi-stage, fileless Oracle EBS attack chains designed to evade file-based detection. Successful exploitation was observed as early as August 2025, with suspicious precursor activity noted in July 2025. Mandiant attributed the related Oracle EBS activity to a suspected FIN11 cluster based on the use of the CL0P data leak site and the Java-based GOLDVEIN.JAVA downloader, while GTIG noted overlaps with FIN11 but did not make a definitive attribution. An earlier PowerShell version of the malware was reportedly first seen in Cleo attacks in December 2024. Targeting reported with high confidence is limited to Oracle E-Business Suite environments, with dozens of organizations reportedly affected and significant data theft reported in some cases.
Vulnerabilities exploited
1 CVE correlated with this family across public research and vendor advisories.
It has since been determined that hackers likely exploited known EBS vulnerabilities patched in July, likely along with a zero-day flaw tracked as CVE-2025-61882. The hacker groups ShinyHunters and Scattered Spider ... have published a proof-of-concept (PoC) exploit that appears to target CVE-2025-61882 ... according to Oracle, CVE-2025-61882 allows unauthenticated remote code execution. CrowdStrike has found evidence that exploitation of CVE-2025-61882 started on August 9.
One of them is a downloader tracked by Google as GoldVein.Java, which attempts to fetch a second-stage payload from a C&C server.
Groups observed using it
2 distinct threat actors attributed by public researchers.
One of them is a downloader tracked by Google as GoldVein.Java, which attempts to fetch a second-stage payload from a C&C server.
GTIG found two Java payload chains embedded in XSL payloads used in the Oracle EBS campaign: GOLDVEIN.JAVA (downloader) — a Java downloader that beacons to a C2 (disguised as a “TLSv3.1” handshake) and returns execution logs inside an HTML comment.
Techniques & procedures
6 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
It has since been determined that hackers likely exploited known EBS vulnerabilities patched in July, likely along with a zero-day flaw tracked as CVE-2025-61882.
Execution
2 techniques
Mandiant... attributes the activity to a suspected FIN11 cluster, based on use of the CL0P data leak site and the Java-based GOLDVEIN.JAVA downloader.
The attackers created a malicious template in vulnerable Oracle EBS databases, which stored a payload triggered in the final stage of the exploit chain.
Stealth
1 technique
GoldVein, SageGift, SageLeaf, and SageWave have been described as sophisticated, multi-stage, fileless malware that can evade file-based detection.
Command and Control
2 techniques
One of them is a downloader tracked by Google as GoldVein.Java, which attempts to fetch a second-stage payload from a C&C server.
Recent activity
6 sources tracked across advisories, community write-ups, and news.
A Java-based downloader heavily observed in 2025 investigations and linked in the report to suspected FIN11 activity and CL0P-associated extortion operations.
Malware family dropped as a payload in Oracle EBS exploitation campaigns, likely involved in data exfiltration or further compromise.
Java-based downloader embedded in malicious XSLT templates used against Oracle E-Business Suite; beacons to C2 using traffic disguised as a “TLSv3.1” handshake and returns execution logs embedded in HTML comments. Reported to trace to a PowerShell family seen in prior Cleo campaigns; no follow-on payloads recovered in this reporting.
GOLDVEIN.JAVA is a downloader payload used in exploit chains targeting Oracle E-Business Suite, facilitating the installation of additional malicious components. It has been observed in both Java and PowerShell variants.