SAGE
Sage is a malware family name that appears in the reporting collected here in two distinct but related contexts.

Historically, Microsoft reported that the financially motivated initial-access broker Storm-0324 has distributed Sage ransomware as one of a broader set of payloads since at least 2016, alongside malware such as Nymaim, Gozi, Trickbot, Gootkit, Dridex, GandCrab, and IcedID.

More recent reporting uses "Sage" for a set of Java payloads deployed in Oracle E-Business Suite (EBS) intrusions associated with exploitation of CVE-2025-61882. In that EBS activity, attackers deployed multi-stage web shells related to the SAGE infection chain and used Java components named Sagegift, Sageleaf, and Sagewave. Sagegift is described as a payload that loads an in-memory dropper called Sageleaf, which in turn installs a malicious Java servlet filter called Sagewave. Sagewave let attackers deploy an AES-encrypted ZIP archive containing Java classes and execute various commands in compromised EBS environments, giving them persistence and post-exploitation command execution. Talos likewise reported that, after exploitation of CVE-2025-61882, threat actors deployed multi-stage web shells related to the SAGE infection chain. This Oracle EBS campaign began as early as July 2025, affected dozens of organizations, involved significant data exfiltration and extortion, and has been widely suspected to be linked to the Clop ransomware group, although formal attribution has not been stated as confirmed.

High-confidence associations in the reporting are therefore Storm-0324 as a historical distributor of Sage ransomware, and 2025 Oracle EBS exploitation activity involving the Sagegift/Sageleaf/Sagewave payloads, with command execution capability in compromised EBS environments.
Groups observed using it
1 distinct threat actor attributed by public researchers.
Storm-0324 has distributed a range of first-stage payloads since at least 2016, including: ... Sage ransomware
Recent activity
4 sources tracked across advisories, community write-ups, and news.
Multi-stage web shell infection chain used post-exploitation to maintain access; details of capabilities beyond web shelling are not provided here.
Sage is a set of Java-based payloads used in Oracle EBS attacks, including Sagegift (loader), Sageleaf (in-memory dropper), and Sagewave (malicious servlet filter). These components enable attackers to execute commands and deploy additional malicious code within the compromised environment.
A ransomware family historically distributed by Storm-0324.