Mallory
Malware | Ransomware | Used by 2 actors | Exploits 1 CVE

SAGEGIFT

SageGift is a multi-stage, fileless Java malware component observed in Oracle E-Business Suite (EBS) intrusion chains tied to exploitation of Oracle EBS vulnerabilities, including activity associated with CVE-2025-61882. It is described as a Base64-encoded reflective loader, custom designed for Oracle WebLogic servers, and forms part of the nested SAGE infection chain: SageGift loads SageLeaf, an in-memory dropper with logging, which then installs SageWave, a malicious Java servlet filter used to establish persistent access to compromised networks and systems and enable deployment of a final payload. Reporting states the implants can live entirely in memory, evade file-based detection, and communicate with command-and-control infrastructure using traffic disguised as TLS handshakes. SageGift was identified by Google Threat Intelligence Group (GTIG) and Mandiant in attacks against public-facing Oracle EBS environments during a broader data-theft and extortion campaign affecting dozens of organizations. The campaign has been linked with varying confidence to Cl0p/FIN11-related activity, though GTIG stated it had not definitively attributed the attack to a specific threat group. No standalone indicators of compromise specific to SageGift were provided in the content.
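As an added defender-side example (not code from this page or from GTIG/Mandiant), the audit below lists the servlet filters registered in a web application and flags any whose class is not backed by a file on disk, which is the condition a memory-only servlet filter like the one described above would meet. It assumes the javax.servlet API (as used by WebLogic 12c/14c), that it is deployed inside the application being inspected, and that the web application's context class loader can resolve the filter classes.

```java
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.CodeSource;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import javax.servlet.FilterRegistration;
import javax.servlet.ServletContext;

/**
 * Hunts for servlet filters whose bytecode has no on-disk origin.
 * Assumptions: javax.servlet API (WebLogic 12c/14c), run from inside the
 * web application under review, e.g. from a diagnostic servlet. Filters
 * shipped in on-disk JARs or exploded directories are reported as OK.
 */
public final class FilterCodeSourceAudit {

    /** Returns one report line per registered filter, prefixed SUSPECT or OK. */
    public static List<String> audit(ServletContext ctx) {
        List<String> report = new ArrayList<>();
        ClassLoader cl = Thread.currentThread().getContextClassLoader();
        for (Map.Entry<String, ? extends FilterRegistration> e : ctx.getFilterRegistrations().entrySet()) {
            FilterRegistration reg = e.getValue();
            String cls = reg.getClassName();
            String verdict;
            try {
                // initialize=false: never run static initializers of an untrusted class
                Class<?> c = Class.forName(cls, false, cl);
                CodeSource cs = c.getProtectionDomain().getCodeSource();
                URL loc = (cs == null) ? null : cs.getLocation();
                if (loc == null) {
                    // Classes defined from in-memory bytes typically carry no CodeSource
                    verdict = "SUSPECT no CodeSource (class defined in memory)";
                } else if (!"file".equals(loc.getProtocol()) || !Files.exists(Paths.get(loc.toURI()))) {
                    verdict = "SUSPECT CodeSource not present on disk: " + loc;
                } else {
                    verdict = "OK " + loc;
                }
            } catch (Exception ex) {
                // A filter added at runtime from a private class loader is not resolvable here
                verdict = "SUSPECT class not resolvable from webapp loader: " + ex;
            }
            report.add(verdict + " | filter=" + e.getKey() + " class=" + cls
                    + " urls=" + reg.getUrlPatternMappings());
        }
        return report;
    }
}
```

Every SUSPECT line deserves a look at the JVM's loaded classes and at the container's deployment records, since a legitimate dynamically registered filter can also trip the check.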


EXPLOITED CVES

Vulnerabilities exploited

1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

CVE-2025-61882: Unauthenticated RCE in Oracle E-Business Suite Concurrent Processing BI Publisher Integration (exploited in the wild)

As with the zero-day vulnerability announced by Oracle last week – tracked as CVE-2025-61882... Mandiant initially noted that Cl0p abused known and patched vulnerabilities, but added last week that the group also exploited the CVE-2025-61882 zero-day. SOCRadar also wrote that the flaw had been exploited in the wild – Oracle issued a patch for it October 4 – and that a public proof-of-concept exploit had been released.

via Security Boulevard (securityboulevard.com)
THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

FIN11

A loader named SageGift loads a dropper named SageLeaf, which in turn installs a Java servlet filter named SageWave that enables the threat actor to deploy the final payload.

via SecurityWeek (securityweek.com)
TA505

They're using multi-stage Java implants with names like GOLDVEIN, SAGEGIFT, and SAGEWAVE that live entirely in memory and communicate back to C2 servers disguised as TLS handshakes.

via vulnu (vulnu.com)
MITRE ATT&CK

Techniques & procedures

4 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1190 Exploit Public-Facing Application (evidence: 2)

Oracle noted that the vulnerability can be exploited remotely and without authentication, so bad actors could access a network without having to use a username and password.

Execution

1 technique
T1203 Exploitation for Client Execution (evidence: 1)

The attackers created a malicious template in vulnerable Oracle EBS databases, which stored a payload triggered in the final stage of the exploit chain.

Stealth

1 technique
T1027.011 Fileless Storage (evidence: 1)

GoldVein, SageGift, SageLeaf, and SageWave have been described as sophisticated, multi-stage, fileless malware that can evade file-based detection.

Command and Control

1 technique
T1104 Multi-Stage Channels (evidence: 1)

The second payload delivered through malicious templates is actually a “nested chain of multiple Java payloads”. A loader named SageGift loads a dropper named SageLeaf, which in turn installs a Java servlet filter named SageWave that enables the threat actor to deploy the final payload.
