Malware · Ransomware · Used by 2 actors · Exploits 1 CVE

SAGEWAVE

SageWave is a malicious Java servlet filter observed in Oracle E-Business Suite (EBS) intrusion chains analyzed by Google Threat Intelligence Group (GTIG) and Mandiant in 2025. It appeared in at least two distinct Java payload chains associated with exploitation of Oracle EBS, including activity that multiple reports link to Cl0p-branded extortion operations and to overlaps with FIN11 tradecraft, although not all reporting establishes definitive attribution.

SageWave is installed by the in-memory dropper SageLeaf, which is itself loaded by the SageGift loader, forming the nested SAGE chain: SageGift -> SageLeaf -> SageWave. The malware is described as fileless or memory-resident and as capable of evading file-based detection. Its role is to establish persistent access on compromised systems and networks and to enable deployment of a further payload: SageWave installs, or allows installation of, an AES-encrypted ZIP archive containing Java classes or an unknown next-stage payload that researchers did not recover.

The broader attack chain involved exploitation of Oracle EBS through malicious XSL/XSLT templates, and reporting notes that the Java implants in this campaign communicated with command-and-control infrastructure using traffic disguised as TLS handshakes. High-confidence associated malware families in the same campaign include GoldVein/GoldVein.Java, SageGift, and SageLeaf. The observed targeting context was Oracle E-Business Suite environments at dozens of organizations affected by exploitation of CVE-2025-61882 and related Oracle EBS vulnerabilities.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

EXPLOITED CVES

Vulnerabilities exploited

1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

1 CVE
CVE-2025-61882: Unauthenticated RCE in Oracle E-Business Suite Concurrent Processing BI Publisher Integration (Exploited in the wild)

As with the zero-day vulnerability announced by Oracle last week – tracked as CVE-2025-61882... Mandiant initially noted that Cl0p abused known and patched vulnerabilities, but added last week that the group also exploited the CVE-2025-61882 zero-day. SOCRadar also wrote that the flaw had been exploited in the wild – Oracle issued a patch for it October 4 – and that a public proof-of-concept exploit had been released.

via Security Boulevard (securityboulevard.com)
THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

FIN11

A loader named SageGift loads a dropper named SageLeaf, which in turn installs a Java servlet filter named SageWave that enables the threat actor to deploy the final payload.

via SecurityWeek (securityweek.com)
TA505

They're using multi-stage Java implants with names like GOLDVEIN, SAGEGIFT, and SAGEWAVE that live entirely in memory and communicate back to C2 servers disguised as TLS handshakes.

via Vulnu (vulnu.com)
MITRE ATT&CK

Techniques & procedures

5 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1190 Exploit Public-Facing Application (Evidence: 2)

Oracle noted that the vulnerability can be exploited remotely and without authentication, so bad actors could access a network without having to use a username and password.

Execution

1 technique
T1203 Exploitation for Client Execution (Evidence: 1)

The attackers created a malicious template in vulnerable Oracle EBS databases, which stored a payload triggered in the final stage of the exploit chain.

Persistence

1 technique
T1505 Server Software Component (Evidence: 1)

A loader named SageGift loads a dropper named SageLeaf, which in turn installs a Java servlet filter named SageWave that enables the threat actor to deploy the final payload.

Stealth

1 technique
T1027.011 Fileless Storage (Evidence: 1)

GoldVein, SageGift, SageLeaf, and SageWave have been described as sophisticated, multi-stage, fileless malware that can evade file-based detection.

Command and Control

1 technique
T1104 Multi-Stage Channels (Evidence: 1)

The second payload delivered through malicious templates is actually a “nested chain of multiple Java payloads”. A loader named SageGift loads a dropper named SageLeaf, which in turn installs a Java servlet filter named SageWave that enables the threat actor to deploy the final payload.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (2)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities (1)

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (5)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.