Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to malware
MalwareRansomwareUsed by 1 actorExploits 1 CVE

SAGELEAF

SAGELEAF is an in-memory Java dropper used in a multi-stage, fileless malware chain observed in Oracle E-Business Suite (EBS) intrusions tied to exploitation of CVE-2025-61882 and related Oracle EBS weaknesses. In the observed SAGE chain, a Base64-encoded reflective loader named SAGEGIFT launches SAGELEAF, which then installs SAGEWAVE, a malicious Java servlet filter that enables deployment of a final payload that researchers were unable to recover. Reporting describes SAGELEAF as an in-memory dropper with logging, and the broader SAGEGIFT → SAGELEAF → SAGEWAVE chain as sophisticated, multi-stage, fileless malware designed to evade file-based detection. The malware was embedded in malicious XSL payloads/templates used during exploitation of Oracle EBS, including abuse of XML Publisher template functionality. The campaign affected dozens of organizations and involved data theft and extortion emails using the Cl0p name. Google Threat Intelligence Group and Mandiant did not definitively attribute the activity, but identified links and malware overlaps with FIN11; other reporting noted hallmarks associated with Cl0p/Graceful Spider. The malware was used against Internet-exposed Oracle E-Business Suite environments rather than broad consumer endpoints. High-confidence related malware in the same campaign includes GOLDVEIN.JAVA, SAGEGIFT, and SAGEWAVE.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
EXPLOITED CVES

Vulnerabilities exploited

1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

1 CVES
CVE-2025-61882Unauthenticated RCE in Oracle E-Business Suite Concurrent Processing BI Publisher IntegrationExploited in the wild

A loader named SageGift loads a dropper named SageLeaf, which in turn installs a Java servlet filter named SageWave that enables the threat actor to deploy the final payload. | It has since been determined that hackers likely exploited known EBS vulnerabilities patched in July, likely along with a zero-day flaw tracked as CVE-2025-61882. The hacker groups ShinyHunters and Scattered Spider ... have published a proof-of-concept (PoC) exploit that appears to target CVE-2025-61882 ... according to Oracle, CVE-2025-61882 allows unauthenticated remote code execution. CrowdStrike has found evidence that exploitation of CVE-2025-61882 started on August 9.

via security weeksecurityweek.com
THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
FIN11

A loader named SageGift loads a dropper named SageLeaf, which in turn installs a Java servlet filter named SageWave that enables the threat actor to deploy the final payload.

via security weeksecurityweek.com
MITRE ATT&CK

Techniques & procedures

4 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1190Exploit Public-Facing ApplicationEvidence1

It has since been determined that hackers likely exploited known EBS vulnerabilities patched in July, likely along with a zero-day flaw tracked as CVE-2025-61882.

Execution

1 technique
T1203Exploitation for Client ExecutionEvidence1

The attackers created a malicious template in vulnerable Oracle EBS databases, which stored a payload triggered in the final stage of the exploit chain.

Stealth

1 technique
T1027.011Fileless StorageEvidence1

GoldVein, SageGift, SageLeaf, and SageWave have been described as sophisticated, multi-stage, fileless malware that can evade file-based detection.

Command and Control

1 technique
T1104Multi-Stage ChannelsEvidence1

The second payload delivered through malicious templates is actually a “nested chain of multiple Java payloads”. A loader named SageGift loads a dropper named SageLeaf, which in turn installs a Java servlet filter named SageWave that enables the threat actor to deploy the final payload.

ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app
the hacker newsNews
Oct 13, 2025
⚡ Weekly Recap: WhatsApp Worm, Critical CVEs, Oracle 0-Day, Ransomware Cartel & More

Malware family dropped as a payload in Oracle EBS exploitation campaigns, likely involved in data exfiltration or further compromise.

Read more
securityaffairsNews
Oct 13, 2025
Google, Mandiant expose malware and zero-day behind Oracle EBS extortion

In-memory dropper stage (with logging) in the SAGE infection chain used in Oracle EBS exploitation.

Read more
the hacker newsNews
Oct 10, 2025
CL0P-Linked Hackers Breach Dozens of Organizations Through Oracle Software Flaw

SAGELEAF is an in-memory dropper used to install SAGEWAVE, facilitating further malware deployment on compromised systems.

Read more
security weekNews
Dec 3, 2025
Sophisticated Malware Deployed in Oracle EBS Zero-Day Attacks

A dropper in the Oracle EBS malware chain that installs SageWave, facilitating deployment of the final payload. It is part of a sophisticated, multi-stage, fileless Java malware framework.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities1

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping4

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.