GOLDVEIN
GOLDVEIN is a downloader/dropper malware family observed in Oracle E-Business Suite exploitation campaigns in 2025 that were assessed to bear hallmarks of the Cl0p/FIN11 ecosystem. The provided reporting describes GOLDVEIN as part of at least two distinct Java payload chains alongside SAGEGIFT, SAGELEAF/SafeLeaf, and SAGEWAVE. A Java variant, GOLDVEIN.JAVA, is specifically described as a downloader that can receive a second-stage payload from a command-and-control server. In the campaign, the implants were reported to live entirely in memory and communicate with C2 using traffic disguised as TLS handshakes. GOLDVEIN.JAVA was launched in the context of exploitation of Oracle E-Business Suite, including abuse of the /OA_HTML/SyncServlet component and XSL template injection, and bash processes launched by GOLDVEIN.JAVA were used for reconnaissance. The content also states that GOLDVEIN was previously known as a PowerShell malware first detected in December 2024 in connection with exploitation of multiple Cleo software products. High-confidence associations in the content link GOLDVEIN to data-theft and extortion activity affecting Oracle E-Business Suite customers, with overlaps noted to malware used in prior FIN11 campaigns. No standalone indicators of compromise such as hashes, domains, or IPs are provided in the content.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
As with the zero-day vulnerability announced by Oracle last week – tracked as CVE-2025-61882... Mandiant initially noted that Cl0p abused known and patched vulnerabilities, but added last week that the group also exploited the CVE-2025-61882 zero-day. SOCRadar also wrote that the flaw had been exploited in the wild – Oracle issued a patch for it October 4 – and that a public proof-of-concept exploit had been released.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
They're using multi-stage Java implants with names like GOLDVEIN, SAGEGIFT, and SAGEWAVE that live entirely in memory and communicate back to C2 servers disguised as TLS handshakes.
Techniques & procedures
1 distinct technique documented for this family, organized by ATT&CK tactic.
Recent activity
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A dropper malware family observed in the Oracle E-Business Suite attack chains.
GOLDVEIN is a downloader malware, originally a PowerShell script, now also seen as a Java variant, used to fetch and execute second-stage payloads from a C2 server.
Multi-stage Java in-memory implant used in the Oracle E-Business Suite exploitation/extortion activity; stored in the EBS database and communicates to C2 while masquerading as TLS handshakes.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.