Mallory
Malware · Ransomware · Used by 2 actors

GOLDTOMB

GOLDTOMB is a backdoor associated with FIN11 that is referenced in reporting on the 2025 Oracle E-Business Suite (EBS) exploitation and extortion campaign. The analyzed Oracle EBS campaign reused CL0P contact emails and showed technical links to GOLDVEIN.JAVA and GOLDTOMB, malware previously used by FIN11/UNC5936 during the 2024 Cleo MFT exploitation. Researchers also noted that the main payload in the Oracle EBS intrusion chain overlapped with a command-line (CLI) module present in GOLDTOMB. These code overlaps, together with reuse of the CL0P extortion brand and one compromised account previously linked to FIN11, were cited as indicators of association; the reporting stopped short of a definitive attribution. The available reporting does not describe GOLDTOMB's infection vector or full functionality beyond identifying it as a FIN11 backdoor whose code overlaps with the observed payloads.


THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers.

FIN11

The campaign reused CL0P contact emails and showed technical links to GOLDVEIN.JAVA and GOLDTOMB malware used by FIN11/UNC5936 during Cleo MFT exploits in 2024.

via securityaffairs.com
UNC5936

Same evidence as for FIN11: the cited reporting refers to the cluster as FIN11/UNC5936 when describing the Cleo MFT exploits in 2024 and the GOLDVEIN.JAVA and GOLDTOMB links.

via securityaffairs.com