

Envoy Air, a regional airline carrier owned by American Airlines, confirms that data was compromised from its Oracle E-Business Suite application after the Clop extortion gang listed American Airlines on its data leak site.
“We are aware of the incident involving Envoy’s Oracle E-Business Suite application,” Envoy Air told BleepingComputer.
“Upon learning of the matter, we immediately began an investigation and law enforcement was contacted. We have conducted a thorough review of the data at issue and have confirmed no sensitive or customer data was affected. A limited amount of business information and commercial contact details may have been compromised.”
Envoy Air is a subsidiary of American Airlines and operates regional flights under the American Eagle brand. While it functions as a separate company, it is integrated into American’s network for ticketing, scheduling, and passenger service.
The Clop ransomware gang is now leaking what they claim to be the data stolen from Envoy on its data leak site, stating, “The company doesn’t care about its customers, it ignored their security!!!”
This security incident is related to an August data theft campaign conducted by the Clop extortion group, which began emailing extortion demands to companies in September, claiming to have stolen data from Oracle E-Business Suite systems.
While Oracle initially stated that the threat actors were exploiting vulnerabilities patched in July, the company later disclosed that the extortion gang exploited a zero-day flaw tracked as CVE-2025-61882 in the attacks.
CrowdStrike and Mandiant later revealed that Clop exploited the flaws in early August to breach systems and deploy malware.
While Clop would not share how many companies were impacted by the data theft attacks, Google’s John Hultquist told BleepingComputer via email that they believe dozens of organizations were affected.
The Clop gang is also extorting Harvard University as part of this same data theft campaign, with the university confirming to BleepingComputer that the incident impacts a “limited number of parties associated with a small administrative unit.”
Last week, Oracle silently patched another E-Business Suite zero-day, tracked as CVE-2025-61884, without disclosing that it was actively exploited in July 2025.
This zero-day is linked to an exploit leaked by the Scattered Lapsus$ Hunters extortion group on Telegram.
American Airlines previously suffered data breaches in 2022 and 2023 that exposed employees’ personal information.
The Clop ransomware operation, also tracked as TA505, Cl0p, and FIN11, launched in 2019 when it began breaching corporate networks to deploy a variant of the CryptoMix ransomware and steal data.
Since 2020, the extortion gang has shifted from primarily ransomware to exploiting zero-day vulnerabilities in secure file transfer or data storage platforms to steal data.
Some of their attacks using zero-day flaws include:
The U.S. State Department currently offers a $10 million reward for information linking Clop’s ransomware activities to a foreign government.
