Cyber Threat Radar – A new American Airlines data breach has emerged, this time through Envoy Air, its largest regional subsidiary. The attack is part of a wider campaign by the Clop ransomware group targeting Oracle E-Business Suite vulnerabilities.
While the airline confirmed that no customer financial or sensitive personal data was exposed, Clop has begun leaking stolen commercial contact data on the dark web. According to cybersecurity researchers, the breach is tied to a previously undisclosed zero-day vulnerability tracked as CVE-2025-61882. This flaw was exploited in active attacks before Oracle issued a patch.
Envoy Air relies on Oracle systems for core business functions. Once those systems were compromised, the attackers gained access to internal business data, though not passenger records. Still, the breach raises concerns because of the tight integration between Envoy and American Airlines: these systems handle everything from scheduling and ticketing to customer management.
Envoy acted swiftly. The company launched an investigation, notified law enforcement, and implemented containment measures. But this incident follows a series of breaches at American Airlines in 2022 and 2023, which affected employee information. It underscores a pattern of vulnerabilities in airline systems, particularly those tied to third-party enterprise applications.
The Broader Threat Behind the American Airlines Data Breach
The Clop ransomware group has become known for exploiting zero-day flaws in enterprise platforms. Their targets extend across finance, logistics, and now aviation. Since 2019, Clop has moved from traditional ransomware to advanced breach-and-leak campaigns, including:
- 2020: Accellion FTA zero-day attack
- 2023: MOVEit Transfer zero-day breach affecting over 2,700 organizations
- 2024: Exploits in Cleo file transfer platforms
With each campaign, the group adapts its approach, weaponizing critical vulnerabilities before patches are available. In this latest American Airlines data breach, Clop appears to have used leaked exploit code allegedly shared by the Shiny Lapsus$ Hunters group.
This evolution in ransomware tactics shows how attackers now target the points where enterprise software and third-party access meet. For airlines and similar industries that depend on interconnected IT systems, these attacks are both damaging and difficult to contain.
The Emerging Risk of AI-Powered Malware
While Clop has not confirmed using AI-powered tools in this breach, cybersecurity analysts warn that threat actors increasingly use AI-based malware. These tools do not rely solely on file access. Instead, they take real-time screenshots, use OCR to extract text from those images, and convert the extracted text into structured JSON data.
This process allows attackers to bypass conventional controls and exfiltrate sensitive data shown on screen—even if it never enters a file system.
As airlines rely heavily on browser-based dashboards, scheduling tools, and customer service portals, they face growing exposure to this method of attack.
How SentryBay Helps Neutralise These Threats
SentryBay’s Armored Client offers proven protection against AI-powered malware threats targeting the screen layer. It blocks screenshot malware by blacking out sensitive on-screen data before it can be captured. OCR tools are left with blank images, and JSON extraction becomes impossible.
Additionally, Armored Client randomizes keystrokes, rendering keyloggers ineffective even when malware is active on the endpoint.
“In an environment where every screen and keystroke can be weaponised, organisations need proactive protection,” said Paul Gilbert, cybersecurity executive at SentryBay. “The Armored Client defends where traditional tools fall short.”
As the aviation sector braces for more sophisticated attacks, endpoint visibility and zero-trust measures are no longer optional. Tools like Armored Client address this new class of exfiltration threats head-on.