Mandiant and Google's Threat Intelligence Group (GTIG) have linked an extortion campaign running from May 27 to June 9, 2026 to the threat actor tracked as UNC6240, publicly known as ShinyHunters. The group exploited CVE-2026-35273, a CVSS 9.8 remote code execution flaw in the Environment Management component of Oracle PeopleSoft PeopleTools, before Oracle published its security advisory on June 10 — confirming the vulnerability was used as a zero-day.
Oracle has since acknowledged that PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62 are affected and has released emergency mitigations while a full patch is in preparation. The flaw requires no authentication to exploit and can yield complete remote code execution on vulnerable instances.
- CVE-2026-35273 carries a CVSS base score of 9.8 (critical)
- Affected versions: PeopleSoft Enterprise PeopleTools 8.61 and 8.62
- Activity window: May 27 – June 9, 2026; Oracle advisory issued June 10, 2026
- More than 100 organizations notified; 68% in higher education
- ShinyHunters claims data stolen from 300 instances across those organizations
GTIG researchers identified five sequential staging IPs (142.11.200.186 through .190) running Python SimpleHTTP servers on port 8888, which inadvertently exposed attacker tooling, command histories and prebuilt agent binaries. The binaries were MeshCentral remote management agents compiled for Windows and disguised as Microsoft Azure services: the executables carried names such as meshagent64-azure-ops.exe and meshagent32-azure-ops.exe and were hardcoded to call back to the command-and-control domain azurenetfiles.net, chosen to mimic legitimate Azure NetApp Files infrastructure. The recovered command history shows MeshCentral installed at 22:14 UTC and the acme-client npm package installed eleven minutes later, at 22:25 UTC, to provision a Let's Encrypt certificate for that domain automatically.
The exposed .bash_history files, identical across all five hosts, gave investigators a detailed timeline of attacker operations. After establishing the C2 environment, the group used MeshCentral's CLI tool to run reconnaissance commands on victim hosts — querying PeopleSoft process scheduler configurations, WebLogic XML files, and internal network mounts. Lateral movement was carried out by a custom shell script, named with a victim-specific abbreviation followed by _fanout.sh, which parsed internal hostnames, attempted SSH credential spraying using hardcoded username-password pairs, and deposited a ransom-note file (README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT) into WebLogic and Process Scheduler directories. Exfiltrated data was compressed with zstd before the staging host connected outbound to 176.120.22.24, the server hosting the public ShinyHunters data leak site.
Data from compromised organizations appeared on that leak site on June 9, 2026, the same day the open attacker directories were publicly flagged on X by @nahamike01 (described in other reporting as cybersecurity researcher "Michael R"), which prompted GTIG's detailed triage.
ShinyHunters confirmed to BleepingComputer that they are responsible, describing the attack chain as a combination of older vulnerabilities and the new zero-day. The group has previously been connected to large-scale breaches of Snowflake-hosted data and Salesforce environments, as well as a recent intrusion at Instructure Canvas in which 280 million records were reportedly stolen and a ransom paid.
For professionals:
PeopleSoft administrators should, as a first step, stop external clients from reaching /PSEMHUB/hub (the Environment Management hub) and /PSIGW/HttpListeningConnector (the Integration Gateway listening connector) at the network perimeter; inspecting request bodies in a WAF is not a sufficient substitute for cutting off those paths. On the hosts themselves, compare the WebLogic application directories against the delivered PIA contents and investigate any .jsp file that is not part of them, look for binaries that do not belong in the PSEMHUB.war transaction folders, and alert on outbound SMB (TCP 445) leaving PeopleSoft hosts, since the exploit chain may force an outbound connection in order to capture NetNTLM hashes.
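The host-side part of that checklist (unexpected JSPs in the web application directories, binaries in the PSEMHUB.war transaction area) can be scripted against a baseline manifest of the delivered files. The following is an added example written for this page, not code from the Mandiant/GTIG report or from Oracle. It assumes a Linux PeopleSoft host where the PIA web applications (PORTAL.war, PSEMHUB.war and so on) sit under one root directory; the directory layout, the baseline manifest and the dropped files created by build_demo_tree() are constructed for the demonstration and stand in for the real PIA domain and a known-good file list taken from a clean install.

```python
"""Audit a PeopleSoft PIA tree for web-shell and agent-binary drops.

Added example, not from the Mandiant/GTIG report or from Oracle. The PIA
layout, baseline manifest and sample drops below are constructed.
"""
import hashlib
import tempfile
import time
from pathlib import Path
from typing import Optional

JSP_SUFFIXES = {".jsp", ".jspx"}
# Magic bytes of the native binaries an attacker would stage on the host
BINARY_MAGIC = {b"MZ": "PE executable", b"\x7fELF": "ELF executable"}


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def classify_binary(path: Path) -> Optional[str]:
    """Return 'PE executable' / 'ELF executable' by magic bytes, else None."""
    with path.open("rb") as f:
        head = f.read(4)
    for magic, kind in BINARY_MAGIC.items():
        if head.startswith(magic):
            return kind
    return None


def audit_tree(root: Path, baseline: dict, since_epoch: float) -> list:
    """Compare every file under root with a baseline manifest
    (relative POSIX path -> sha256 of the delivered file).

    Findings: JSPs absent from the baseline or with a changed hash, any
    PE/ELF binary inside a 'transaction' directory (the PSEMHUB.war staging
    area), any baselined file whose hash changed, and any unknown file
    written after since_epoch.
    """
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel_parts = path.relative_to(root).parts
        rel = "/".join(rel_parts)
        known = baseline.get(rel)
        digest = sha256_of(path)
        if path.suffix.lower() in JSP_SUFFIXES:
            if known is None:
                findings.append({"path": rel, "reason": "jsp not in baseline"})
            elif known != digest:
                findings.append({"path": rel, "reason": "jsp hash mismatch"})
            continue
        in_transaction_dir = any(p.lower() == "transaction" for p in rel_parts[:-1])
        kind = classify_binary(path)
        if kind and in_transaction_dir:
            findings.append({"path": rel, "reason": f"{kind} in transaction folder"})
        elif known is not None and known != digest:
            findings.append({"path": rel, "reason": "baselined file modified"})
        elif known is None and path.stat().st_mtime > since_epoch:
            findings.append({"path": rel, "reason": "unknown file written after cutoff"})
    return findings


def build_demo_tree(root: Path) -> dict:
    """Constructed PIA layout: two known-good files plus three drops that
    mirror the reported tradecraft. Returns the baseline manifest."""
    delivered = {
        "PORTAL.war/signon.jsp": b"<%@ page language='java' %><html>signon</html>",
        "PORTAL.war/WEB-INF/web.xml": b"<web-app/>",
    }
    baseline = {}
    for rel, data in delivered.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
        baseline[rel] = hashlib.sha256(data).hexdigest()
    # Drop 1: a delivered JSP overwritten in place
    (root / "PORTAL.war/signon.jsp").write_bytes(b"<% /* replaced */ %>")
    # Drop 2: a JSP that exists in no baseline
    shell = root / "PORTAL.war/ps/cmd.jsp"
    shell.parent.mkdir(parents=True, exist_ok=True)
    shell.write_bytes(b"<% /* not delivered */ %>")
    # Drop 3: an agent binary (PE header only) in the PSEMHUB transaction area
    agent = root / "PSEMHUB.war/transaction/4711/meshagent64-azure-ops.exe"
    agent.parent.mkdir(parents=True, exist_ok=True)
    agent.write_bytes(b"MZ" + b"\x00" * 62)
    return baseline


def run_demo() -> list:
    """Build the constructed tree in a temp dir and audit it; returns findings."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        baseline = build_demo_tree(root)
        return audit_tree(root, baseline, since_epoch=time.time() - 86400)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['reason']:38} {f['path']}")
```

Against the constructed tree this reports exactly the three drops and stays silent on the unchanged web.xml. In production the baseline manifest would be generated once from a clean PIA install of the same PeopleTools release, and the script run with since_epoch set to the start of the activity window (May 27, 2026) so that anything the baseline does not know about is surfaced.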
Google SecOps customers will receive detection rules covering PeopleSoft configuration inspection, suspicious JSP writes to PSEMHUB, sshpass-based file deployment, zstd compression activity, and MeshCentral command execution via meshctrl.
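Teams without those rules can build equivalent coverage from their own host telemetry. The block below is an added example for this page, not a Google SecOps rule and not code from the report: it scores the behaviours listed above (PeopleSoft configuration reads, JSP writes under PSEMHUB.war, sshpass, zstd, meshctrl) plus the outbound SMB check, and escalates a host only when several distinct stages occur within one window, because zstd and configuration reads are also routine administration. The normalised event format, hostnames, paths and the destination 203.0.113.7 (a documentation address standing in for an attacker host) are all constructed for the demonstration.

```python
"""Stage-based correlation of host telemetry for the tradecraft reported above.

Added example, not a Google SecOps rule. Event schema, hosts, paths and IPs
are constructed; 203.0.113.7 is a documentation address.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

PSEMHUB_JSP = re.compile(r"PSEMHUB\.war/.*\.jspx?$", re.IGNORECASE)
PS_CONFIG = re.compile(r"(psprcs\.cfg|psappsrv\.cfg|config\.xml|psft\.properties)", re.IGNORECASE)
# Explicit internal ranges rather than ipaddress.is_private, which also
# treats documentation ranges such as 203.0.113.0/24 as private.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_external(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


# Each rule: (stage name, predicate over one normalised event dict)
RULES = [
    ("config_inspection", lambda e: e["type"] == "process" and PS_CONFIG.search(e.get("cmdline", "")) is not None),
    ("jsp_write_psemhub", lambda e: e["type"] == "file_write" and PSEMHUB_JSP.search(e.get("path", "")) is not None),
    ("sshpass_deploy", lambda e: e["type"] == "process" and e.get("image", "").endswith("/sshpass")),
    ("zstd_compress", lambda e: e["type"] == "process" and e.get("image", "").endswith("/zstd")),
    ("meshctrl_exec", lambda e: e["type"] == "process" and "meshctrl" in e.get("cmdline", "")),
    ("outbound_smb", lambda e: e["type"] == "net" and e.get("dport") == 445 and is_external(e.get("dst", "127.0.0.1"))),
]


def match_stages(event: dict) -> list:
    return [name for name, pred in RULES if pred(event)]


def correlate(events: list, window: timedelta = timedelta(hours=1)) -> list:
    """Return one alert per host that matched at least one stage.

    Severity is 'high' when two or more distinct stages fall inside `window`
    (the largest such set is reported) and 'info' for a lone stage.
    """
    hits = defaultdict(list)
    for e in events:
        for stage in match_stages(e):
            ts = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
            hits[e["host"]].append((ts, stage))
    alerts = []
    for host, items in hits.items():
        items.sort()
        best = set()
        for i, (t0, _) in enumerate(items):
            in_window = {s for t, s in items[i:] if t - t0 <= window}
            if len(in_window) > len(best):
                best = in_window
        alerts.append({"host": host, "stages": sorted(best),
                       "severity": "high" if len(best) >= 2 else "info"})
    return sorted(alerts, key=lambda a: a["host"])


# Constructed sample feed: one host walks through four stages in 47 minutes,
# a batch host runs a legitimate nightly zstd, a third host does nothing of note.
SAMPLE_EVENTS = [
    {"ts": "2026-06-05T02:14:11Z", "host": "ps-web01", "type": "process", "user": "psadm2",
     "image": "/usr/bin/cat", "cmdline": "cat /opt/psft/pt/appserv/prcs/PRCSDOM/psprcs.cfg"},
    {"ts": "2026-06-05T02:21:40Z", "host": "ps-web01", "type": "file_write", "user": "psadm2",
     "path": "/opt/psft/webserv/pia/applications/peoplesoft/PSEMHUB.war/transaction/4711/upd.jsp"},
    {"ts": "2026-06-05T02:40:03Z", "host": "ps-web01", "type": "process", "user": "psadm2",
     "image": "/usr/bin/zstd", "cmdline": "zstd -19 -T0 /tmp/.x/dump.tar"},
    {"ts": "2026-06-05T03:01:55Z", "host": "ps-web01", "type": "net", "proto": "tcp",
     "dst": "203.0.113.7", "dport": 445},
    {"ts": "2026-06-05T03:05:00Z", "host": "ps-web01", "type": "net", "proto": "tcp",
     "dst": "10.20.0.15", "dport": 445},  # internal file server: not flagged
    {"ts": "2026-06-05T01:30:00Z", "host": "ps-batch02", "type": "process", "user": "backup",
     "image": "/usr/bin/zstd", "cmdline": "zstd -q /backup/nightly.tar"},
    {"ts": "2026-06-05T01:31:00Z", "host": "ps-web03", "type": "process", "user": "psadm2",
     "image": "/usr/bin/ls", "cmdline": "ls -la /opt/psft"},
]


def demo() -> list:
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in demo():
        print(a["severity"].upper(), a["host"], ", ".join(a["stages"]))
```

The window is the tunable part: the reported intrusions ran recon, JSP drops, compression and the outbound connection in sequence on the same host, so a one-hour window keeps the chain together while a single zstd from a backup account stays at informational level. Feeding real EDR or auditd output only requires mapping its fields onto the ts/host/type/image/cmdline/path/dst/dport keys used here.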
Oracle has not publicly confirmed active exploitation in its advisory, but both Mandiant's telemetry and ShinyHunters' own statements corroborate ongoing attacks. Organizations on versions 8.61 or 8.62 should treat mitigation as urgent pending the forthcoming patch.
Automated pipeline · Security
Synthesized from 3 industry feeds on 13 Jun 2026. Passed independent editor verification before publication. Style guide v1.1.