Author: Mandiant / Google Threat Intelligence Group (GTIG)
Published: June 11, 2026
Source: https://cloud.google.com/blog/topics/threat-intelligence/shinyhunters-targets-education-sector-oracle-exploit
Summary
Mandiant and the Google Threat Intelligence Group report a zero-day exploitation and extortion campaign by ShinyHunters (tracked as UNC6240) against Oracle PeopleSoft environments, running from May 27 to June 9, 2026. The actor exploited CVE-2026-35273, a critical (CVSS 9.8) unauthenticated remote code execution flaw in PeopleSoft Environment Management, before Oracle published its advisory on June 10, 2026. The campaign disproportionately hit the higher-education sector (about 68% of identified victims, mostly in the United States), with stolen data published on ShinyHunters’ data leak site for extortion. GTIG notified 100+ exposed organizations globally.
Technical Details
According to the report, CVE-2026-35273 is an unauthenticated RCE vulnerability reachable through Oracle PeopleSoft Environment Management Hub (PSEMHUB) endpoints, with related exposure around the Environment Management component and the Integration Broker listening connector (/PSIGW/HttpListeningConnector). Exploitation required no authentication and yielded code execution on PeopleSoft application servers.
At a defensive level, the post describes the following attacker workflow (specific exploit payloads and the lateral-movement script are intentionally not reproduced here):
- Initial access: unauthenticated exploitation of the vulnerable PSEMHUB endpoints for RCE.
- Persistence / C2: deployment of pre-configured MeshCentral remote-management agents (MeshCentral v1.1.59, installed May 27, 2026), hardcoded to reach a command-and-control domain over WSS on port 443.
- Reconnaissance: enumeration of PeopleSoft configuration, mounted/shared storage, and host tables to map internal systems.
- Lateral movement: SSH credential spraying across discovered internal hosts, accompanied by deployment of a defacement/extortion marker file.
- Exfiltration: compression of staged data and transfer over an SSH tunnel to an attacker-controlled mirror host.
CVE: CVE-2026-35273.
CVSS: 9.8 (critical).
Affected: Oracle PeopleSoft — Environment Management / Environment Management Hub (PSEMHUB). The report frames exposure in terms of internet-reachable PSEMHUB and Integration Broker endpoints; consult Oracle’s advisory for affected/fixed version specifics.
Impact
Successful exploitation gave the actor unauthenticated code execution on PeopleSoft servers, followed by internal reconnaissance, lateral movement, and theft of organizational data used for extortion. ShinyHunters published stolen data on its data leak site on June 9, 2026. The campaign was first surfaced publicly the same day when open attacker directories were spotted by researcher @nahamike01. Attribution in the report is to UNC6240 (ShinyHunters); the primary victim profile is higher-education institutions, predominantly in the United States.
Selected indicators of compromise (from the report):
- Staging server IPs: 142.11.200.186–190.
- C2 domain: azurenetfiles.net (masquerading as Microsoft Azure NetApp Files); C2 path: wss://azurenetfiles.net:443/agent.ashx.
- Data-leak-site mirror host: 176.120.22.24.
- MeshCentral agent SHA-256 hashes:
  - c7e9332731b06644fc73e0046a2a89eaa59b09f54250e9bd622467187351711f
  - f02a924c9ff92a8780ce812511341182c6b509d45bc59f3f7b522e37225d24fc
  - d83fdb9e53c5ff03c4cb0451ea1bebd79b53f29eadc1e2fa394c7af13a86ce2f
  - 68257a6f9ff196179ec03624e849927f26599eb180a7c82e14ef5bc4e93bc309
- Extortion marker filename: README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT.
Mitigation
Per Oracle and GTIG guidance summarized in the report:
- Apply Oracle’s security update for CVE-2026-35273 (Oracle Security Alert, June 10, 2026) and stay on actively supported PeopleSoft versions.
- Restrict or block external access to the affected endpoints — /PSEMHUB/*, /PSEMHUB/hub, and /PSIGW/HttpListeningConnector — and, where possible, disable the EMHub service (multi-server) or remove the PSEMHUB application (single-server).
- Hunt for compromise: review WebLogic access logs for requests to the PSEMHUB/Integration Broker endpoints, search for unexpected JSP webshells under the PSEMHUB web application, and look for the IOCs above and recently modified environment metadata.
- Monitor network telemetry for anomalous outbound connections and C2 patterns, and block/alert on the listed indicators.
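A small log-hunting helper for the "Hunt for compromise" and "block/alert on the listed indicators" steps above, added here as an example and not code from the GTIG report: it parses WebLogic access.log lines in Common Log Format and flags external requests to the PSEMHUB and Integration Broker endpoints, requests for .jsp files under /PSEMHUB/, and any request sourced from the staging or mirror IPs listed above. The internal address ranges, the Common Log Format assumption, and the sample log lines are assumptions constructed for the example.

```python
import ipaddress
import re
# Endpoints named in the advisory; external requests to them are worth analyst review.
WATCHED_PREFIXES = ("/PSEMHUB", "/PSIGW/HttpListeningConnector")
# Staging and mirror IPs from the report (142.11.200.186-190 expanded).
IOC_IPS = {f"142.11.200.{i}" for i in range(186, 191)} | {"176.120.22.24"}
# Assumption: the organisation's internal ranges; adjust to the real address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Assumed WebLogic access.log in Common Log Format: host ident user [ts] "method path proto" status bytes
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+')

def is_external(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # unparseable source field: treat as untrusted rather than silently skip
    return not any(addr in net for net in INTERNAL_NETS)

def classify(src, path):
    # Reasons a request deserves review; an empty list means nothing of note.
    p = path.split("?", 1)[0]  # match on the path only, ignoring any query string
    reasons = []
    if src in IOC_IPS:
        reasons.append("ioc-source-ip")
    if is_external(src) and any(p == w or p.startswith(w + "/") for w in WATCHED_PREFIXES):
        reasons.append("external-hit-on-watched-endpoint")
    if p.startswith("/PSEMHUB/") and p.lower().endswith(".jsp"):
        reasons.append("jsp-under-psemhub")  # candidate webshell: compare with a known-good file list
    return reasons

def hunt(log_text):
    # Returns (line_no, src, method, path, status, reasons) for each flagged line.
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # non-CLF line; a production job should count these so parser drift is noticed
        reasons = classify(m["src"], m["path"])
        if reasons:
            findings.append((n, m["src"], m["method"], m["path"], m["status"], reasons))
    return findings
# Constructed sample lines (not real telemetry); the internal Integration Broker POST is not flagged.
SAMPLE_LOG = """\
10.0.0.9 - - [28/May/2026:09:14:30 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 312
142.11.200.187 - - [28/May/2026:09:15:44 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512
142.11.200.187 - - [28/May/2026:09:16:02 +0000] "GET /PSEMHUB/update.jsp HTTP/1.1" 200 74
203.0.113.9 - - [28/May/2026:09:20:00 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 500 0
"""
```

Internal integrations legitimately POST to the Integration Broker listener, so the external-source test keeps that traffic out of the findings; a hit from an internal host on a PSEMHUB .jsp is still surfaced, since that matches the webshell pattern the report describes.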
References
- ShinyHunters Targets Education Sector with Oracle PeopleSoft Exploit
- Oracle Security Alert Advisory — CVE-2026-35273
- GTI VirusTotal IOC collection (registered users)
- @nahamike01 — initial public disclosure of open attacker directories
- GTIG — Seeking Counsel: targeted campaign against US law firms
- GTIG — Exploitation of KnowledgeDeliver via ViewState deserialization
- GTIG — 2 PhaaS 2 Furious: Chinese-language phishing services
- GTIG — Welcome to BlackFile: vishing extortion operation