ShinyHunters Data Extortion Group Compromises Over 100 Organizations Using Oracle PeopleSoft Zero-Day Vulnerability

Executive Summary

The financially motivated threat group ShinyHunters has been identified as the actor behind a widespread campaign exploiting a zero-day vulnerability in Oracle PeopleSoft. The critical flaw, CVE-2026-35273, is an unauthenticated remote code execution (RCE) vulnerability with a CVSS score of 9.8. Between late May and early June 2026, the group used this exploit to breach over 100 organizations globally before a patch was available. A joint report from Mandiant and Google's Threat Intelligence Group revealed that the campaign disproportionately targeted the higher education sector, which accounted for 68% of victims, primarily in the United States. The University of Nottingham has been publicly named as a victim. In response to active exploitation, CISA has added the CVE to its Known Exploited Vulnerabilities (KEV) catalog, demanding federal agencies remediate by June 15, 2026.

Threat Overview

• Threat Actor: ShinyHunters (also tracked as UNC6240)
• Targeting: Over 100 organizations, with a heavy focus on higher education (68%), primarily in the U.S. and U.K.
• Attack Vector: Exploitation of a zero-day RCE vulnerability, CVE-2026-35273, in Oracle PeopleSoft Enterprise PeopleTools.
• Objective: Initial access for data theft and extortion. The group exfiltrates sensitive data and posts it on their data leak site to pressure victims into paying.
• Timeline: Attacks were observed between May 27 and June 9, 2026. Oracle released a security alert on June 10, and CISA added the CVE to its KEV list on June 12.

Technical Analysis

The core of the attack is the exploitation of CVE-2026-35273. This vulnerability in Oracle PeopleSoft Enterprise PeopleTools (versions 8.61 and 8.62) allows an unauthenticated attacker with network access to the system to execute arbitrary code, leading to a complete takeover.

MITRE ATT&CK TTPs

• T1190 - Exploit Public-Facing Application: ShinyHunters used the zero-day exploit against internet-facing Oracle PeopleSoft instances to gain initial access.
• T1071.001 - Web Protocols: The attackers used customized MeshCentral agents for command and control (C2), communicating over standard web protocols to disguise their traffic.
• T1105 - Ingress Tool Transfer: After gaining access, the attackers downloaded their post-exploitation toolkits, including the MeshCentral agents.
• T1567 - Exfiltration Over Web Service: The group exfiltrated large volumes of data (e.g., 40 GB from the University of Nottingham) to be used for extortion.
• T1048 - Exfiltration Over Alternative Protocol: The use of MeshCentral, a remote management tool, for C2 and data staging can be considered an alternative protocol for exfiltration.

Mandiant's analysis noted the use of customized MeshCentral agents, an open-source remote management tool. By disguising these agents as legitimate cloud endpoints, ShinyHunters could maintain persistence and execute commands stealthily.

Impact Assessment

The impact on affected organizations, particularly universities, is severe. PeopleSoft systems often serve as the central hub for student information systems (SIS), human resources (HR), and financial data. A successful breach can lead to:

• Massive Data Theft: Exfiltration of sensitive personally identifiable information (PII) for students, faculty, and staff, including names, addresses, financial details, and academic records.
• Extortion Demands: ShinyHunters is a data extortion group, meaning they will demand payment to prevent the public release of stolen data.
• Regulatory Fines: Breaches involving student or employee data can lead to significant fines under regulations like GDPR or state-level privacy laws.
• Reputational Damage: A public breach can severely damage an institution's reputation, affecting student enrollment and trust.
• Operational Disruption: Remediation efforts can be costly and time-consuming, potentially disrupting core administrative functions.

IOCs — Directly from Articles

No specific Indicators of Compromise (IPs, domains, hashes) were provided in the source articles.

Cyber Observables — Hunting Hints

Security teams may want to hunt for the following patterns to identify potentially compromised PeopleSoft systems:

Detection & Response

1. Prioritize Patching: Immediately apply the risk reduction measures provided by Oracle for CVE-2026-35273. Given it's a KEV, this should be treated as an emergency.
2. Hunt for Compromise: Proactively hunt for signs of compromise on all PeopleSoft servers, focusing on the period from late May 2026 onwards. Use the observables above as a starting point.
3. Network Monitoring (D3-NTA: Network Traffic Analysis): Scrutinize all outbound network connections from PeopleSoft servers. Block and alert on any connections to unknown or suspicious domains, especially those related to remote access tools like MeshCentral.
4. Log Review: Analyze web server access logs for PeopleSoft front-end servers, looking for unusual URL requests or patterns that might indicate exploit attempts.

Mitigation

1. Apply Oracle's Mitigations: Follow Oracle's guidance to remediate CVE-2026-35273. This is the most critical step. (D3-SU: Software Update)
2. Restrict Access: Limit network access to PeopleSoft systems. If possible, they should not be directly exposed to the internet. Use a Web Application Firewall (WAF) to filter and monitor traffic. (D3-ITF: Inbound Traffic Filtering)
3. Egress Filtering: Implement strict outbound network traffic rules (egress filtering) for servers hosting PeopleSoft, allowing connections only to known-good, required destinations. This can prevent C2 communication and data exfiltration. (D3-OTF: Outbound Traffic Filtering)
4. Principle of Least Privilege: Ensure that the service accounts running PeopleSoft applications have the minimum necessary privileges to function, limiting the potential impact of an RCE. (D3-UAP: User Account Permissions)