Mandiant and Google Threat Intelligence Group (GTIG) have issued a critical warning after identifying an active compromise-and-extortion campaign targeting Oracle PeopleSoft infrastructure, attributed to the notorious threat actor UNC6240, also known as ShinyHunters.<\/p>\n
The campaign exploited CVE-2026-35273<\/a>, a critical unauthenticated remote code execution (RCE) vulnerability with a CVSS score of 9.8, as a zero-day before Oracle published its advisory on June 10, 2026.<\/p>\n The malicious activity was observed between May 27 and June 9, 2026, with attacks targeting the Environment Management Hub (PSEMHUB) component of Oracle PeopleSoft PeopleTools versions 8.61 and 8.62.<\/p>\n Google Threat Intelligence Group notified over 100 global organizations whose IP addresses correlated with potentially vulnerable endpoints, with 68% of victims concentrated in the higher education sector, including universities and colleges worldwide.<\/p>\n The University of Nottingham confirmed unauthorized activity on its systems, with reports indicating approximately 40 gigabytes of stolen data, including student records, financial aid data, health records, and immigration details.<\/p>\n GTIG triaged five sequential attacker-controlled staging IP addresses<\/a>, 142.11.200.186 through 142.11.200.190, each hosting a Python SimpleHTTP server on port 8888.<\/p>\n These exposed directory contents included attacker command histories, staging materials, and pre-configured MeshCentral remote management agents.<\/p>\n The Windows agent binaries were disguised as legitimate Microsoft Azure services ( The attackers established their staging environment on May 27, 2026, at 22:14 UTC by installing MeshCentral v1.1.59, followed at 22:25 UTC by the Using the Lateral movement was automated via a custom propagation script Upon successful authentication, the script dropped a defacement and extortion marker file Exfiltrated data was compressed using Organizations are strongly advised to apply Oracle\u2019s emergency advisory for CVE-2026-35273 and remain on actively supported PeopleSoft versions with all Critical Patch Updates applied without delay.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates.<\/strong><\/p>\n The post Oracle PeopleSoft 0-Day RCE Vulnerability Exploited in Attacks by ShinyHunters<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nOracle PeopleSoft 0-Day RCE Vulnerability<\/strong><\/h2>\n
meshagent32-azure-ops.exe<\/code>, meshagent64-azure-ops.exe<\/code>, meshagent64-v2.exe<\/code>) and hardcoded to establish C2 communications with wss:\/\/azurenetfiles.net:443\/agent.ashx<\/code> \u2014 a domain crafted to mimic legitimate Microsoft Azure NetApp Files endpoints.<\/p>\nacme-client<\/code> npm package to automate Let\u2019s Encrypt SSL certificate provisioning for the masquerading domain.<\/p>\nmeshctrl.js<\/code> CLI, they executed targeted reconnaissance commands on compromised hosts, mapping Oracle PeopleSoft configurations by inspecting psappsrv.cfg<\/code>, auditing active NFS mounts, and reading WebLogic config.xml<\/code> files to map internal application servers.<\/p>\n[victim_abbreviation]_fanout.sh<\/code> deployed to \/tmp<\/code>, which performed SSH credential spraying against internal hosts parsed from \/etc\/hosts<\/code>.<\/p>\nREADME-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT<\/code> into WebLogic and Process Scheduler directories.<\/p>\nzstd<\/code> before the attackers established an outbound SSH connection to 176.120.22.24, the IP hosting the public mirror of the ShinyHunters Data Leak Site (DLS). Stolen data archives were published on the DLS on June 9, 2026.<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/storage.googleapis.com\/gweb-cloudblog-publish\/images\/peoplesoft-shinyhunters.max-1700x1700.png?resize=1700%2C1700&ssl=1\")
Key IOCs<\/h2>\n
\n\n
\n \nIndicator<\/th>\n Type<\/th>\n Description<\/th>\n<\/tr>\n<\/thead>\n \n 142.11.200.186\u2013.190<\/td>\n IP Addresses<\/td>\n Attacker staging servers<\/td>\n<\/tr>\n \n azurenetfiles.net<\/code><\/td>\nDomain<\/td>\n C2 masquerading domain<\/td>\n<\/tr>\n \n meshagent64-azure-ops.exe<\/code><\/td>\nSHA-256: f02a924c...<\/code>\n<\/td>\nPre-configured Windows agent<\/td>\n<\/tr>\n \n meshagent32-azure-ops.exe<\/code><\/td>\nSHA-256: c7e93327...<\/code>\n<\/td>\nPre-configured Windows agent<\/td>\n<\/tr>\n \n .bash_history<\/code><\/td>\nSHA-256: 2ab684d9...<\/code>\n<\/td>\nAttacker command history<\/td>\n<\/tr>\n \n README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT<\/code><\/td>\nFilename<\/td>\n Extortion marker<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n