
Google's Mandiant and Google Threat Intelligence Group (GTIG) say the ShinyHunters extortion group exploited a critical Oracle PeopleSoft vulnerability as a zero-day to compromise education institutions.
The activity, tracked as UNC6240, was observed between May 27 and June 9 and involved exploitation of CVE-2026-35273, a critical remote code execution flaw in the Environment Management component of Oracle PeopleSoft. Oracle disclosed the vulnerability on June 10, assigning it a CVSS score of 9.8 and warning that it can be exploited remotely without authentication.
According to Google, the attacks specifically targeted PeopleSoft Environment Management Hub (PSEMHUB) endpoints. After detecting active exploitation, the company notified more than 100 organizations whose systems appeared exposed to the vulnerability. Most were based in the United States, and 68% belonged to the higher education sector.
The investigation expanded after publicly accessible attacker staging servers were discovered online, allowing researchers to examine the group's infrastructure and tooling. Mandiant found customized MeshCentral remote management agents disguised as Microsoft Azure-related services, including binaries named meshagent32-azure-ops.exe and meshagent64-azure-ops.exe.
The malware was configured to communicate with azurenetfiles.net, a domain chosen to resemble Microsoft's Azure NetApp Files service. Naming malicious infrastructure after familiar cloud services is a common tactic for making command-and-control traffic blend in with legitimate activity.
Analysis of exposed command histories showed the attackers performing reconnaissance within compromised environments by reviewing Oracle PeopleSoft configuration files, inspecting WebLogic server settings, mapping internal hosts, and identifying network-mounted resources. Researchers also observed the threat actors compressing stolen data before connecting to infrastructure associated with the ShinyHunters data leak site.
Mandiant also discovered a custom lateral movement script, named with a victim-specific abbreviation followed by _fanout.sh, that automated the distribution of extortion notes across compromised PeopleSoft environments. The script parsed internal host information, attempted SSH authentication using hardcoded credentials, and copied a file named README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT to additional systems.
The activity lines up with several organizations subsequently appearing on the ShinyHunters data leak site. One potential victim is the University of Nottingham, which confirmed this week that attackers accessed data stored in its student record system after the institution was listed by ShinyHunters.
The university said a “significant amount of data” was accessed and that a forensic investigation is underway. The threat group claimed to have stolen more than 40 GB of records, including student finance information, billing data, and administrative documents spanning the university's campuses in the UK, Malaysia, and China.
Oracle's security alert states that CVE-2026-35273 affects PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62. The company recommends immediately implementing available mitigations and restricting access to vulnerable Environment Management components.
Mandiant advises organizations to disable the Environment Management Hub service where possible, block external access to PSEMHUB endpoints, review WebLogic access logs for suspicious requests, and inspect PeopleSoft servers for unauthorized JSP files, unexpected directories, and other indicators of compromise.
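The following triage script is an added illustration of the checks described above; it is not code from Mandiant, Google or Oracle. Run against constructed sample data, it flags PSEMHUB requests in a WebLogic access log that did not originate from internal address ranges, lists .jsp files outside the directories a deployment is expected to contain, and matches file names and hostnames against the indicators named in the article (the MeshCentral binary names, the azurenetfiles.net domain, the extortion note and the *_fanout.sh script). The /PSEMHUB context root, the Common Log Format layout of access.log, the internal address ranges and the expected JSP directories are assumptions to adjust for your environment; the log lines and file paths are constructed, as are the victim abbreviation "acme" and all paths.

```python
import ipaddress
import re
from fnmatch import fnmatch
from typing import Iterable

# Indicators reported in the Mandiant/GTIG findings summarised in the article.
IOC_FILENAMES = {
    "meshagent32-azure-ops.exe",
    "meshagent64-azure-ops.exe",
    "readme-if-you-see-this-youve-been-hacked.txt",
}
IOC_FILENAME_GLOBS = ("*_fanout.sh",)  # the victim-specific prefix is not published
IOC_DOMAINS = {"azurenetfiles.net"}

# Assumption: the Environment Management Hub is served under the /PSEMHUB context
# root on the PeopleSoft web server. Adjust if your deployment renamed it.
PSEMHUB_PREFIX = "/psemhub"

# Assumption: access.log uses the WebLogic default Common Log Format layout.
CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def scan_access_log(lines: Iterable[str], internal_nets: Iterable[str]) -> list[dict]:
    """Return PSEMHUB requests whose source address is outside internal_nets.

    Mandiant advises blocking external access to PSEMHUB entirely, so any hit on
    the hub from a non-internal address is worth investigating.
    """
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    hits = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m or not m["path"].lower().startswith(PSEMHUB_PREFIX):
            continue
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # a hostname in the source field is not evaluated here
        if any(src in net for net in nets):
            continue
        hits.append({"src": m["src"], "ts": m["ts"], "method": m["method"],
                     "path": m["path"], "status": int(m["status"])})
    return hits


def match_iocs(names: Iterable[str]) -> list[str]:
    """Return every file path or hostname whose basename matches a published indicator."""
    found = []
    for name in names:
        base = name.rsplit("/", 1)[-1].rsplit("\\", 1)[-1].lower()
        if base in IOC_FILENAMES or base in IOC_DOMAINS:
            found.append(name)
        elif any(fnmatch(base, g) for g in IOC_FILENAME_GLOBS):
            found.append(name)
    return found


def unexpected_jsp(paths: Iterable[str], expected_dirs: Iterable[str]) -> list[str]:
    """Return .jsp files that live outside the directories the deployment is known to use."""
    expected = tuple(d.rstrip("/") + "/" for d in expected_dirs)
    return [p for p in paths if p.lower().endswith(".jsp") and not p.startswith(expected)]


# Constructed sample data (not real victim data). 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = [
    '10.20.30.40 - - [28/May/2026:02:14:07 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 5120',
    '10.20.30.41 - - [28/May/2026:02:15:11 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 318',
    '203.0.113.77 - - [28/May/2026:02:16:44 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 318',
    '203.0.113.77 - - [28/May/2026:02:16:59 +0000] "GET /psc/ps/EMPLOYEE/HRMS/c/x.jsp HTTP/1.1" 200 11',
    'this line does not parse and must be skipped',
]
WEBAPP = "/opt/psoft/pt862/webserv/peoplesoft/applications/peoplesoft"  # assumed install root
SAMPLE_FILES = [
    WEBAPP + "/PORTAL.war/signin.jsp",
    WEBAPP + "/PSEMHUB.war/WEB-INF/tmp/x.jsp",
    "/tmp/meshagent64-azure-ops.exe",
    "C:\\ProgramData\\meshagent32-azure-ops.exe",
    "/home/psadm/acme_fanout.sh",
    "/home/psadm/README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT",
    "azurenetfiles.net",
    "/var/log/messages",
]


def triage() -> dict:
    """Run all three checks over the constructed sample data."""
    return {
        "external_psemhub_hits": scan_access_log(SAMPLE_LOG, ["10.0.0.0/8"]),
        "ioc_matches": match_iocs(SAMPLE_FILES),
        "unexpected_jsp": unexpected_jsp(SAMPLE_FILES, [WEBAPP + "/PORTAL.war"]),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(key)
        for item in value:
            print("  ", item)
```

Only the external PSEMHUB request is reported from the log; the internal one is treated as expected administrative traffic, and the regex simply skips lines it cannot parse rather than aborting the scan.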