Executive Summary
Between late May and early June 2026, the notorious threat actor group ShinyHunters executed a highly coordinated cyberattack campaign targeting the higher education sector by exploiting a previously unknown zero-day vulnerability in Oracle PeopleSoft. This vulnerability, tracked as CVE-2026-35273, enabled unauthenticated remote code execution (RCE) via the PeopleSoft Environment Management Hub (PSEMHUB) component. The exploitation allowed attackers to gain full control over affected systems, resulting in widespread data theft, extortion, and public data leaks. Over 100 organizations were impacted, with approximately 68% being academic institutions in the United States. The campaign demonstrates the increasing sophistication of threat actors in leveraging zero-day vulnerabilities against critical enterprise applications and highlights the urgent need for robust vulnerability management and incident response capabilities.
Threat Actor Profile
ShinyHunters is a prolific, financially motivated cybercriminal group, first emerging in 2020 and known for high-profile data breaches, extortion, and the sale of stolen data on underground forums and dedicated leak sites. The group operates with a hybrid model, combining ransomware-style extortion with data theft and public shaming. ShinyHunters is characterized by rapid exploitation of newly discovered vulnerabilities, advanced lateral movement techniques, and a preference for targeting sectors with high-value personal and financial data, such as education, healthcare, and retail. Their operations are marked by the use of custom tooling, obfuscation, and a willingness to exploit zero-day vulnerabilities, as evidenced in this campaign against Oracle PeopleSoft.
Technical Analysis of Malware/TTPs
The attack chain began with the identification of internet-exposed PeopleSoft instances, specifically those running vulnerable versions of the PSEMHUB component. The attackers exploited CVE-2026-35273, a critical RCE flaw resulting from missing authentication checks in the PSEMHUB HTTP endpoints. By sending crafted POST requests to /PSEMHUB/hub or /PSIGW/HttpListeningConnector, the attackers achieved arbitrary code execution as the application user.
Upon successful exploitation, ShinyHunters deployed a customized variant of the MeshCentral remote access tool, masquerading as legitimate Azure services. The malicious agents communicated with a command-and-control (C2) infrastructure hosted at azurenetfiles.net over WebSocket Secure (wss://azurenetfiles.net:443/agent.ashx). The attackers used the MeshCentral CLI (meshctrl.js) for host enumeration, credential harvesting, and internal reconnaissance, extracting sensitive configuration files such as psappsrv.cfg and config.xml to map the internal network and identify further targets.
For lateral movement, the attackers leveraged a propagation script named [victim_abbreviation]_fanout.sh, which performed SSH credential spraying using common administrative and application credentials. Successful lateral movement was marked by the creation of a defacement and extortion notice file, README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT, on compromised hosts. Data exfiltration was accomplished by compressing stolen files with zstd and transferring them via SSH to attacker-controlled infrastructure. The stolen data was subsequently published on the ShinyHunters Data Leak Site (DLS), amplifying the impact and pressuring victims to pay extortion demands.
Key technical indicators include the presence of unauthorized .jsp files in <PS_CFG_HOME>/webserv/<domain>/applications/peoplesoft/PSEMHUB.war/, suspicious directories such as logs, persistantstorage, and scratchpad under PSEMHUB paths, and recently modified .xml files in <docroot>/envmetadata/data/environment/. Network indicators include outbound connections to the C2 domain and IPs, as well as anomalous SSH and SMB traffic from PeopleSoft servers.
Exploitation in the Wild
The exploitation campaign unfolded rapidly, with ShinyHunters scanning for and compromising vulnerable PeopleSoft instances across the globe. The majority of victims were higher education institutions in the United States, but the campaign also affected universities and colleges in other regions. Attackers publicized their activities on social media and underground forums, sharing proof of compromise and taunting victims. The use of a zero-day exploit allowed ShinyHunters to bypass traditional security controls and achieve initial access before any public disclosure or patch was available from Oracle.
Victims reported widespread system outages, unauthorized access to sensitive student and faculty data, and the presence of extortion notes on critical servers. The attackers' use of legitimate remote management tools and encrypted C2 channels complicated detection and response efforts. In several cases, data exfiltration was detected only after the publication of stolen information on the ShinyHunters DLS. The campaign underscores the importance of proactive threat hunting, network segmentation, and rapid patch management in defending against advanced persistent threats.
Victimology and Targeting
The primary targets of this campaign were higher education institutions, including universities, colleges, and research organizations. Analysis of public disclosures and underground forum posts indicates that at least 68% of affected organizations were based in the United States, with additional victims in Europe, Asia, and Australia. The attackers focused on institutions running Oracle PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62, which were confirmed to be vulnerable to CVE-2026-35273.
The motivation behind the targeting appears to be twofold: the high value of personal and financial data stored by educational institutions, and the prevalence of legacy or under-maintained ERP systems in the sector. The attackers demonstrated a deep understanding of PeopleSoft architecture, leveraging internal configuration files to facilitate lateral movement and maximize data theft. Victims included both large research universities and smaller colleges, indicating a broad and opportunistic targeting strategy.
Mitigation and Countermeasures
Organizations running Oracle PeopleSoft should immediately review their exposure to CVE-2026-35273 and take the following actions to mitigate risk:
- Restrict or disable external access to PSEMHUB and PSIGW endpoints, following guidance from the official Oracle Security Alert.
- Audit web server and application logs for suspicious POST requests to /PSEMHUB/hub and /PSIGW/HttpListeningConnector originating from untrusted IP addresses.
- Conduct file integrity checks to identify unauthorized .jsp files, unexpected directories, and recently modified .xml files within PeopleSoft application paths.
- Monitor for outbound connections to the C2 domain azurenetfiles.net and associated IP addresses (142.11.200.186 through 142.11.200.190), as well as anomalous SSH and SMB traffic from PeopleSoft servers.
- Search for the presence of MeshCentral agent binaries and the extortion marker file README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT on all systems.
- Apply the official Oracle patch for CVE-2026-35273 as soon as it becomes available, and verify that all systems are updated to non-vulnerable versions.
- Implement network segmentation and least-privilege access controls to limit lateral movement opportunities.
- Enhance incident response readiness by developing playbooks for ERP compromise scenarios and conducting regular tabletop exercises.
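The following script is an added example, not part of the original advisory or of any vendor tooling, showing how the log-audit and C2-monitoring checks above (and the network indicators listed under Technical Analysis) can be turned into concrete detection logic. It assumes Common Log Format access logs and an example trusted network of 10.0.0.0/8; the log lines are constructed samples, while the endpoint paths, C2 domain and IP range come from the report.

```python
"""Detection helpers for the PeopleSoft/PSEMHUB indicators in this advisory."""
import ipaddress
import re
from typing import Iterable

# Endpoints the advisory names as targets of unauthenticated POST requests.
SUSPICIOUS_ENDPOINTS = ("/PSEMHUB/hub", "/PSIGW/HttpListeningConnector")
# C2 indicators from the report: the domain and the range 142.11.200.186-190.
C2_DOMAIN = "azurenetfiles.net"
C2_RANGE = [ipaddress.ip_address(f"142.11.200.{n}") for n in range(186, 191)]
# Assumed source networks allowed to reach the management endpoints; adjust per site.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Common Log Format: ip ident user [timestamp] "METHOD path HTTP/x" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def is_trusted(ip: str) -> bool:
    """True if the source address belongs to one of the allowlisted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def flag_web_requests(lines: Iterable[str]) -> list[dict]:
    """Return POSTs to the PSEMHUB/PSIGW endpoints from addresses outside TRUSTED_NETS."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        ip, ts, method, path, status = m.groups()
        bare_path = path.split("?")[0]
        if method == "POST" and bare_path.startswith(SUSPICIOUS_ENDPOINTS) and not is_trusted(ip):
            hits.append({"ip": ip, "time": ts, "path": bare_path, "status": int(status)})
    return hits

def is_c2_destination(host: str) -> bool:
    """True if an outbound destination matches the C2 domain or the reported IP range."""
    name = host.lower().rstrip(".")
    if name == C2_DOMAIN or name.endswith("." + C2_DOMAIN):
        return True
    try:
        return ipaddress.ip_address(host) in C2_RANGE
    except ValueError:
        return False  # not an IP literal and not the C2 domain

# Constructed sample access-log lines (not real victim data).
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Jun/2026:03:14:07 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512',
    '10.20.30.40 - - [02/Jun/2026:03:15:00 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512',
    '203.0.113.7 - - [02/Jun/2026:03:16:22 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 9001',
    '198.51.100.9 - - [02/Jun/2026:03:17:45 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for hit in flag_web_requests(SAMPLE_LOG):
        print("suspicious request:", hit)
```

Only the two external-source POSTs are flagged; the internal 10.20.30.40 request and the login GET are ignored, and is_c2_destination can be applied to proxy or DNS logs to catch the outbound side.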
References
Google Cloud Threat Intelligence Blog: https://cloud.google.com/blog/topics/threat-intelligence/shinyhunters-targets-education-sector-oracle-exploit
Oracle Security Alert Advisory - CVE-2026-35273: https://nvd.nist.gov/vuln/detail/CVE-2026-35273
DarkReading: ShinyHunters Uses Oracle Zero-Day to Rampage Higher Ed: https://www.darkreading.com/vulnerabilities-threats/shinyhunters-oracle-zero-day-higher-ed
TheHackerNews: ShinyHunters Exploits Oracle PeopleSoft Zero-Day: https://thehackernews.com/2026/06/shinyhunters-exploits-oracle-peoplesoft.html
Reddit Cybersecurity Thread: https://www.reddit.com/r/cybersecurity/comments/1u3k5sy/shinyhunters_hacked_100_orgs_by_exploiting_an/
ShinyHunters DLS Post: https://twitter.com/nahamike01/status/2065532237685428430
CISA KEV Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-35273
About Rescana
Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to continuously monitor, assess, and mitigate cyber risks across their digital supply chain. Our advanced analytics and threat intelligence capabilities empower security teams to proactively identify vulnerabilities, prioritize remediation, and strengthen their overall security posture. For more information or to discuss how Rescana can help your organization manage cyber risk, we are happy to answer questions at ops@rescana.com.