Introduction
A dangerous new cyber campaign has exposed how quickly unpatched enterprise software can become a gateway for large-scale data theft. Security researchers have linked a series of intrusions targeting organizations worldwide to the notorious ShinyHunters extortion group, which allegedly exploited a previously unknown Oracle PeopleSoft vulnerability before any official patch or public warning existed.
The attacks primarily affected universities and educational institutions, placing hundreds of thousands of students, alumni, and staff members at risk. According to security investigators, the operation demonstrates a significant evolution in ShinyHunters’ tactics, moving beyond social engineering and stolen credentials into sophisticated server-side exploitation. The campaign raises serious concerns for organizations still relying on internet-facing ERP infrastructure and highlights the growing value of educational data within the cybercriminal ecosystem.
Oracle PeopleSoft Zero-Day Becomes a Major Entry Point
Security experts from Google’s Mandiant division have attributed the activity to a threat cluster known as UNC6240, which is believed to be associated with the ShinyHunters extortion operation. Investigators observed active exploitation between May 27 and June 9, while Oracle’s advisory was only published on June 10.
This timing effectively made the vulnerability a zero-day throughout the entire attack window. Organizations had no official warning and no available remediation guidance while attackers were actively exploiting systems.
The flaw, tracked as CVE-2026-35273, received a critical severity rating of 9.8 out of 10. The vulnerability allows remote code execution without requiring user interaction or authentication. An attacker simply needs network access to exposed PeopleSoft services to gain control of vulnerable servers.
For many organizations, particularly universities operating externally accessible PeopleSoft environments, this created an ideal attack surface.
Understanding the Critical Vulnerability
The weakness exists within Oracle PeopleSoft Enterprise PeopleTools, specifically inside the Updates Environment Management component associated with the Environment Management Hub (PSEMHUB).
Oracle confirmed that PeopleTools versions 8.61 and 8.62 are affected. Older unsupported versions are also suspected to be vulnerable, potentially expanding the number of exposed systems worldwide.
What makes this vulnerability particularly dangerous is its simplicity. Unlike many enterprise attacks that require phishing emails, stolen credentials, or insider assistance, this flaw allows direct compromise over HTTP connections. Once exploited, attackers can execute commands, establish persistence, move laterally through networks, and access sensitive databases.
For organizations managing student records, employee information, financial data, and government-related records, the consequences can be devastating.
Attack Infrastructure Accidentally Exposed
One of the most unusual aspects of this investigation emerged when the attackers themselves exposed operational infrastructure.
Researcher @nahamike01 identified publicly accessible directories connected to the operation. This accidental exposure provided investigators with a rare opportunity to examine the tools and techniques used during the campaign.
Mandiant analysts discovered multiple sequential IP addresses operating Python SimpleHTTP servers on port 8888. These servers contained staging materials that revealed extensive details about the attack workflow.
Among the exposed files were shared command histories, customized MeshCentral remote administration agents disguised as Microsoft Azure components, and scripts specifically designed for lateral movement inside compromised environments.
The incident highlights how even sophisticated threat actors can make operational security mistakes that ultimately assist investigators.
Fake Azure Infrastructure Used for Command and Control
Investigators discovered that compromised systems communicated with a command-and-control domain named azurenetfiles.net.
The domain was intentionally crafted to resemble
This type of infrastructure impersonation has become increasingly common among advanced cybercriminal groups. By mimicking trusted cloud services, attackers can blend malicious traffic into normal enterprise network activity.
Such deception significantly complicates detection efforts, especially within large organizations where cloud-related traffic is constant and expected.
Lateral Movement and Internal Expansion
The attackers deployed a script identified as “[victim]_fanout.sh” to expand access throughout compromised networks.
The script attempted SSH-based lateral movement by systematically testing a hardcoded collection of usernames and passwords against internal systems. It gathered target information directly from host configuration files and attempted to spread rapidly across available infrastructure.
As part of the process, attackers left a marker file named “README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT” within PeopleSoft directories.
Evidence also suggests that stolen information was compressed using zstd before being transferred through outbound SSH connections toward infrastructure linked to the public mirror of the ShinyHunters leak platform.
The automation observed in this operation indicates a highly organized campaign designed for scale rather than isolated attacks.
Universities Become the Primary Victims
Educational institutions emerged as the most heavily targeted sector during the campaign.
According to Mandiant, more than 100 organizations were notified after investigators identified vulnerable endpoints connected to active exploitation.
Approximately 68 percent of those organizations belonged to the higher education sector, with the majority located in the United States.
Universities represent attractive targets because they maintain enormous databases containing personal information, academic records, financial details, and research data. Many institutions also operate complex IT environments with limited cybersecurity budgets compared to large commercial enterprises.
This combination creates a valuable target profile for extortion-focused groups.
University of Nottingham Confirms Data Breach
One of the first publicly confirmed victims is the University of Nottingham.
Data breach monitoring services reported approximately 455,000 unique email addresses appearing within leaked datasets associated with the incident.
The exposed information reportedly includes names, addresses, telephone numbers, passport details, ethnicity-related records, disability information, and student-related data.
The university has acknowledged the breach, making it one of the earliest verified cases linked to the campaign.
The scale of the exposure demonstrates how a single vulnerable ERP platform can become a pathway to enormous amounts of sensitive information.
Oracle’s Emergency Mitigation Recommendations
Oracle has advised customers to immediately restrict exposure of the Environment Management Hub service.
For multi-server environments, organizations are encouraged to disable the service entirely. Single-server deployments may require removal of the PSEMHUB application component.
Where complete removal is not possible, administrators should block external access to critical endpoints including:
/PSEMHUB/
/PSEMHUB/hub
/PSIGW/HttpListeningConnector
Security experts emphasize that these restrictions do not interfere with normal user activity, making them practical emergency mitigation measures.
Organizations should also deploy official Oracle updates as soon as they become available through supported channels.
Indicators of Existing Compromise
Security teams are being urged to actively investigate PeopleSoft environments for evidence of prior intrusion.
Key warning signs include unusual POST requests targeting PSEMHUB endpoints, unexpected JSP files within web application directories, and newly created folders with suspicious names such as logs, persistantstorage, or scratchpad.
Investigators also recommend checking XML configuration files for unauthorized modifications that may enable persistence after system restarts.
Another critical indicator is outbound SMB traffic on port 445 originating from PeopleSoft servers and directed toward external destinations. Such activity may indicate attempts to capture NetNTLM authentication hashes during exploitation.
These indicators provide defenders with valuable opportunities to detect attacks before extortion demands arrive.
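As an added example (not code from the article, Oracle, or Mandiant), the following Python turns the endpoint block list from Oracle's mitigation section and the web and filesystem indicators above into two checks: one flags requests to the endpoints that must not be externally reachable in a constructed access-log sample, the other spots the listed JSP and folder names in a constructed directory listing. The log lines, the web root path and the file names are assumptions.

```python
import re
from pathlib import PurePosixPath

# Endpoints Oracle's guidance says must not be reachable from the internet.
BLOCKED_PREFIXES = ("/PSEMHUB/", "/PSIGW/HttpListeningConnector")
# Folder names the indicators list as artefacts ("persistantstorage" is the attacker's spelling).
SUSPICIOUS_DIRS = {"logs", "persistantstorage", "scratchpad"}
# Common log format: client ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def should_block(path):
    """True when a request path hits an endpoint that must not be externally reachable."""
    return path.startswith(BLOCKED_PREFIXES)  # a tuple argument matches any of the prefixes

def triage_access_log(lines):
    """Rows (client, method, path, status, severity) for requests to blocked endpoints; POST, the method the indicators call out, is rated high, anything else low."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and should_block(m["path"]):
            sev = "high" if m["method"] == "POST" else "low"
            hits.append((m["ip"], m["method"], m["path"], int(m["status"]), sev))
    return hits

def triage_paths(paths):
    """Flag JSP files and the suspicious folder names under the web tree ('logs' is noisy: review only entries new in the exploitation window)."""
    findings = []
    for p in paths:
        pp = PurePosixPath(p)
        if pp.suffix.lower() == ".jsp":
            findings.append(("jsp", p))
        elif pp.name in SUSPICIOUS_DIRS:
            findings.append(("dir", p))
    return findings

# Constructed sample data, not real logs; the web root is a hypothetical path.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jun/2026:10:15:01 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512',
    '198.51.100.22 - - [01/Jun/2026:10:16:44 +0000] "GET /psp/ps/EMPLOYEE/HRMS/h/ HTTP/1.1" 200 8312',
    '203.0.113.7 - - [01/Jun/2026:10:17:09 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 231',
    '192.0.2.5 - - [01/Jun/2026:10:18:00 +0000] "GET /PSEMHUB/ HTTP/1.1" 404 0',
]
SAMPLE_PATHS = [
    "/srv/peoplesoft/webapp/PORTAL.war/index.html",
    "/srv/peoplesoft/webapp/PORTAL.war/cmd.jsp",
    "/srv/peoplesoft/webapp/PSEMHUB.war/persistantstorage",
]

if __name__ == "__main__":
    print(triage_access_log(SAMPLE_LOG), triage_paths(SAMPLE_PATHS), sep="\n")
```

Feed real access logs to triage_access_log and the output of a find over the web application directory to triage_paths; any high-severity row from a source address outside your own ranges is worth a full investigation.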
A Significant Evolution in ShinyHunters Operations
Historically, ShinyHunters has been associated with credential theft, social engineering, token abuse, cloud service compromise, and attacks against SaaS platforms.
Recent incidents involving Salesforce ecosystems, educational platforms, and identity systems demonstrated the group’s focus on harvesting large volumes of personal information.
However, exploiting a sophisticated server-side ERP vulnerability represents a notable escalation in capability.
Whether the group independently acquired the zero-day, purchased access from another actor, or partnered with technically advanced specialists remains unclear.
What is clear is that the operation demonstrates a level of technical sophistication beyond many previous campaigns attributed to the group.
What Undercode Says:
The most important takeaway from this incident is not the vulnerability itself but the operational shift it represents.
For years, cybercriminal groups have increasingly preferred identity attacks because they are cheaper, easier, and less risky than developing zero-day exploits.
Groups like ShinyHunters became successful through credential theft, phishing campaigns, token abuse, and exploitation of weak access controls.
This attack changes that narrative.
A successful ERP zero-day campaign requires significantly greater planning and technical expertise.
The attackers selected a target category rich in sensitive information.
Universities contain decades of student records.
They contain financial aid information.
They contain passport data.
They contain research projects.
They contain employee information.
They often operate decentralized IT environments.
This makes them ideal targets for extortion.
The exposed attacker infrastructure also tells an important story.
Sophisticated adversaries still make mistakes.
The accidental exposure of command histories and attack tools provided defenders with intelligence that would normally remain hidden.
The use of fake Azure-themed infrastructure demonstrates a growing trend among threat actors.
Cloud impersonation is becoming a preferred method of hiding malicious communications.
The fanout script reveals another key detail.
The attackers expected weak internal credentials.
They designed automation around password spraying and lateral movement.
This suggests they anticipated poor internal segmentation.
Organizations often focus heavily on perimeter defense while ignoring internal trust relationships.
Once attackers gain a foothold, movement becomes relatively easy.
Another notable observation is the timing.
The attacks occurred before Oracle publicly disclosed the issue.
This means defenders were operating blind.
Traditional patch management cannot protect against vulnerabilities that have not yet been announced.
This highlights the importance of exposure reduction strategies.
Services that do not require internet access should never be internet accessible.
Attack surface management is becoming just as important as vulnerability management.
The education sector should view this event as a warning.
Many universities still maintain legacy ERP deployments with complex architectures and limited security monitoring.
Threat actors understand this reality.
Future attacks will likely continue targeting educational institutions because the return on investment remains extremely attractive.
The larger cybersecurity community should also pay attention to the evolution of extortion groups.
Criminal organizations are becoming more technically capable.
The gap between ransomware operators and advanced exploitation specialists is shrinking.
This convergence creates a more dangerous threat landscape where data theft, extortion, credential abuse, and zero-day exploitation increasingly occur within the same operation.
Deep Analysis: Linux and Security Commands for Investigation
Security teams investigating potential compromise may utilize commands such as:
grep "PSEMHUB" access.log                        # requests to the Environment Management Hub endpoints
grep "HttpListeningConnector" access.log         # requests to the Integration Gateway listener
find / -name "*.jsp" 2>/dev/null                 # JSP files anywhere on disk (quote the glob so the shell does not expand it)
find / -type d \( -name logs -o -name scratchpad -o -name persistantstorage \) 2>/dev/null   # folder names from the indicators
netstat -antp                                    # established connections with owning processes
ss -tulpn                                        # listening sockets
lsof -i :445                                     # processes using SMB
grep -R "XMLDecoder" /var/www/                   # suspicious deserialization references in web content
find / -mtime -30 2>/dev/null                    # files modified in the last 30 days, covering the exploitation window
cat /etc/hosts                                   # host configuration file; the fanout script reportedly read targets from such files
lastlog                                          # last login per account
journalctl -xe                                   # recent system journal entries
tail -f access.log                               # live web access log
tail -f security.log                             # live security log
zgrep POST *.gz                                  # POST requests in rotated, compressed logs
tcpdump -i any port 445                          # outbound SMB traffic from the PeopleSoft host
iptables -L -n                                   # current firewall rules
ufw status verbose                               # ufw firewall state, where used
ps aux                                           # running processes
crontab -l                                       # scheduled jobs that may provide persistence
systemctl list-units --type=service              # services, including any added by an attacker
sha256sum suspicious_file.jsp                    # hash a suspect file for comparison and reporting
These commands can help administrators identify unusual activity, unauthorized files, suspicious network connections, and indicators associated with the reported attack chain.
✅ Oracle confirmed the existence of CVE-2026-35273 affecting PeopleSoft PeopleTools and issued mitigation guidance.
✅ Google’s Mandiant publicly reported active exploitation activity and linked the campaign to the UNC6240 threat cluster.
✅ The University of Nottingham confirmed a breach associated with leaked data, making at least one victim attribution independently verified.
❌ Claims that all organizations listed by ShinyHunters have been successfully compromised remain unverified.
❌ The full number of affected organizations is not publicly confirmed, and some victim claims may still be under investigation.
❌ It remains unclear whether ShinyHunters developed, purchased, borrowed, or partnered to obtain access to the zero-day exploit.
Prediction
(+1) More universities will publicly disclose compromises as forensic investigations continue and additional victims are identified.
(+1) Oracle customers will rapidly restrict internet exposure of PeopleSoft management components, reducing future exploitation opportunities.
(+1) Security vendors will release enhanced detection signatures focused on PSEMHUB abuse and related attacker infrastructure.
(-1) Additional victim data may appear on leak platforms before all affected organizations complete incident response activities.
(-1) Copycat threat actors may attempt to replicate the attack methodology against unpatched PeopleSoft environments.
(-1) Enterprise ERP platforms will become increasingly attractive targets for extortion groups seeking large, centralized datasets.
References:
Reported By: thehackernews.com