ShinyHunters breached universities through an Oracle PeopleSoft zero-day

The data extortion group ShinyHunters quietly exploited a zero-day flaw in Oracle PeopleSoft to target more than 100 organizations, the majority of them universities and colleges, and has begun leaking the stolen data, according to Mandiant and Google Threat Intelligence Group (GTIG).

The campaign, tracked by GTIG as UNC6240, ran from May 27 to June 9, 2026 and abused CVE-2026-35273, a critical (severity 9.8) remote code execution bug in the Environment Management component of PeopleSoft. Because the activity began before Oracle's June 10 advisory, the attackers were exploiting it as a zero-day, meaning no patch existed while the intrusions were underway.

Who was hit

GTIG said it notified more than 100 organizations whose internet-facing endpoints looked vulnerable. Most were based in the United States, and 68 percent were in the higher education sector. Some recipients blocked or remediated the activity in time. Others were compromised, and their data has since appeared on the ShinyHunters data leak site, where the group pressures victims into paying.

How the attack worked

The break came when researcher @nahamike01 flagged open directories the attackers had left exposed on five sequential staging servers. Inside, GTIG found pre-built MeshCentral remote management agents disguised as Microsoft Azure tooling, with filenames like meshagent64-azure-ops.exe, that beaconed to a command and control server at wss://azurenetfiles[.]net:443/agent.ashx. The domain azurenetfiles[.]net was registered to mimic legitimate Azure NetApp Files endpoints. Command histories left on the servers showed the attackers mapping PeopleSoft and WebLogic configuration files and running a custom defacement and lateral movement script. The full GTIG analysis is available in the original report.

What you should do

Organizations running Oracle PeopleSoft should apply Oracle's June 10 advisory updates immediately and treat any unpatched, internet-exposed Environment Management Hub (PSEMHUB) endpoint as a likely target. Defenders should hunt for unexpected MeshCentral agents and the indicators below, and review PeopleSoft and WebLogic systems for unauthorized access dating back to late May.
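One way to run that hunt over endpoint or proxy telemetry, shown as an added example that is not part of the GTIG report or this briefing. It matches the C2 domain, the /agent.ashx path from the beacon URL and the meshagent filename pattern quoted above; the record layout, host names, the generalised filename pattern and the allowlist of sanctioned MeshCentral servers are assumptions.

```python
import re
from urllib.parse import urlsplit

# Indicators quoted in the briefing (defanged there; refanged here for matching only).
C2_DOMAIN = "azurenetfiles[.]net".replace("[.]", ".")
AGENT_PATH = "/agent.ashx"
# Assumption: "filenames like meshagent64-azure-ops.exe" generalised to meshagent*.exe.
AGENT_NAME = re.compile(r"(?:^|[\\/])meshagent[\w.-]*\.exe$", re.IGNORECASE)
# Hypothetical allowlist of MeshCentral servers your own IT team operates.
SANCTIONED_MESH_HOSTS = {"mesh.it.example.edu"}

def host_matches(host, domain):
    """True for the domain or any subdomain, False for look-alike suffixes."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def classify(image, url):
    """Return the reasons one (process image, destination URL) pair is suspicious."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    sanctioned = host in SANCTIONED_MESH_HOSTS
    reasons = []
    if host_matches(host, C2_DOMAIN):
        reasons.append("c2-domain")
    if parts.path.lower() == AGENT_PATH and not sanctioned:
        reasons.append("unsanctioned-meshcentral-endpoint")
    if AGENT_NAME.search(image) and not sanctioned:
        reasons.append("meshagent-binary")
    return reasons

def hunt(records):
    """Map each source host to the sorted set of reasons seen across its records."""
    hits = {}
    for src, image, url in records:
        for reason in classify(image, url):
            hits.setdefault(src, set()).add(reason)
    return {src: sorted(reasons) for src, reasons in hits.items()}

# Constructed sample telemetry (not real logs): source host, process image, destination.
SAMPLE = [
    ("psft-web01", r"C:\Temp\meshagent64-azure-ops.exe", f"wss://{C2_DOMAIN}:443/agent.ashx"),
    ("psft-app02", r"C:\Windows\System32\svchost.exe", "wss://relay.example.org/agent.ashx"),
    ("helpdesk07", r"C:\Mesh Agent\MeshAgent.exe", "wss://mesh.it.example.edu/agent.ashx"),
    ("lab-pc11", r"C:\Tools\curl.exe", f"https://{C2_DOMAIN}.example.com/index.html"),
]

if __name__ == "__main__":
    for src, reasons in hunt(SAMPLE).items():
        print(src, reasons)
```

Hosts that reach an agent endpoint outside the allowlist are reported even when the domain is new, so the check still fires if the operators rotate infrastructure.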

Indicators of compromise

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.
