1. Executive summary
The Council of Europe has confirmed it is investigating a breach in which the ShinyHunters extortion crew claims to have stolen more than 297 GB of data (429,000 files) including HR records, payslips, purchase orders, CVs, salary, banking, tax and medical records. The intrusion is part of a wider campaign exploiting CVE-2026-35273, a critical (CVSS 9.8) unauthenticated remote code execution flaw in the Oracle PeopleSoft Environment Management component (PSEMHUB), which is listed in CISA KEV (added 2026-06-12) and was actively exploited as a zero-day between 27 May and 9 June 2026. Mandiant/GTIG attribute the activity to UNC6240 and have notified more than 100 affected organisations globally, of which 68% are in higher education. Oracle released mitigations on 10 June 2026 and a subsequent patch; the Council of Europe incident is the latest in a series that also includes the University of Nottingham, Instructure (Canvas) and Infinite Campus. Bottom-line risk for EMEA financial services: any in-scope entity running PeopleSoft Enterprise PeopleTools — directly or via a third-party HR/payroll provider — must treat this as a P1 exposure until patched and forensically cleared.
2. Regulatory framing
| Article | Trigger (fact in this item) | Practical impact |
|---|---|---|
| DORA Art. 17 | Council of Europe breach and parallel compromises of 100+ orgs demonstrate an active ICT-related incident requiring a documented incident management process. | Financial entities running PeopleSoft must activate their ICT incident management process now; capture timeline, scope, containment and eradication steps. |
| DORA Art. 18 | Theft of HR, payroll, banking and medical records from a major institution requires formal classification of the ICT-related incident and cyber threat. | Classify severity, document the cyber-threat picture (UNC6240/ShinyHunters, CVE-2026-35273) and tag for reporting triage. |
| DORA Art. 19 | A major ICT-related incident (mass exfiltration of payroll/HR data) triggers competent-authority reporting. | Prepare initial notification within statutory window; preserve evidence and root-cause analysis for follow-up reporting. |
| DORA Art. 28 | Oracle PeopleSoft is a third-party ICT service provider; the zero-day sits in a vendor product. | Re-evaluate third-party risk records for Oracle PeopleSoft; confirm contractual notification and audit rights. |
| DORA Art. 29 | Oracle PeopleSoft is a widely deployed ICT concentration point across HR/payroll. | Assess concentration risk; identify single points of failure and substitute providers where feasible. |
| DORA Art. 30 | Vendor patch and mitigation handling must be reflected in contractual provisions. | Verify Oracle contract supports timely patching, mitigation deployment and incident cooperation. |
| NIS2 Art. 21(2)(d) | Supply-chain compromise via a vendor product (Oracle PeopleSoft) exploited in the wild. | Apply supply-chain security measures: inventory, patch SLA, vendor security attestation, segmentation. |
| NIS2 Art. 23 | Major incident with potential significant impact requires reporting to the competent authority/CSIRT. | Trigger incident reporting workflow; align with DORA Art. 19 reporting where both apply. |
| UK NIS 2018 | Council of Europe and UK higher-education victims indicate OES/RDSP exposure (e.g. universities, public-sector bodies). | Confirm OES/RDSP status; ensure incident reporting to the UK NCSC under UK NIS 2018 duties. |
3. Technical analysis & attack chain
- Initial access — exploitation of CVE-2026-35273 in PSEMHUB. Unauthenticated remote attacker sends crafted HTTP traffic to the PeopleSoft Environment Management component (PSEMHUB) and achieves remote code execution. The flaw is CWE-306 (Missing Authentication for Critical Function) and is rated CVSS 9.8 / CRITICAL; it is listed in CISA KEV (added 2026-06-12) with EPSS 1%.
- Staging infrastructure stood up (27 May 2026, 22:14 UTC). Attackers installed MeshCentral remote management server (version 1.1.59) on five sequential IPs — 142.11.200.186, 142.11.200.187, 142.11.200.188, 142.11.200.189, 142.11.200.190 — and ran Python SimpleHTTPServer on port 8888 to expose staging directories.
- Custom RAT deployment. Staged pre-configured Windows MeshCentral agent binaries masquerading as Microsoft Azure services: meshagent32-azure-ops.exe, meshagent64-azure-ops.exe, meshagent64-v2.exe. A Linux meshagent binary was also staged and configured dynamically via command-line parameters. Agents are hardcoded to communicate with wss://azurenetfiles.net:443/agent.ashx (domain chosen to mimic legitimate Microsoft Azure NetApp Files endpoints).
- Lateral movement and data collection. A custom script [victim_abbreviation]_fanout.sh is used for lateral movement and defacement. Operators run administrative command queries against PeopleSoft HCM/HR modules to enumerate and exfiltrate HR, payroll, billing and student records.
- Data leak / extortion. Stolen data is published on the ShinyHunters Data Leak Site (DLS) on 9 June 2026 and subsequently. The Council of Europe incident reportedly involves 297 GB / 429,000 files including payslips, purchase orders, CVs, salary, banking, tax and medical records.
- Observed impact to date. Council of Europe (this advisory); University of Nottingham (~454,600 current/former students, 40 GB); Instructure Canvas (~275M students/teachers/staff); Infinite Campus (~137,000 individuals). Mandiant/GTIG notified 100+ organisations; 68% are in higher education.
Vulnerability mechanism. CVE-2026-35273 is an unauthenticated RCE in the Environment Management component (PSEMHUB) of PeopleSoft Enterprise PeopleTools, reachable over HTTP. Oracle released mitigations on 10 June 2026 and a subsequent patch; the vulnerability was exploited as a zero-day prior to the 10 June advisory.
Persistence & C2. MeshCentral agents provide persistent remote access. C2 is over WebSocket Secure to wss://azurenetfiles.net:443/agent.ashx. The masquerading tactic (Azure-themed filenames and domain) is intended to evade casual inspection.
Privilege escalation / lateral movement. The MeshCentral agent runs with administrative privileges on compromised hosts; [victim_abbreviation]_fanout.sh propagates access across the PeopleSoft estate and adjacent Windows/Linux infrastructure.
Data access / exfiltration. Direct read of PeopleSoft HCM/HR databases and file shares; bulk download via MeshCentral agent or staging server.
Unconfirmed / single-sourced claims. The attribution to "ShinyHunters" is unconfirmed: the actor has no MITRE ATT&CK profile in the verified reference data, so the UNC6240 / ShinyHunters label should be treated as unconfirmed until corroborated by independent reporting. Oracle has not publicly confirmed the patch status of CVE-2026-35273 at the time of writing.
4. Mitigation & containment
P1 — within 24 hours
- Isolate any internet-exposed PeopleSoft Enterprise PeopleTools / PSEMHUB endpoints from the public internet at the network edge (firewall / WAF block on HTTP/HTTPS to PSEMHUB).
- Apply Oracle's published mitigations for CVE-2026-35273 immediately if the patch is not yet deployable in your change window.
- Hunt for the named MeshCentral agent binaries (meshagent32-azure-ops.exe, meshagent64-azure-ops.exe, meshagent64-v2.exe) and the lateral-movement script pattern *_fanout.sh on every PeopleSoft host and adjacent Windows/Linux estate.
- Block C2 destination azurenetfiles.net and the staging IP range 142.11.200.186–142.11.200.190 at the perimeter and in EDR DNS/IP rules.
- Disable any MeshCentral agent processes and remove the MeshCentral server (version 1.1.59) if found on infrastructure.
P2 — within 72 hours
- Patch Oracle PeopleSoft to the vendor fix for CVE-2026-35273; record version in the configuration management database.
- Rotate all credentials, service accounts and integration/API keys with access to PeopleSoft HCM/HR and downstream payroll systems.
- Review outbound traffic logs for connections to wss://azurenetfiles.net:443/agent.ashx and to port 8888 on the staging IP range.
- Engage Oracle support to confirm patch level and request post-patch integrity attestation.
P3 — within 7 days
- Re-assess third-party risk for Oracle PeopleSoft under DORA Art. 28–30; document concentration risk under DORA Art. 29.
- Tabletop the incident under DORA Art. 24 testing programme; validate reporting workflow under DORA Art. 19 / NIS2 Art. 23.
- Harden PeopleSoft: restrict PSEMHUB to trusted management networks, enforce MFA on administrative consoles, enable detailed HTTP access logging, and segment PeopleSoft application tiers from general corporate networks.
5. Indicators of compromise
| Type | Value | Confidence | Source |
|---|---|---|---|
| domain | azurenetfiles.net | High | Mandiant/GTIG |
| url | wss://azurenetfiles.net:443/agent.ashx | High | Mandiant/GTIG |
| ipv4 | 142.11.200.186 | High | Mandiant/GTIG |
| ipv4 | 142.11.200.187 | High | Mandiant/GTIG |
| ipv4 | 142.11.200.188 | High | Mandiant/GTIG |
| ipv4 | 142.11.200.189 | High | Mandiant/GTIG |
| ipv4 | 142.11.200.190 | High | Mandiant/GTIG |
| filename | meshagent32-azure-ops.exe | High | Mandiant/GTIG |
| filename | meshagent64-azure-ops.exe | High | Mandiant/GTIG |
| filename | meshagent64-v2.exe | High | Mandiant/GTIG |
| filename_pattern | *_fanout.sh | High | Mandiant/GTIG |
| tool | MeshCentral server version 1.1.59 | High | Mandiant/GTIG |
| port | 8888/tcp (Python SimpleHTTPServer staging) | High | Mandiant/GTIG |
6. Detection
```yara
rule AT_ShinyHunters_PeopleSoft_PSEMHUB_Toolkit
{
    meta:
        author = "Adverse Trace"
        date = "2026-06-15"
        description = "Detects artefacts associated with the ShinyHunters/UNC6240 PeopleSoft PSEMHUB campaign exploiting CVE-2026-35273"
        reference = "https://cloud.google.com/blog/topics/threat-intelligence/shinyhunters-targets-education-sector-oracle-exploit/"
    strings:
        $fn1 = "meshagent32-azure-ops.exe" ascii nocase
        $fn2 = "meshagent64-azure-ops.exe" ascii nocase
        $fn3 = "meshagent64-v2.exe" ascii nocase
        $fn4 = "meshagent" ascii nocase
        $dom = "azurenetfiles.net" ascii nocase wide
        $c2 = "agent.ashx" ascii nocase wide
        $fan = "_fanout.sh" ascii nocase
        $meshver = "MeshCentral" ascii nocase
    condition:
        3 of ($fn1,$fn2,$fn3,$fn4,$dom,$c2,$fan,$meshver)
}
```
```yaml
title: PeopleSoft PSEMHUB MeshCentral Agent Deployment (CVE-2026-35273)
id: at-2026-06-15-103
status: experimental
description: >
  Detects staging or execution of MeshCentral agents named with Azure-themed
  suffixes, lateral-movement fanout scripts, or outbound C2 to azurenetfiles.net,
  consistent with exploitation of CVE-2026-35273 in Oracle PeopleSoft PSEMHUB.
author: Adverse Trace
date: 2026-06-15
references:
  - https://cloud.google.com/blog/topics/threat-intelligence/shinyhunters-targets-education-sector-oracle-exploit/
logsource:
  category: process_creation
  product: windows
detection:
  selection_image:
    Image|endswith:
      - '\meshagent32-azure-ops.exe'
      - '\meshagent64-azure-ops.exe'
      - '\meshagent64-v2.exe'
  selection_cmdline:
    CommandLine|contains:
      - 'meshagent'
      - '_fanout.sh'
  selection_network:
    CommandLine|contains:
      - 'azurenetfiles.net'
      - 'agent.ashx'
  condition: selection_image or selection_cmdline or selection_network
falsepositives:
  - Legitimate Azure NetApp Files management tooling (rare)
level: high
---
title: Outbound C2 to azurenetfiles.net on port 443
id: at-2026-06-15-103-c2
status: experimental
description: >
  Detects outbound WebSocket Secure connections to azurenetfiles.net, the C2 used
  by the ShinyHunters/UNC6240 MeshCentral agents deployed via CVE-2026-35273.
author: Adverse Trace
date: 2026-06-15
references:
  - https://cloud.google.com/blog/topics/threat-intelligence/shinyhunters-targets-education-sector-oracle-exploit/
logsource:
  category: firewall
detection:
  selection:
    dst_host: 'azurenetfiles.net'
    dst_port: 443
  condition: selection
falsepositives:
  - None expected; legitimate Microsoft Azure NetApp Files endpoints do not use this domain.
level: high
```
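As an added hunting example (not part of this advisory, of Oracle's guidance or of Mandiant/GTIG tooling), the following Python script applies the section 5 indicators and the logic of the Sigma rules above to process-creation and firewall records, covering both the P1 binary/script hunt and the P2 outbound-traffic review. The record field names (type, Image, CommandLine, dst_host, dst_ip, dst_port), the sample events and the victim abbreviation "acme" are assumptions.

```python
import re

# Indicators quoted from the advisory's IoC table (Mandiant/GTIG).
C2_DOMAIN, C2_PATH = "azurenetfiles.net", "agent.ashx"
AGENT_NAMES = {"meshagent32-azure-ops.exe", "meshagent64-azure-ops.exe", "meshagent64-v2.exe"}
FANOUT_RE = re.compile(r"[\w-]*_fanout\.sh")  # [victim_abbreviation]_fanout.sh
STAGING_IPS = {f"142.11.200.{n}" for n in range(186, 191)}  # .186 to .190 inclusive
STAGING_PORT = 8888  # Python SimpleHTTPServer exposing staging directories

def match_process(event):
    """Hit labels for a process-creation record (assumed keys: Image, CommandLine)."""
    hits = []
    image = event.get("Image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    if image in AGENT_NAMES:
        hits.append("agent_image")
    cmd = event.get("CommandLine", "").lower()
    if "meshagent" in cmd or FANOUT_RE.search(cmd):
        hits.append("agent_or_fanout_cmdline")
    if C2_DOMAIN in cmd or C2_PATH in cmd:
        hits.append("c2_in_cmdline")
    return hits

def match_network(event):
    """Hit labels for a firewall/flow record (assumed keys: dst_host, dst_ip, dst_port)."""
    hits = []
    host = event.get("dst_host", "").lower().rstrip(".")
    if host == C2_DOMAIN and event.get("dst_port") == 443:
        hits.append("c2_websocket")  # wss://azurenetfiles.net:443/agent.ashx
    if event.get("dst_ip") in STAGING_IPS:
        hits.append("staging_ip")
        if event.get("dst_port") == STAGING_PORT:
            hits.append("staging_http_8888")
    return hits

def hunt(events):
    """Return (index, hits) for every record matching at least one indicator."""
    scored = [(i, match_process(ev) if ev.get("type") == "process" else match_network(ev))
              for i, ev in enumerate(events)]
    return [(i, h) for i, h in scored if h]

# Constructed sample records for a stand-alone run; "acme" is a placeholder victim abbreviation.
SAMPLE_EVENTS = [
    {"type": "process", "Image": r"C:\ProgramData\meshagent64-azure-ops.exe", "CommandLine": "meshagent64-azure-ops.exe -fullinstall"},
    {"type": "process", "Image": "/usr/bin/bash", "CommandLine": "bash /tmp/acme_fanout.sh"},
    {"type": "process", "Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"type": "network", "dst_host": "azurenetfiles.net", "dst_ip": "203.0.113.7", "dst_port": 443},
    {"type": "network", "dst_host": "", "dst_ip": "142.11.200.188", "dst_port": 8888},
    {"type": "network", "dst_host": "files.core.windows.net", "dst_ip": "203.0.113.9", "dst_port": 443},
]
```

Feed exported EDR process events and firewall flow logs into hunt() after mapping them to the assumed keys; any non-empty result warrants the P1 isolation steps above.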
CVE assessment
1 referenced CVE — 1 actively exploited (CISA KEV), 1 critical (CVSS ≥ 9.0)
| CVE | CVSS | Exploited | EPSS | Summary |
|---|---|---|---|---|
| CVE-2026-35273 | 9.8 Critical | ⚠ KEV 2026-06-12 | 1% | Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management)… |
7. Sources
- The Register — Council of Europe hacked in ShinyHunters' PeopleSoft heist — https://www.theregister.com/cyber-crime/2026/06/15/council-of-europe-hacked-in-shinyhunters-peoplesoft-heist/5255757 — 2026-06-15
- The Register — ShinyHunters claims it hacked 100 orgs by exploiting an Oracle PeopleSoft 0-day — https://www.theregister.com/cyber-crime/2026/06/11/shinyhunters-claims-oracle-peoplesoft-0-day-hit-100-orgs/5254443 — 2026-06-11
- Mandiant/Google Cloud — ShinyHunters Targets Education Sector with Oracle PeopleSoft Exploit — https://cloud.google.com/blog/topics/threat-intelligence/shinyhunters-targets-education-sector-oracle-exploit/ — 2026-06
- BleepingComputer — Oracle mitigates PeopleSoft zero-day exploited in data theft attacks — https://www.bleepingcomputer.com/news/security/oracle-mitigates-peoplesoft-zero-day-exploited-in-data-theft-attacks/ — 2026-06
- BleepingComputer — Oracle PeopleSoft servers hacked in ShinyHunters data theft attacks — https://www.bleepingcomputer.com/news/security/oracle-peoplesoft-servers-hacked-in-shinyhunters-data-theft-attacks/ — 2026-06
- Cybersecurity Dive — ShinyHunters linked to exploitation of critical flaw in Oracle PeopleSoft — https://www.cybersecuritydive.com/news/shinyhunters-exploitation-critical-flaw-oracle-peoplesoft/822796/ — 2026-06
- SecurityWeek — Oracle Addresses PeopleSoft Vulnerability Amid Reports of Zero-Day Attacks — https://www.securityweek.com/oracle-addresses-peoplesoft-vulnerability-amid-reports-of-zero-day-attacks/ — 2026-06
8. Adverse Trace position
Severity: CRITICAL (CVSS 9.8; CISA KEV listed; active mass exploitation). CVE-2026-35273 is an unauthenticated RCE in a widely deployed enterprise HR/payroll platform, with confirmed mass exploitation across 100+ organisations and a live extortion pipeline (ShinyHunters DLS). Any EMEA financial-services entity running PeopleSoft Enterprise PeopleTools — directly or via a third-party HR/payroll outsourcer — must treat this as a P1 exposure: apply Oracle's mitigations within 24 hours, deploy the patch as soon as change windows allow, hunt for the named MeshCentral artefacts and the *_fanout.sh script, block azurenetfiles.net and the staging IP range, and reassess third-party / concentration risk under DORA Art. 28–30. Attribution to "ShinyHunters" / UNC6240 remains unconfirmed in the verified reference data and should be treated as such. Next steps from Adverse Trace: we will continue to monitor for Oracle patch confirmation, additional victim disclosures, and any C2 infrastructure rotation; a follow-up advisory will be issued if new IOCs, lateral-movement tooling or DORA/NIS2 reporting triggers emerge.
Published via PulseTrace — Adverse Trace threat intelligence.