
ShinyHunters Targets Education Sector with Oracle PeopleSoft Exploit

Jeff Davies, 11 Jun 2026

1. Executive summary

Threat actor UNC6240 (attributed publicly to "ShinyHunters") is actively exploiting CVE-2026-35273, a critical remote code execution vulnerability (CVSS 9.8) in Oracle PeopleSoft Environment Management Hub (PSEMHUB), to compromise enterprise HR and student data systems. The campaign, observed between May 27 and June 9, 2026, utilizes zero-day exploitation to deploy customized MeshCentral agents for lateral movement and data exfiltration, with 68% of targeted organizations located in the higher education sector. While the actor attribution lacks a formal MITRE ATT&CK profile and remains unconfirmed by standard taxonomy, the technical indicators confirm a sophisticated supply-chain style attack leveraging administrative endpoints. EMEA financial services institutions running Oracle PeopleSoft face immediate risk of unauthenticated remote compromise and data theft, necessitating urgent network segmentation of PSEMHUB endpoints and application of Oracle mitigations.

2. Regulatory framing

| Article | Trigger (the fact in this item) | Practical impact |
|---|---|---|
| DORA Art. 17 | Active exploitation of CVE-2026-35273 resulting in unauthorized access and data theft. | Financial entities must activate their ICT-related incident management process to contain the threat and assess impact on critical functions. |
| DORA Art. 18 | Exploitation of a CVSS 9.8 vulnerability leading to data exfiltration and potential service disruption. | Entities must classify the incident based on criteria including the number of users affected and the criticality of the service (PeopleSoft HR/Payroll). |
| DORA Art. 19 | Confirmation of major data theft (e.g., 40GB stolen from a single university) and potential systemic risk if widely exploited. | If classified as a "major" ICT-related incident, immediate reporting to the competent authority is required within strict timelines. |
| DORA Art. 24 | Discovery of a zero-day vulnerability in core infrastructure (Oracle PeopleSoft). | Entities must ensure their digital operational resilience testing programs cover such critical third-party components and exploit scenarios. |
| DORA Art. 28 | Compromise of Oracle PeopleSoft, a critical ICT third-party provider service. | Entities must apply general principles of ICT third-party risk management to monitor and respond to vulnerabilities in this key provider. |
| NIS2 Art. 21(2)(d) | Exploitation of vulnerabilities in the supply chain (Oracle PeopleSoft) affecting essential services. | Essential and important entities must implement measures to manage supply chain security risks associated with Oracle software. |
| NIS2 Art. 23 | Successful data theft and system compromise requiring notification. | Entities must notify the relevant CSIRT or competent authority of significant incidents without undue delay. |
| UK NIS 2018 | Impact on Operators of Essential Services (OES) or Relevant Digital Service Providers (RDSP) using PeopleSoft. | OES/RDSP duties require taking appropriate and proportionate measures to manage risks and notify the ICO/NCSC of significant incidents. |

Note: DORA Art. 29 and Art. 30 are not directly engaged by the specific technical facts of this single incident item, though they remain relevant for broader contractual and concentration risk assessments.

3. Technical analysis & attack chain

Attack Chain

  1. Initial Access: Threat actors scan for exposed Oracle PeopleSoft Environment Management Hub (PSEMHUB) endpoints, specifically targeting /PSEMHUB/hub and /PSIGW/HttpListeningConnector. They exploit CVE-2026-35273 (CVSS 9.8, CWE-306: Missing Authentication for Critical Function) to achieve unauthenticated remote code execution (RCE).
  2. Staging & C2 Establishment: Actors deploy a Python SimpleHTTP server on port 8888 on compromised staging hosts (e.g., 142.11.200.186). They install MeshCentral (v1.1.59) and configure custom agents (meshagent32-azure-ops.exe, meshagent64-azure-ops.exe, meshagent64-v2.exe) hardcoded to connect to wss://azurenetfiles.net:443/agent.ashx.
  3. Reconnaissance: Using the MeshCentral CLI utility meshctrl.js, actors execute commands to map the environment. This includes reading /u01/app/psoft/ps_config_homes/csprd/appserv/prcs/psappsrv.cfg to extract hostnames/IPs and inspecting WebLogic config.xml files.
  4. Lateral Movement: Actors write a custom bash script ([victim_abbreviation]_fanout.sh) to /tmp. This script parses /etc/hosts for internal PeopleSoft nodes and performs SSH credential spraying using hardcoded username/password lists.
  5. Defacement & Extortion: Upon successful SSH access, the script drops a marker file named README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT into WebLogic and Process Scheduler directories (e.g., <BASE>/webserv/CSPRD).
  6. Exfiltration: Data is compressed using zstd and exfiltrated. Stolen data is published on the ShinyHunters Data Leak Site (DLS), mirrored at IP 176.120.22.24.

Technical Specifics

  • Vulnerability: CVE-2026-35273 affects the Environment Management component. It allows unauthenticated HTTP POST requests to execute code.
  • Components: Oracle PeopleSoft Enterprise PeopleTools, Environment Management Hub (PSEMHUB), WebLogic Server.
  • Protocols: HTTP/HTTPS (initial exploit), WSS (C2 communication), SSH (lateral movement), SMB (not confirmed in the reporting; monitoring of outbound TCP 445 from PeopleSoft hosts is recommended as a precaution).
  • File Paths:
    • Config: /u01/app/psoft/ps_config_homes/csprd/appserv/prcs/psappsrv.cfg
    • WebLogic Config: config.xml
    • Malicious Script: /tmp/[victim_abbreviation]_fanout.sh
    • Marker File: README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT
    • Webshell Location: <PS_CFG_HOME>/webserv/<domain>/applications/peoplesoft/PSEMHUB.war/ (look for unexpected .jsp files).
    • Persistence Check: <docroot>/envmetadata/data/environment/ (check for malicious .xml files leveraging XMLDecoder).
  • Tools: MeshCentral (v1.1.59), meshctrl.js, acme-client (npm), zstd, sshpass.

Attribution Note: While public reporting attributes this activity to "ShinyHunters" and links it to UNC6240, there is no official MITRE ATT&CK profile for either "ShinyHunters" or "UNC6240" in the verified reference data. Therefore, this attribution is treated as unconfirmed within this advisory, though the TTPs are consistent with known extortion groups.

4. Mitigation & containment

Priority 1 (Within 24h): Containment & Access Restriction

  • Network Blocking: Immediately block external network access to /PSEMHUB/* (specifically /PSEMHUB/hub) and /PSIGW/HttpListeningConnector at the perimeter firewall. Do not rely solely on WAF body-inspection rules.
  • Endpoint Isolation: Isolate any PeopleSoft servers showing signs of compromise (presence of meshagent*.exe, unexpected .jsp files in PSEMHUB.war, or README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT).
  • Log Analysis: Audit PIA WebLogic access logs for HTTP POST requests to the blocked endpoints from external IPs. Monitor outbound traffic for connections to azurenetfiles.net and IP 176.120.22.24.
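The Priority 1 log review and outbound-traffic check, worked through as an added example (not code from the advisory or from Google Cloud). It assumes the PIA access log is in WebLogic's default common log format (client IP first, quoted request line); the log lines and connection records embedded below are constructed for illustration, and the IP, domain and port values come from the IoC table in this advisory.

```python
"""Triage PIA/WebLogic access logs and outbound connection records for the
indicators in this advisory (Priority 1 log analysis step).

Added example, not the advisory's own tooling. Assumes WebLogic's default
common log format; sample data below is constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

# Endpoints the advisory names as the unauthenticated RCE surface.
VULNERABLE_PATHS = ("/PSEMHUB/hub", "/PSIGW/HttpListeningConnector")

# Network indicators from the advisory's IoC table.
IOC_IPS = {
    "142.11.200.186", "142.11.200.187", "142.11.200.188",
    "142.11.200.189", "142.11.200.190", "176.120.22.24",
}
IOC_DOMAINS = {"azurenetfiles.net"}
STAGING_PORT = 8888

# RFC 1918 ranges: the advisory's Priority 1 step flags POSTs from outside them.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Common log format as written by WebLogic, e.g.
# 203.0.113.5 - - [09/Jun/2026:08:02:14 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


@dataclass(frozen=True)
class Hit:
    line_no: int
    client_ip: str
    method: str
    uri: str
    reason: str


def is_private(ip: str) -> bool:
    """True for RFC 1918 addresses; False for public IPs and for hostnames."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in PRIVATE_NETS)


def scan_access_log(lines, include_internal=False):
    """Hits for POSTs to the vulnerable endpoints and for any request from a
    listed IoC address. Internal sources are skipped unless include_internal
    is set (use that when reviewing internal-only logs)."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = CLF_RE.match(line)
        if not m:
            continue  # not CLF; real triage should count and review these
        ip, method, uri = m["ip"], m["method"], m["uri"]
        path = uri.split("?", 1)[0]
        if ip in IOC_IPS:
            hits.append(Hit(n, ip, method, uri, "source IP is a listed IoC"))
        if method == "POST" and any(path.startswith(p) for p in VULNERABLE_PATHS):
            if include_internal or not is_private(ip):
                hits.append(Hit(n, ip, method, uri, "POST to PSEMHUB/PSIGW endpoint"))
    return hits


def scan_outbound(conns):
    """conns: iterable of (src_host, destination, dst_port); destination may be
    an IP or a hostname. Flags IoC destinations, the TCP 8888 staging port, and
    outbound SMB to non-private addresses (the Priority 3 monitoring item)."""
    findings = []
    for src, dst, port in conns:
        d = dst.lower().rstrip(".")
        if d in IOC_IPS or d in IOC_DOMAINS or any(d.endswith("." + x) for x in IOC_DOMAINS):
            findings.append((src, dst, port, "destination is a listed IoC"))
        elif port == STAGING_PORT:
            findings.append((src, dst, port, "TCP 8888 matches the staging server port"))
        elif port == 445 and not is_private(d):
            findings.append((src, dst, port, "outbound SMB to a non-private address"))
    return findings


# Constructed sample data (not from the advisory).
SAMPLE_LOG = [
    '10.20.30.40 - - [09/Jun/2026:08:00:01 +0000] "GET /psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT HTTP/1.1" 200 7321',
    '203.0.113.5 - - [09/Jun/2026:08:02:14 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512',
    '10.20.30.41 - - [09/Jun/2026:08:02:20 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512',
    '142.11.200.186 - - [09/Jun/2026:08:03:02 +0000] "GET /PSIGW/HttpListeningConnector HTTP/1.1" 200 1024',
    '198.51.100.7 - - [09/Jun/2026:08:05:45 +0000] "POST /PSIGW/HttpListeningConnector?x=1 HTTP/1.1" 500 0',
    'garbage line',
]
SAMPLE_CONNS = [
    ("psweb01", "azurenetfiles.net", 443),
    ("psweb01", "10.20.30.50", 445),
    ("psapp02", "176.120.22.24", 443),
    ("psapp02", "142.11.200.187", 8888),
    ("psapp02", "198.51.100.9", 8888),
    ("psapp03", "198.51.100.20", 445),
    ("psapp03", "updates.example.edu", 443),
]

if __name__ == "__main__":
    for h in scan_access_log(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.reason}: {h.client_ip} {h.method} {h.uri}")
    for src, dst, port, why in scan_outbound(SAMPLE_CONNS):
        print(f"{src} -> {dst}:{port}: {why}")
```

Run it against the real log with `scan_access_log(open(path))`; the private-range skip mirrors the Sigma rule's internal filter below, and `include_internal=True` is the switch to use when the log only ever sees internal sources (for perimeter logs every matching POST is worth a look).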

Priority 2 (Within 72h): Remediation & Patching

  • Apply Vendor Patch: Apply the Oracle Critical Patch Update or specific security alert addressing CVE-2026-35273 immediately upon availability. (Note: Oracle has released mitigations; verify patch status with vendor).
  • Filesystem Audit: Scan <PS_CFG_HOME>/webserv/<domain>/applications/peoplesoft/PSEMHUB.war/ for unauthorized .jsp files. Check /tmp for *_fanout.sh scripts.
  • Credential Reset: Force reset passwords for administrative and service accounts used in PeopleSoft and underlying OS, especially those found in the hardcoded lists within the fanout script.

Priority 3 (Within 7 days): Hardening & Validation

  • Configuration Review: Inspect <docroot>/envmetadata/data/environment/ for malicious XML files that could trigger XMLDecoder RCE on restart.
  • Monitoring Enhancement: Deploy detection rules for outbound SMB (Port 445) from PeopleSoft hosts and outbound WSS connections to non-standard domains.
  • Third-Party Review: Re-evaluate ICT third-party risk principles (DORA Art. 28) regarding Oracle PeopleSoft dependency and concentration risk.
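The Priority 2 filesystem audit and the Priority 3 configuration review, combined into one offline triage routine as an added example (not the advisory's or Oracle's code). The filenames, the `PSEMHUB.war` webshell location, the `/tmp/*_fanout.sh` pattern and the `envmetadata/data/environment/` directory are taken from this advisory; the file tree below is constructed. One assumption to note: stock envmetadata files are themselves `java.beans.XMLEncoder` output, so the `XMLDecoder` root element alone is not treated as an indicator, and the routine instead flags environment XML that instantiates process, runtime, class-loader or script-engine classes (an assumed heuristic, not something the advisory states).

```python
"""Offline triage of a PeopleSoft host's file layout for the artefacts named in
the Priority 2 and Priority 3 steps. Added example, not the advisory's code.

triage() works on a {path: text} mapping so it can be exercised against a
constructed tree; collect_tree() builds that mapping from a real directory.
"""
import os
import re
import sys
from fnmatch import fnmatch

MARKER_FILE = "README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT"
AGENT_NAMES = {"meshagent32-azure-ops.exe", "meshagent64-azure-ops.exe", "meshagent64-v2.exe"}
# Any .jsp under PSEMHUB.war is treated as unexpected (assumption: a stock
# deployment ships none there).
PSEMHUB_WAR_RE = re.compile(r"/webserv/[^/]+/applications/peoplesoft/PSEMHUB\.war/.*\.jsp$", re.I)
ENVMETADATA_RE = re.compile(r"/envmetadata/data/environment/.*\.xml$", re.I)
# Assumed heuristic: classes a legitimate environment description never needs.
SUSPICIOUS_CLASS_RE = re.compile(
    r"java\.lang\.(?:ProcessBuilder|Runtime)\b|javax\.script|java\.net\.URLClassLoader"
)


def collect_tree(root, max_bytes=65536):
    """Read the first max_bytes of every regular file under root into {path: text}."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            if os.path.islink(p) or not os.path.isfile(p):
                continue
            try:
                with open(p, "rb") as fh:
                    files[p] = fh.read(max_bytes).decode("utf-8", "replace")
            except OSError:
                files[p] = ""
    return files


def triage(files):
    """Return (path, reason) pairs for every artefact the advisory lists."""
    findings = []
    for path, text in sorted(files.items()):
        name = os.path.basename(path)
        if name == MARKER_FILE:
            findings.append((path, "extortion marker file"))
        if name in AGENT_NAMES:
            findings.append((path, "customized MeshCentral agent filename"))
        if path.startswith("/tmp/") and fnmatch(name, "*_fanout.sh"):
            findings.append((path, "SSH fan-out script in /tmp"))
        if PSEMHUB_WAR_RE.search(path):
            findings.append((path, "unexpected JSP in PSEMHUB.war (possible webshell)"))
        if ENVMETADATA_RE.search(path) and SUSPICIOUS_CLASS_RE.search(text or ""):
            findings.append((path, "envmetadata XML instantiating suspicious classes (XMLDecoder persistence)"))
    return findings


# Constructed sample tree (not from the advisory).
_WAR = "/u01/app/psoft/ps_cfg_home/webserv/peoplesoft/applications/peoplesoft/PSEMHUB.war"
SAMPLE_TREE = {
    _WAR + "/index.html": "<html></html>",
    _WAR + "/cmd.jsp": "<%@ page import=\"java.io.*\" %>",
    "/u01/app/psoft/ps_cfg_home/webserv/CSPRD/" + MARKER_FILE: "see title",
    "/tmp/abc_fanout.sh": "#!/bin/bash\n",
    "/tmp/notes.sh": "#!/bin/bash\necho ok\n",
    _WAR + "/envmetadata/data/environment/host1.xml":
        '<java class="java.beans.XMLDecoder"><object class="com.peoplesoft.Env"/></java>',
    _WAR + "/envmetadata/data/environment/evil.xml":
        '<java class="java.beans.XMLDecoder"><object class="java.lang.ProcessBuilder"/></java>',
    "/home/psadm/meshagent64-azure-ops.exe": "MZ",
}

if __name__ == "__main__":
    roots = sys.argv[1:] or ["/tmp"]
    for root in roots:
        for path, reason in triage(collect_tree(root)):
            print(f"{reason}: {path}")
```

Point it at `<PS_CFG_HOME>` and `/tmp` on each PeopleSoft node; it reads only a prefix of each file, so it is safe to run across a large web server home.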

5. Indicators of compromise

| Type | Value | Confidence | Source |
|---|---|---|---|
| IPv4 | 142.11.200.186 | High | Google Cloud Blog |
| IPv4 | 142.11.200.187 | High | Google Cloud Blog |
| IPv4 | 142.11.200.188 | High | Google Cloud Blog |
| IPv4 | 142.11.200.189 | High | Google Cloud Blog |
| IPv4 | 142.11.200.190 | High | Google Cloud Blog |
| IPv4 | 176.120.22.24 | High | Google Cloud Blog (DLS Mirror) |
| Domain | azurenetfiles.net | High | Google Cloud Blog (C2) |
| URL | wss://azurenetfiles.net:443/agent.ashx | High | Google Cloud Blog (C2 Endpoint) |
| Filename | meshagent32-azure-ops.exe | High | Google Cloud Blog |
| Filename | meshagent64-azure-ops.exe | High | Google Cloud Blog |
| Filename | meshagent64-v2.exe | High | Google Cloud Blog |
| Filename | [victim_abbreviation]_fanout.sh | High | Google Cloud Blog |
| Filename | README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT | High | Google Cloud Blog |
| File Path | /tmp/[victim_abbreviation]_fanout.sh | High | Google Cloud Blog |
| Command | meshctrl.js | High | Google Cloud Blog |
| Port | 8888 (TCP) | Medium | Google Cloud Blog (Staging Server) |

6. Detection

rule ShinyHunters_PeopleSoft_MeshCentral_Agent {
    meta:
        author = "Adverse Trace"
        date = "2026-06-11"
        reference = "https://cloud.google.com/blog/topics/threat-intelligence/shinyhunters-targets-education-sector-oracle-exploit/"
        description = "Detects customized MeshCentral agents and scripts associated with the ShinyHunters Oracle PeopleSoft campaign."
    strings:
        // Campaign-specific indicators: any one of these is a hit on its own
        $c2_domain = "azurenetfiles.net" ascii wide
        $agent_name_32 = "meshagent32-azure-ops.exe" ascii wide
        $agent_name_64 = "meshagent64-azure-ops.exe" ascii wide
        $agent_name_v2 = "meshagent64-v2.exe" ascii wide
        $defacement_file = "README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT" ascii wide
        $fanout_script = "_fanout.sh" ascii wide
        // Generic strings: present in stock MeshCentral and in every PeopleSoft
        // install, so they only count in combination with each other
        $c2_path = "/agent.ashx" ascii wide
        $meshctrl = "meshctrl.js" ascii wide
        $ps_config = "psappsrv.cfg" ascii wide
    condition:
        any of ($c2_domain, $agent_name_*, $defacement_file, $fanout_script)
        or 2 of ($c2_path, $meshctrl, $ps_config)
}
title: Detection of Oracle PeopleSoft PSEMHUB Exploitation Attempt
id: 9a8b7c6d-5e4f-3a2b-1c0d-9e8f7a6b5c4d
status: experimental
description: Detects HTTP POST requests to vulnerable Oracle PeopleSoft PSEMHUB endpoints associated with CVE-2026-35273 exploitation.
author: Adverse Trace
date: 2026-06-11
references:
    - https://cloud.google.com/blog/topics/threat-intelligence/shinyhunters-targets-education-sector-oracle-exploit/
logsource:
    category: webserver
    product: oracle_weblogic
    definition: 'Access logs from Oracle PeopleSoft Internet Architecture (PIA) / WebLogic'
detection:
    selection:
        cs-method: 'POST'
        c-uri|contains:
            - '/PSEMHUB/hub'
            - '/PSIGW/HttpListeningConnector'
    filter_internal:
        # RFC 1918 source ranges. For perimeter logs drop this filter and alert on
        # every match; for internal logs narrow it to the trusted admin subnets.
        c-ip|cidr:
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
    condition: selection and not filter_internal
falsepositives:
    - Legitimate administrative traffic from untrusted networks (should be blocked by firewall).
level: critical
tags:
    - attack.initial_access
    - attack.t1190
    - cve.2026.35273

CVE assessment

1 referenced CVE — 1 critical (CVSS ≥ 9.0)

| CVE | CVSS | Exploited | EPSS | Summary |
|---|---|---|---|---|
| CVE-2026-35273 | 9.8 (Critical) | | 0% | Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management)… |

7. Sources

  • Google Cloud Blog, "ShinyHunters Targets Education Sector with Oracle PeopleSoft Exploit", https://cloud.google.com/blog/topics/threat-intelligence/shinyhunters-targets-education-sector-oracle-exploit/, 2026-06-11.
  • The Register Security, "ShinyHunters claims it hacked 100 orgs by exploiting an Oracle PeopleSoft 0-day", https://www.theregister.com/cyber-crime/2026/06/11/shinyhunters-claims-oracle-peoplesoft-0-day-hit-100-orgs/5254443, 2026-06-11.
  • BleepingComputer, "Oracle mitigates PeopleSoft zero-day exploited in data theft attacks", https://www.bleepingcomputer.com/news/security/oracle-mitigates-peoplesoft-zero-day-exploited-in-data-theft-attacks/, 2026-06-11.
  • SecurityWeek, "Oracle Addresses PeopleSoft Vulnerability Amid Reports of Zero-Day Attacks", https://www.securityweek.com/oracle-addresses-peoplesoft-vulnerability-amid-reports-of-zero-day-attacks/, 2026-06-11.

8. Adverse Trace position

Adverse Trace assesses the severity of this item as CRITICAL due to the CVSS 9.8 rating of CVE-2026-35273, the confirmed active exploitation in the wild, and the direct impact on data confidentiality and integrity. The vulnerability allows unauthenticated remote code execution, posing an existential threat to any EMEA financial service running unpatched Oracle PeopleSoft instances. While attribution to "ShinyHunters" is widely reported, the lack of a formal MITRE profile necessitates treating the actor identity as unconfirmed; however, the TTPs indicate a highly capable extortion group. We recommend clients immediately restrict access to PSEMHUB endpoints at the network perimeter, audit for the specific IOCs provided, and prioritize the application of Oracle's forthcoming patches. Regulatory obligations under DORA Articles 17, 18, and 19 are likely engaged for any entity confirming a breach.



Published via PulseTrace — Adverse Trace threat intelligence.
