By the Numbers: The ShinyHunters Education Campaign
100+ organizations notified by Google’s Mandiant team as having potentially vulnerable PeopleSoft endpoints exposed to the internet (Google Threat Intelligence Group, June 2026).
68% of targets were higher education institutions, primarily in the United States (Mandiant / Google Cloud Blog, June 2026).
14-day zero-day window: ShinyHunters began exploitation on May 27, 2026. Oracle did not publish its advisory until June 10, 2026 (Rapid7 / Mandiant timeline).
~500,000 student and alumni records confirmed compromised at the University of Nottingham alone — including names, addresses, phone numbers, passport numbers, and ethnicity/disability data (The Register / Pathlock, June 2026).
CVSS 9.8 — the vulnerability requires no login, no user interaction, and only network access over HTTP (Oracle Advisory, CVE-2026-35273).
What Happened
Between May 27 and June 9, 2026, the threat actor group ShinyHunters — tracked by Google’s Mandiant as UNC6240 — executed a coordinated data-theft campaign against organizations running Oracle PeopleSoft. The attack exploited CVE-2026-35273, a critical remote code execution vulnerability in PeopleSoft Enterprise PeopleTools’ Environment Management component (PSEMHUB). With a CVSS score of 9.8, the flaw required only network access over HTTP to achieve full system takeover. No credentials. No user interaction. No social engineering.
For fourteen days, the vulnerability was a true zero-day. Oracle did not publish its advisory until June 10 — a full day after ShinyHunters had already begun publishing stolen data on its leak site. During that window, there was no patch, no advisory, and no public indicator that anything was wrong. Administrators running PeopleSoft 8.61 or 8.62 with internet-accessible management hubs had no signal to act on.
Google’s Mandiant team ultimately notified more than 100 organizations whose IP addresses correlated with potentially vulnerable endpoints. Sixty-eight percent of them were in higher education.
How the Attack Worked
The technical execution was methodical. ShinyHunters targeted PeopleSoft’s Environment Management Hub endpoints — components designed for server provisioning and updates that many organizations leave exposed to the internet.
Attack Chain: CVE-2026-35273 Exploitation
Step 1 — Initial access: The attackers sent crafted HTTP requests to vulnerable PSEMHUB endpoints, exploiting CVE-2026-35273 to achieve remote code execution on the PeopleSoft server. No authentication was required.
Step 2 — Tooling deployment: Once inside, they staged infrastructure on exposed servers running Python’s SimpleHTTP on port 8888. The staging servers hosted custom MeshCentral remote-management agents disguised as Microsoft Azure binaries (hosted at azurenetfiles.net) to maintain persistent access.
Step 3 — Lateral movement: A custom script named [victim]_fanout.sh sprayed hardcoded SSH credentials against internal hosts, moving laterally across the network to reach additional systems and data stores.
Step 4 — Data exfiltration: The attackers harvested HR records, student data, payroll information, financial records, and identity documents from PeopleSoft’s databases covering human resources, student administration, and campus solutions modules.
Step 5 — Extortion: ShinyHunters published stolen data on its leak site and began contacting victims directly. A file named README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT was deposited in PeopleSoft directories as a calling card.
The Victims
The first publicly confirmed victim was the University of Nottingham. On June 11, 2026, ShinyHunters published more than 40 GB of stolen data covering nearly 500,000 current and former students across the university’s campuses in the UK, Malaysia, and China. The data included billing and payment records, credit card details, student finance data, campus solutions records, names, addresses, phone numbers, passport numbers, and ethnicity and disability information.
The university confirmed the breach the following day, but ShinyHunters says victim outreach has only just started. Most of the organizations it claims to have compromised have not yet been named publicly. Mandiant has confirmed the campaign is still active as of mid-June 2026.
Part of a Pattern
This was not ShinyHunters’ first attack on the education sector. In the months before the PeopleSoft campaign, the group executed a separate operation against Instructure, the company behind the Canvas Learning Management System used by thousands of schools. That attack exploited Canvas’s Free-For-Teacher account program — a freemium tier that shared production infrastructure with paid institutional tenants but applied weak identity verification.
ShinyHunters claimed to have stolen roughly 275 million records tied to students, teachers, and staff across more than 8,800 school districts, universities, and online education platforms. The group escalated by defacing Canvas login portals for hundreds of institutions with on-screen ransom messages. Instructure ultimately reached an “agreement” with the attackers in May 2026.
The PeopleSoft campaign, then, was a deliberate pivot — from SaaS platforms to on-premise enterprise systems — continuing ShinyHunters’ systematic focus on education-sector data.
Why This Matters Beyond Education
Oracle PeopleSoft is not limited to universities. It is deployed across state and local government agencies, healthcare systems, financial institutions, and large enterprises for HR, payroll, benefits administration, and financial management. The vulnerability — CVE-2026-35273 — affects any organization running PeopleTools 8.61 or 8.62 with an internet-exposed Environment Management Hub.
Three aspects of this campaign carry lessons for every organization, regardless of industry:
First, zero-days erase the patching window entirely. The standard security advice — “apply patches promptly” — assumes a patch exists. For fourteen days, none did. Organizations that depended solely on patching as their primary defense had no control that could detect or stop the attack. This is the scenario that supply chain attacks and zero-day exploits create: the gap between compromise and patch where only detection and response matter.
Second, enterprise software is a high-value target that often lacks monitoring. PeopleSoft manages some of the most sensitive data in any organization — Social Security numbers, payroll records, tax information, medical benefits, student identity documents. Yet many organizations treat it as a “business application” that sits outside the security team’s monitoring scope. No EDR agent on the application server. No log analysis of PSEMHUB access. No anomaly detection on database queries. ShinyHunters exploited this blind spot.
Third, the extortion model has evolved. ShinyHunters does not deploy ransomware. It does not encrypt files. It steals data and demands payment to keep it private — pure data-theft extortion. This means there is no “system down” alert, no encrypted file extension, no ransom note on a desktop background. The first sign of compromise may be a message from the attacker themselves, or a Mandiant notification, or a post on a leak site. Without active monitoring, the breach can go undetected for weeks.
Indicators of Compromise
Google’s Mandiant and Rapid7 have published technical indicators. Organizations running PeopleSoft should check for the following immediately:
What to Look For
WebLogic access logs: External POST requests to PSEMHUB endpoints that should only receive internal traffic.
Unexpected .jsp files under the PSEMHUB.war directory — web shells deposited by the exploit chain.
New or unusual directories named logs, persistantstorage, or scratchpad in locations where they should not exist.
Recently modified .xml files under envmetadata/data/environment — a sign of post-exploitation configuration tampering.
Outbound SMB traffic on port 445 from PeopleSoft hosts to external destinations. The exploit chain may use this to capture machine-account NetNTLM hashes.
Staging servers: Any process running Python SimpleHTTP on port 8888, or connections to azurenetfiles.net.
Lateral-movement scripts: Files matching the pattern *_fanout.sh containing SSH credential-spraying logic.
What to Do Right Now
Immediate Actions
1. Disable the Environment Management Hub. On multi-server PeopleSoft deployments, disable PSEMHUB entirely. On single-server deployments, remove the PSEMHUB application. This eliminates the attack surface for CVE-2026-35273.
2. Block external access to vulnerable endpoints. At the perimeter firewall or reverse proxy, block all external traffic to /PSEMHUB/* and /PSIGW/HttpListeningConnector. Note: WAF body-inspection rules alone are insufficient — the exploit does not rely on payload patterns that WAFs typically catch.
3. Apply Oracle’s out-of-band patch. Oracle released an update for PeopleTools. Check My Oracle Support for the specific fix applicable to your version and apply it immediately.
4. Hunt for indicators of compromise. Review WebLogic access logs, file system changes, and network traffic against the IOCs listed above. If you find evidence of exploitation, treat it as a confirmed breach and engage incident response.
5. Audit all PeopleSoft data access. If your environment was exposed, assume data may have been accessed. Review database audit logs for unusual queries against HR, payroll, student, and financial tables. Identify what records were accessed and prepare for notification obligations.
The Bigger Problem: Detection Gaps in Enterprise Applications
The ShinyHunters campaign exposes a structural weakness in how most organizations approach security. Endpoint detection and response (EDR) covers laptops and servers. Email security covers inboxes. Identity monitoring covers login events. But enterprise applications like PeopleSoft, SAP, Workday, and Banner often sit in a monitoring blind spot — connected to the internet, holding the most sensitive data in the organization, but generating logs that nobody watches.
This is exactly the scenario where MDR provides the most value. A 24/7 detection and response operation watches for the behavioral signals that indicate compromise regardless of the attack vector:
- Anomalous network traffic from application servers — outbound connections to unknown infrastructure, unexpected port usage, data exfiltration patterns.
- File system changes in application directories — new web shells, modified configuration files, dropped scripts.
- Lateral movement indicators — SSH brute-force from an application server, credential spraying against internal hosts, unexpected privilege escalation.
- Data-access anomalies — bulk database queries, exports of sensitive tables, access patterns that deviate from normal application behavior.
These are the detections that catch a zero-day exploitation in progress — not by knowing the CVE, but by recognizing that an application server is suddenly connecting to an external IP, running shell scripts, and spraying SSH credentials across the internal network. That behavior is wrong regardless of how the attacker got in.
The Bottom Line
ShinyHunters didn’t need sophisticated malware, AI-generated phishing, or an insider. They needed one unpatched endpoint and fourteen days of silence. The organizations that detected this campaign early were the ones that monitored their application servers the same way they monitor their endpoints — with 24/7 detection that catches attacker behavior, not just known signatures. For everyone else, the first sign of compromise was a message from the hackers.
Your enterprise apps deserve the same monitoring as your endpoints.
Our MDR service provides 24/7 detection and response across your entire environment — endpoints, cloud, identity, and the enterprise applications that attackers increasingly target. We catch the lateral movement, anomalous access, and data exfiltration that zero-day exploitation produces.
Book a Free Consultation