ShinyHunters Breaches 100 Organizations Using Oracle PeopleSoft Zero-Day

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
ShinyHunters compromised more than 100 organizations in a single coordinated campaign last month, exploiting a CVSS 9.8 unauthenticated remote code execution zero-day in Oracle PeopleSoft before Oracle even knew the flaw existed.
The ShinyHunters Oracle PeopleSoft exploit, tracked as CVE-2026-35273, targets the Environment Management Hub component in PeopleTools 8.61 and 8.62. The group operated without detection from May 27 through June 9, 2026, while Oracle remained unaware. When Oracle released its emergency out-of-band advisory on June 10, Google-owned incident response firm Mandiant (which tracks the group as UNC6240) had already begun notifying more than 100 victim organizations. Sixty-eight percent of those organizations were confirmed as colleges and universities.
The exploitation required no credentials and no user interaction. Attackers sent HTTP POST requests to two PeopleSoft endpoints, executed arbitrary code within WebLogic, then deployed MeshCentral remote access agents branded as Microsoft Azure services. A custom SSH credential-spraying script automated lateral movement across internal networks before zstd-compressed data archives were uploaded to attacker-controlled staging infrastructure.
This PeopleSoft campaign is not an isolated incident. ShinyHunters breached Charter Communications in April 2026 via voice phishing, claiming 40 million stolen customer records. Earlier in 2026, the group targeted Instructure Canvas, the learning management system used by over 9,000 educational institutions globally. The FBI's Internet Crime Complaint Center issued PSA260515 in May 2026 warning specifically of ShinyHunters targeting learning management systems. Today's profile covers the group's full origin, TTPs mapped to MITRE ATT&CK, confirmed infrastructure IOCs, and the detection steps every security team running PeopleSoft needs to execute today.
How Does the ShinyHunters Oracle PeopleSoft Exploit Work?
CVE-2026-35273 is an unauthenticated remote code execution vulnerability in Oracle PeopleSoft PeopleTools 8.61 and 8.62, specifically in the Updates Environment Management Hub component. An attacker with network access can execute arbitrary code over HTTP without credentials or user interaction, making the flaw trivially weaponizable at internet scale.
ShinyHunters exploited CVE-2026-35273 as a zero-day from May 27 to June 9, 2026, a full two weeks before Oracle disclosed it in an emergency out-of-band advisory. Researchers from Arctic Wolf and Google Mandiant confirmed the group combined CVE-2026-35273 with older PeopleSoft vulnerabilities in a gadget chain, sending crafted HTTP POST requests to two endpoints: /PSEMHUB/hub and /PSIGW/HttpListeningConnector. These requests triggered arbitrary code execution within PeopleSoft's WebLogic application server.
After gaining initial access, ShinyHunters established persistence by deploying customized MeshCentral v1.1.59 remote access agents. These agents were digitally signed and named to impersonate Microsoft Azure services, with filenames like meshagent64-azure-ops.exe. All command and control traffic used WebSocket Secure connections to azurenetfiles.net, a domain registered to impersonate Microsoft's Azure NetApp Files service on port 443, a protocol most enterprise firewalls allow without deep packet inspection.
The EM Hub component is exposed by default in many PeopleSoft deployments and rarely protected with additional authentication layers, which explains how the campaign breached more than 100 organizations in under two weeks. If your organization runs PeopleSoft PeopleTools 8.61 or 8.62 and has not applied the June 10 emergency patch, treat your environment as potentially compromised and run the detection steps in this article. The full technical vulnerability analysis is in our CVE-2026-35273 zero-day analysis.
ShinyHunters Origin and Group Attribution
ShinyHunters is a financially motivated cybercriminal group that emerged in 2020, taking its name from Pokémon terminology where players seek rare color variants of creatures. Google Mandiant describes the group as multiple threat clusters operating under a unified brand, tracking the cluster responsible for the PeopleSoft campaign as UNC6240. The group sits within the broader The Com criminal ecosystem alongside affiliates including Scattered Spider and Lapsus$.
The group operates as a decentralized network rather than a fixed hierarchy, which makes it resilient to law enforcement actions. Leadership communicates through a persona known as ShinyCorp, also tracked as sp1d3rhunters or shinyc0rp across Telegram channels. This structure lowers barriers to entry and enables rapid recruitment of technically skilled individuals with financial incentives, including one November 2025 administrator identified as a 15-year-old from Jordan.
Law enforcement has recorded several prosecutions. French national Sebastien Raoult was arrested in Morocco in May 2022 and sentenced in January 2024 to three years in US federal prison plus $5 million in restitution. Matthew D. Lane, a 19-year-old Massachusetts student, pleaded guilty in June 2025 to extortion charges connected to the PowerSchool breach involving a $2.85 million Bitcoin ransom demand. French authorities arrested four additional suspected members in a June 2025 coordinated operation.
Despite multiple prosecutions, ShinyHunters has not slowed. The group escalated its 2026 operational tempo with the PeopleSoft zero-day campaign, demonstrating that decentralized criminal networks can absorb law enforcement attrition and continue operating when leadership remains outside extradition reach.
“ShinyHunters identifies a widely deployed enterprise platform, develops automation against a critical vulnerability, and scales to hundreds of organizations before most of them know they have been targeted.”
Google Cloud Threat Intelligence, June 2026
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
ShinyHunters TTPs Mapped to MITRE ATT&CK
ShinyHunters follows a structured multi-stage playbook that maps consistently to MITRE ATT&CK, making the group's behavior detectable at each phase if defenders know what to look for.
Initial Access (T1190): The group exploits internet-exposed enterprise platforms with unauthenticated attack surfaces. In the PeopleSoft campaign, CVE-2026-35273 provided unauthenticated RCE against any reachable EM Hub endpoint. In the Charter Communications breach, ShinyHunters used voice phishing (T1566.004) to steal an employee's Microsoft Entra SSO credentials before exporting data from Salesforce.
Execution and Persistence (T1059.004 / T1021.004): After initial access, attackers executed Bash shell scripts to enumerate the PeopleSoft environment, parse internal hostnames from /etc/hosts, and map connected application and batch server nodes. MeshCentral agents established persistent remote access.
Defense Evasion (T1036.005): MeshCentral agents were compiled and signed with names mimicking legitimate Azure services. The C2 domain azurenetfiles.net impersonates Microsoft Azure NetApp Files. The group uses the npm package authenticode-sign to add code signing certificates to Windows binaries, causing many endpoint security tools to treat the agents as trusted software.
Lateral Movement (T1570): A script named [victim-abbreviation]_fanout.sh automated SSH credential spraying across internal hosts by iterating over parsed hostnames and attempting authentication with a hardcoded list of common administrative usernames and passwords. Upon successful authentication, the script propagated the defacement marker to WebLogic and Process Scheduler directories.
Exfiltration (T1002 / T1030): Stolen data was archived using zstd compression before SSH upload to the staging IP 176.120.22.24, which served as the data leak site mirror.
Exploit CVE-2026-35273 (T1190)
HTTP POST requests to /PSEMHUB/hub and /PSIGW/HttpListeningConnector trigger unauthenticated RCE within PeopleSoft WebLogic without credentials or user interaction.
Deploy MeshCentral C2 Agent (T1036.005)
Customized MeshCentral v1.1.59 agents signed as Azure services establish WSS command and control to azurenetfiles.net:443, blending with legitimate enterprise cloud traffic.
SSH Credential Spray Internally (T1570)
fanout.sh parses /etc/hosts for internal hostnames and sprays hardcoded credentials via sshpass, propagating access and the extortion marker across the application tier.
Compress and Exfiltrate Data (T1002)
Stolen data is archived with zstd -3 -T0 and uploaded via SSH to 176.120.22.24, the data leak site mirror, before ransom demands are issued.
ShinyHunters Infrastructure and Indicators of Compromise
ShinyHunters staging infrastructure for the PeopleSoft campaign centers on a MeshCentral server operating under the domain azurenetfiles.net. The group registered this domain to impersonate Microsoft Azure NetApp Files and used it exclusively for WebSocket Secure command and control on port 443, a port allowed outbound by nearly all enterprise firewalls without inspection.
Google Mandiant identified the contiguous IP range 142.11.200.186 through 142.11.200.190 as ShinyHunters staging infrastructure used to host the MeshCentral management server and coordinate agent callbacks. A separate IP, 176.120.22.24, served as the data leak site mirror to which exfiltrated archives were uploaded via SSH after compression.
Four MeshCentral agent binaries were attributed to this campaign with SHA-256 hashes confirmed by Mandiant. They appear in two flavors: meshagent64-azure-ops.exe and meshagent64-v2.exe for Windows x64, meshagent32-azure-ops.exe for 32-bit Windows systems, and a Linux meshagent binary for Unix-based PeopleSoft application servers.
The filesystem artifact README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT appears in WebLogic and Process Scheduler directories on compromised systems as both a defacement marker and extortion notification. Its presence in any PeopleSoft directory is a definitive indicator of compromise.
Block all outbound connections to azurenetfiles.net and the 142.11.200.186/29 subnet immediately. Audit authentication logs for SSH sessions to 176.120.22.24, which indicate data exfiltration has already occurred.
Subscribe to unlock Indicators of Compromise
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Notable ShinyHunters Campaigns: A 2026 Breach Timeline
ShinyHunters has built a documented record of targeting enterprise platforms at scale, with 2026 campaigns demonstrating a clear escalation in technical sophistication alongside continued reliance on social engineering for targets outside their automated exploitation pipeline.
In April 2026, ShinyHunters breached Charter Communications by voice phishing a single employee with access to Microsoft Entra. That social engineering attack provided SSO credentials enabling a direct Salesforce data export. Charter disputes the full scope, but ShinyHunters claims 40 million customer records stolen including names, addresses, phone plan data, and customer support history. The full details of that attack are covered in our ShinyHunters vishing attack on Charter Communications.
Earlier in 2026, the group targeted Instructure Canvas, the learning management system used by more than 9,000 educational institutions worldwide, in a breach potentially affecting 275 million users. The FBI responded with PSA260515 in May 2026, warning that ShinyHunters was escalating pressure on victims through threatening calls, texts to family members, and swatting.
Also in June 2026, ShinyHunters publicly claimed the Eastman Kodak breach, posting 45 GB of internal corporate files, and published 45 GB of internal data from Madison Square Garden Sports after MSG declined to negotiate a ransom.
The PeopleSoft campaign represents the group's most technically sophisticated operation to date, combining a previously unknown zero-day with automated lateral movement tooling to compromise more than 100 organizations simultaneously, before the vendor was even aware a vulnerability existed.
Charter breach via vishing; 40M records claimed
April 2026: ShinyHunters uses voice phishing to steal an employee's Microsoft Entra SSO credentials, enabling direct Salesforce export of 40 million Charter Communications customer records.
PeopleSoft zero-day campaign; 100+ orgs hit
May 27, 2026: ShinyHunters begins exploiting CVE-2026-35273 as a zero-day against Oracle PeopleSoft instances globally, targeting higher education institutions and enterprises before any patch exists.
Oracle patches CVE-2026-35273; Mandiant notifies victims
June 10, 2026: Oracle releases emergency out-of-band advisory. Mandiant begins notifying more than 100 compromised organizations, 68 percent of which are colleges and universities.
Who Is at Risk: Current ShinyHunters Targeting and Sectors
Higher education is ShinyHunters' primary confirmed target sector in 2026, with 68 percent of organizations notified by Mandiant following the PeopleSoft campaign identified as colleges and universities. This targeting aligns directly with PeopleSoft's dominant market share in higher education student information systems, human resources, and financial management.
Beyond education, the group has demonstrated willingness to target any organization that runs widely deployed enterprise platforms exposed to the internet. In 2025 and 2026, confirmed verticals include telecommunications (Charter Communications, AT&T), finance (Banco Santander), retail and luxury goods (Adidas, Kering, LVMH subsidiaries), technology (Google, Cisco), aviation (Qantas), and government (European Commission, Dominican Republic law enforcement). The connecting thread is enterprise SaaS or on-premise platforms with internet-facing components.
Organizations that should treat themselves as high-priority targets: any entity running Oracle PeopleSoft PeopleTools 8.61 or 8.62 that did not apply the June 10 emergency patch within 48 hours of release; any institution using Instructure Canvas that received a security notification in early 2026; any Salesforce customer that relies on SSO without phishing-resistant MFA on its Entra ID accounts.
The FBI's PSA260515 specifically names universities and colleges as the highest-risk sector for ShinyHunters extortion in the current environment. If your organization receives contact from an unverified individual claiming to possess your data, cross-reference your PeopleSoft patch history and Mandiant notification status before deciding how to respond.
How to Detect and Hunt ShinyHunters in Your Environment
Detecting an active or past ShinyHunters intrusion requires checking three artifact layers: network telemetry, filesystem artifacts, and authentication logs. Start with the highest-confidence indicators before expanding scope.
In web server logs, search for HTTP POST requests targeting /PSEMHUB/hub and /PSIGW/HttpListeningConnector from external or untrusted IP addresses. Any server-side request forgery indicators: loopback addresses such as 127.0.0.1 or ::1 in request parameters: confirm exploitation attempts against the EM Hub.
On the filesystem, search all paths under PeopleSoft WebLogic deployments for unexpected .jsp files inside /webserv/applications/peoplesoft/PSEMHUB.war/. The defacement file README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT in any WebLogic or Process Scheduler directory is a near-certain compromise indicator. Scan for any file matching the pattern [abbreviation]_fanout.sh anywhere in the application tier.
In network telemetry, block and alert on outbound connections to azurenetfiles.net and any IP in the 142.11.200.186/29 range. Hunt for outbound WebSocket Secure connections on port 443 to domains not in your approved SaaS allowlist. SSH sessions to 176.120.22.24 indicate that data exfiltration has already occurred.
In endpoint detection and response telemetry, search for the four MeshCentral binary hashes published by Mandiant. Any process named meshagent64-azure-ops.exe, meshagent64-v2.exe, or meshagent32-azure-ops.exe should be treated as malicious until proven otherwise, regardless of code signing status.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
The bottom line
ShinyHunters Oracle PeopleSoft exploit activity is ongoing and the group shows no sign of slowing despite multiple law enforcement actions. Three key takeaways: CVE-2026-35273 carries a CVSS score of 9.8 and was exploited as a zero-day against more than 100 organizations before Oracle issued a patch; 68 percent of confirmed victims are higher education institutions, but every internet-facing PeopleSoft deployment in every sector was at risk; and ShinyHunters uses MeshCentral agents disguised as Azure services, meaning many compromised organizations may not yet know they were hit. Apply the Oracle emergency patch, block the IOCs listed above, and audit your PeopleSoft web server logs for POST requests to /PSEMHUB/hub before end of day today.
This analysis is generic — the platform version scores threats like this against your own stack.
Frequently asked questions
Who is ShinyHunters?
ShinyHunters is a financially motivated cybercriminal group that has operated since 2020, responsible for more than 400 confirmed organizational breaches and an estimated 1.79 billion cumulative stolen records. Google Mandiant tracks the group as UNC6240. The group operates as a decentralized network of threat clusters under the ShinyCorp brand, placing it within the broader The Com cybercriminal ecosystem alongside affiliates including Scattered Spider. Its primary objective is financial: breach an organization, exfiltrate data, demand ransom, and publish or auction data if payment is refused.
What TTPs does ShinyHunters use?
ShinyHunters uses a multi-stage playbook that maps to MITRE ATT&CK. Initial access comes through exploiting internet-exposed enterprise platforms (T1190) or voice phishing to steal SSO credentials (T1566.004). Persistence relies on MeshCentral remote access agents masquerading as Azure services (T1036.005). Lateral movement uses a custom SSH credential-spraying script named fanout.sh (T1021.004). Exfiltration uses zstd-compressed archives uploaded via SSH to staging infrastructure (T1002). The group systematically targets Salesforce, Oracle PeopleSoft, and other widely deployed SaaS and on-premise platforms.
Which sectors does ShinyHunters target?
ShinyHunters has confirmed victims in higher education (68 percent of the 2026 PeopleSoft campaign), telecommunications (Charter Communications, AT&T), finance (Banco Santander), retail and luxury goods (Adidas, Kering), technology (Google, Cisco), aviation (Qantas), and government (European Commission). The targeting pattern follows platform availability rather than sector preference: the group identifies a widely deployed enterprise application with a critical vulnerability, builds automation to exploit it at scale, and breaches hundreds of organizations before most detect the intrusion.
How do I detect ShinyHunters activity in my environment?
Check three artifact layers: web server logs for HTTP POST requests to /PSEMHUB/hub and /PSIGW/HttpListeningConnector from external IPs; filesystem for README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT in WebLogic directories and unexpected .jsp files in PSEMHUB.war; and network telemetry for outbound connections to azurenetfiles.net or the 142.11.200.186/29 IP range. In endpoint detection logs, search for the MeshCentral binary hashes published by Mandiant, including meshagent64-azure-ops.exe (SHA-256: f02a924c9ff92a8780ce812511341182c6b509d45bc59f3f7b522e37225d24fc).
Has ShinyHunters been indicted or sanctioned?
Yes. French national Sebastien Raoult was sentenced in January 2024 to three years in US federal prison plus $5 million in restitution for his role in ShinyHunters operations. Matthew D. Lane, a Massachusetts student, pleaded guilty in June 2025 to extortion charges connected to the PowerSchool breach. French authorities arrested four additional suspected members in June 2025. Despite these prosecutions, the group continued operating and escalated activity through 2026, reflecting its decentralized structure and low barriers to entry for new recruits.
How did ShinyHunters exploit Oracle PeopleSoft?
ShinyHunters exploited CVE-2026-35273, a CVSS 9.8 unauthenticated remote code execution vulnerability in Oracle PeopleSoft PeopleTools 8.61 and 8.62. The attack targeted the Environment Management Hub component via HTTP POST requests to two exposed endpoints: /PSEMHUB/hub and /PSIGW/HttpListeningConnector. No credentials or user interaction were required. The group combined CVE-2026-35273 with older PeopleSoft vulnerabilities in a gadget chain to achieve full remote code execution, then deployed MeshCentral agents for persistent access before Oracle released its emergency patch.
What data does ShinyHunters steal and what happens if you do not pay?
ShinyHunters exfiltrates whatever data the compromised platform manages: student records and HR data from PeopleSoft, customer data and support tickets from Salesforce, and platform credentials from SaaS integrations. If a victim refuses to pay, the group publishes stolen data on Tor-based leak sites or auctions it to other threat actors. The FBI has documented additional pressure tactics including threatening phone calls and text messages to victims and their family members, as well as swatting to generate law enforcement pressure.
How do I know if my organization was affected by the June 2026 PeopleSoft campaign?
Mandiant has been notifying affected organizations directly if they were identified during the campaign. If you have not received a Mandiant notification but run PeopleSoft PeopleTools 8.61 or 8.62, treat your environment as potentially compromised if the June 10 emergency patch was not applied within the first 24 to 48 hours of release. Audit your web server logs for HTTP POST requests to /PSEMHUB/hub from external IPs dating back to May 27, 2026 or earlier as the earliest exploitation indicator.
Sources & references
- Google Cloud / Mandiant: ShinyHunters Targets Education Sector with Oracle PeopleSoft Exploit
- Arctic Wolf: Critical Oracle PeopleSoft Vulnerability Actively Exploited in ShinyHunters Campaign
- FBI IC3 PSA260515: ShinyHunters Cyber Criminal Group Attacks Learning Management System
- BleepingComputer: Charter Confirms Data Breach After ShinyHunters Extortion Threat
- NVD: CVE-2026-35273 Detail
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
