ShinyHunters Targets Education Sector with Oracle PeopleSoft Exploit
Mandiant and Google Threat Intelligence Group identified an active extortion campaign by UNC6240 (ShinyHunters) exploiting CVE-2026-35273, a critical zero-day RCE vulnerability in Oracle PeopleSoft. The threat actors targeted the higher education sector, deploying customized MeshCentral agents for C2 and utilizing custom scripts for lateral movement, defacement, and data exfiltration.
- CVE: CVE-2026-35273
- Domain: azurenetfiles[.]net - C2 domain masquerading as legitimate Microsoft Azure NetApp Files.
- Filename: README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT - Defacement and extortion marker file dropped on compromised systems.
- IP: 142[.]11[.]200[.]186 - Attacker staging server hosting Python SimpleHTTP servers.
- IP: 142[.]11[.]200[.]187 - Attacker staging server.
- IP: 142[.]11[.]200[.]188 - Attacker staging server.
- IP: 142[.]11[.]200[.]189 - Attacker staging server.
- IP: 142[.]11[.]200[.]190 - Attacker staging server.
- IP: 176[.]120[.]22[.]24 - IP address hosting the public clearnet mirror of the ShinyHunters Data Leak Site (DLS).
- SHA256: 2ab684d93c1553fad87041b4dea97188a97e78589deee2a7bacff905564f3a35 - Attacker .bash_history file recovered from staging servers.
- SHA256: 68257a6f9ff196179ec03624e849927f26599eb180a7c82e14ef5bc4e93bc309 - Unconfigured Linux MeshCentral agent (meshagent).
- SHA256: c7e9332731b06644fc73e0046a2a89eaa59b09f54250e9bd622467187351711f - Pre-configured Windows MeshCentral agent (meshagent32-azure-ops.exe).
- SHA256: d83fdb9e53c5ff03c4cb0451ea1bebd79b53f29eadc1e2fa394c7af13a86ce2f - Pre-configured Windows MeshCentral agent (meshagent64-v2.exe).
- SHA256: f02a924c9ff92a8780ce812511341182c6b509d45bc59f3f7b522e37225d24fc - Pre-configured Windows MeshCentral agent (meshagent64-azure-ops.exe).
What Happened
Cybercriminals known as ShinyHunters have been exploiting a critical flaw in Oracle PeopleSoft software to breach organizations, particularly universities and colleges. The attackers used this vulnerability to gain unauthorized access, install remote management tools, and steal sensitive data like billing and student records. This breach highlights the severe risk of unpatched enterprise software and the aggressive tactics of extortion groups. Organizations using Oracle PeopleSoft should immediately apply the latest security patches and restrict external access to vulnerable system components.
Key Takeaways
- UNC6240 (ShinyHunters) exploited a zero-day vulnerability (CVE-2026-35273) in Oracle PeopleSoft's Environment Management Hub.
- The campaign heavily targeted the higher education sector, leading to data theft and extortion.
- Attackers deployed customized MeshCentral agents masquerading as Microsoft Azure services for command and control.
- Lateral movement was automated using a custom bash script that performed SSH credential spraying across internal hosts.
- Immediate mitigation requires blocking external access to specific PSEMHUB endpoints and applying Oracle patches.
Affected Systems
- Oracle PeopleSoft application infrastructure
- Environment Management Hub (PSEMHUB) endpoints
- Integration Broker Listening Connector (/PSIGW/HttpListeningConnector)
- Windows and Linux servers hosting PeopleSoft
Vulnerabilities (CVEs)
- CVE-2026-35273
Attack Chain
The attackers exploited CVE-2026-35273 in Oracle PeopleSoft's Environment Management Hub to gain initial access. They established C2 using customized MeshCentral agents communicating with a domain masquerading as an Azure service. For lateral movement, they deployed a custom bash script that performed SSH credential spraying across internal hosts mapped from the /etc/hosts file. Finally, they compressed stolen data using zstd and exfiltrated it to their Data Leak Site infrastructure via SSH.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article does not provide ready-to-use detection rules but offers behavioral indicators, file paths, and network telemetry patterns for hunting.
Detection Engineering Assessment
- EDR Visibility: High — EDR solutions can detect the execution of unauthorized binaries (MeshCentral agents), suspicious shell commands (zstd, sshpass), and the creation of defacement text files across multiple directories.
- Network Visibility: Medium — Network sensors can detect outbound connections to unusual ports or known malicious IPs, as well as SSRF attempts in HTTP requests, though WSS traffic to the C2 is encrypted.
- Detection Difficulty: Moderate — While the initial exploit might blend with normal web traffic, the subsequent lateral movement (SSH spraying) and use of customized remote management tools provide clear behavioral signals.
Required Log Sources
- Web application access logs (WebLogic)
- Process creation logs (Event ID 4688 / Sysmon Event ID 1)
- File creation logs
- Firewall/NetFlow logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for outbound SMB traffic (TCP 445) originating from PeopleSoft web servers to public IP addresses, which may indicate forced authentication attempts. | Firewall/NetFlow logs | Credential Access | Low |
| Look for the execution of sshpass combined with ssh commands originating from web application service accounts, indicating potential lateral movement. | Process creation logs | Lateral Movement | Low |
| Search for the creation of unexpected .jsp files in the WebLogic PSEMHUB.war directory or .xml files in the envmetadata directory. | File creation logs | Persistence | Low |
| Monitor for HTTP POST requests to /PSEMHUB/hub or /PSIGW/HttpListeningConnector originating from external or untrusted IP addresses. | Web application access logs | Initial Access | Medium |
Control Gaps
- Lack of network segmentation isolating PeopleSoft administrative endpoints from the public internet.
- Insufficient monitoring of outbound connections from application servers.
Key Behavioral Indicators
- Execution of `meshctrl.js` or `meshagent` binaries on application servers.
- Use of `zstd` for archiving large amounts of data in unusual directories.
- Creation of files named `README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT`.
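As an added example (not part of the original report), the Python below applies the hunting hypotheses from the table above and the behavioral indicators just listed to constructed sample telemetry: a WebLogic-style access log and a list of process-creation events. The trusted network range, account names and file paths in the sample data are assumptions, not values from the campaign.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed WebLogic-style access log lines (combined log format); not real telemetry.
WEB_LOG = [
    '203.0.113.45 - - [12/May/2026:10:01:22 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512',
    '10.20.30.7 - - [12/May/2026:10:02:01 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 128',
    '198.51.100.9 - - [12/May/2026:10:03:15 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 500 0',
    '203.0.113.45 - - [12/May/2026:10:04:00 +0000] "GET /psp/ps/signon.html HTTP/1.1" 200 2048',
]
# Constructed process-creation events (account, command line) from application servers.
PROC_LOG: List[Tuple[str, str]] = [
    ("psadm", "sshpass -p REDACTED ssh -o StrictHostKeyChecking=no root@10.20.30.8"),
    ("psadm", "zstd -3 -T0 -o /tmp/exfil.tar.zst /tmp/exfil.tar"),
    ("root", "/tmp/azure-ops/meshagent -connect"),
    ("oracle", "ssh -o StrictHostKeyChecking=no backup@10.20.30.9"),  # no sshpass: benign
]

TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: the internal range
WATCHED_PATHS = ("/PSEMHUB/", "/PSIGW/HttpListeningConnector")
LOG_RE = re.compile(r'^(\S+) .*? "(\w+) (\S+) HTTP/[\d.]+"')
PROC_RULES = {
    "ssh_spraying": re.compile(r"\bsshpass\b.*\bssh\b"),      # sshpass driving ssh
    "zstd_archive": re.compile(r"\bzstd\b.*\.tar\.zst\b"),    # zstd producing a tarball
    "meshcentral": re.compile(r"\bmesh(agent|ctrl\.js)\b"),   # MeshCentral agent/controller
}

def untrusted(ip: str) -> bool:
    """True when the client address is outside every trusted range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in TRUSTED_NETS)

def hunt_web(lines: List[str]) -> List[Dict[str, str]]:
    """Table row: POSTs to PSEMHUB / Integration Broker endpoints from untrusted IPs."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ip, method, path = m.groups()
            if method == "POST" and path.startswith(WATCHED_PATHS) and untrusted(ip):
                hits.append({"ip": ip, "path": path})
    return hits

def hunt_process(events: List[Tuple[str, str]]) -> List[Dict[str, str]]:
    """Table row plus behavioral indicators: sshpass+ssh, zstd archives, MeshCentral binaries."""
    return [{"user": user, "rule": name}
            for user, cmd in events
            for name, rx in PROC_RULES.items() if rx.search(cmd)]
```

Plain `ssh` from a service account without `sshpass` is deliberately left unflagged to keep the false-positive rate low, matching the table's assessment.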
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- If applicable, immediately block external network access to the `/PSEMHUB/*` and `/PSIGW/HttpListeningConnector` endpoints.
- Apply all relevant Oracle Critical Patch Updates addressing CVE-2026-35273.
Infrastructure Hardening
- Evaluate whether administrative and system-to-system components of PeopleSoft can be isolated from public-facing networks.
- Implement strict egress filtering on application servers to prevent unauthorized outbound connections (e.g., blocking outbound SMB/TCP 445).
User Protection
- Consider rotating all administrative and application-specific credentials that may have been exposed during the campaign.
- Ensure EDR agents are deployed and actively monitoring critical application servers.
Security Awareness
- Educate IT and application administrators on the risks of exposing management interfaces to the internet.
MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application
- T1071.001 - Application Layer Protocol: Web Protocols
- T1036.005 - Masquerading: Match Legitimate Name or Location
- T1110.003 - Brute Force: Password Spraying
- T1048 - Exfiltration Over Alternative Protocol
- T1560.001 - Archive Collected Data: Archive via Utility
- T1491.001 - Defacement: Internal Defacement
Additional IOCs
- File Paths:
  - `/u01/app/psoft/ps_config_homes/csprd/appserv/prcs/psappsrv.cfg` - Oracle PeopleSoft process scheduler configuration file targeted for reconnaissance.
- Command Lines:

| Purpose | Tools | Stage | Command |
|---|---|---|---|
| Check for the availability of binary signing or metadata tools. | npm | Reconnaissance | `npm list global authenticode` |
| Extract machine names and IP addresses from PeopleSoft configuration files. | grep | Discovery | |
| Trigger the execution of the lateral propagation script on compromised hosts. | node, meshctrl.js | Execution | `node meshctrl.js RunCommand --loginuser admin --loginpass` |
| Compress exfiltrated directories containing stolen data. | pv, zstd | Collection | `zstd -3 -T0 -o exfil.tar.zst` |
| Perform SSH credential spraying against internal hosts. | sshpass, ssh | Lateral Movement | `sshpass -p <password> ssh -o StrictHostKeyChecking=no` |