ShinyHunters hit 68% of their targets in higher education by exploiting a CVSS 9.8 zero-day in Oracle PeopleSoft—CVE-2026-35273—days before Oracle's advisory dropped on June 10.
Mandiant and Google Threat Intelligence Group (GTIG) tracked the campaign from May 27 to June 9, 2026. The attackers went after the Environment Management Hub (PSEMHUB) endpoint, which allowed unauthenticated remote code execution. Out of over 100 organizations notified by GTIG, 68 percent were universities and colleges, mostly in the US. Several were compromised; stolen archives appeared on the ShinyHunters Data Leak Site on June 9.
How They Built a Fake Azure Staging Server
The attackers set up five staging IPs (142.11.200.186-190) running Python SimpleHTTP servers on port 8888. The exposed directories contained pre-configured Windows MeshCentral agent binaries named meshagent32-azure-ops.exe and meshagent64-azure-ops.exe—deliberately mimicking Microsoft Azure NetApp Files. The agents called back to wss://azurenetfiles.net:443/agent.ashx. A Linux agent was also staged, but unconfigured, suggesting dynamic parameters at deploy time.
bash_history from the staging hosts (identical across all five) showed the playbook. On May 27 at 22:14 UTC, the attackers installed MeshCentral v1.1.59. Eleven minutes later, they ran acme-client to grab Let’s Encrypt SSL certificates for the fake Azure domain. On May 29, they checked for the authenticode tool to sign binaries—classic supply-chain masquerading.
Reconnaissance and the SSH Credential-Spraying Script
Using meshctrl.js, they ran reconnaissance on compromised hosts: hostname and id to identify the box, and grep over psappsrv.cfg for machine names and IPs. They mounted NFS filesystems, read WebLogic config.xml, and mapped internal subnets via /etc/hosts.
The lateral movement script—named [victim_abbreviation]_fanout.sh—was written to /tmp and triggered via MeshCentral. It parsed hostnames from /etc/hosts, then sprayed a hardcoded list of common admin/application usernames and passwords via sshpass. On success, it copied a defacement marker (README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT) into WebLogic and Process Scheduler directories. The script even tried key-based SSH as a fallback.
Exfiltration used zstd compression, and the final command opened an SSH session to 176.120.22.24—the ShinyHunters DLS mirror. The whole chain, from zero-day exploitation to data publication, took less than two weeks.
What to Do Right Now
Block external access to /PSEMHUB/hub and /PSIGW/HttpListeningConnector at the network perimeter. That alone kills the primary attack vector without breaking user-facing PeopleSoft Internet Architecture sessions. Monitor WebLogic access logs for POST requests to those endpoints from untrusted IPs. Watch for outbound SMB (port 445) from PeopleSoft hosts—attackers may coerce NetNTLM hash capture.
On the filesystem, scan PSEMHUB.war for unexpected .jsp files, check envmetadata/transactions/ for unauthorized binaries, and look for recently created .xml files in envmetadata/data/environment/—those could be XMLDecoder persistence hooks.
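As an added defensive example (not code from the Google/Mandiant report), this Python check applies the log-monitoring advice above: it parses WebLogic access log lines, assumed to be in the default Common Log Format, and flags POSTs to the two PSEMHUB/PSIGW endpoints from IPs outside a trusted allow-list. The sample log lines and IP addresses are constructed.

```python
import ipaddress
import re

# Endpoints the advisory says to block at the perimeter and monitor in WebLogic access logs.
WATCHED_PATHS = ("/PSEMHUB/hub", "/PSIGW/HttpListeningConnector")

# Assumed WebLogic HTTP access log layout (Common Log Format):
#   client - - [timestamp] "METHOD /path HTTP/1.1" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def find_suspicious_posts(lines, trusted_nets):
    """Return (ip, path, status) for POSTs to watched endpoints from untrusted IPs."""
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]  # drop query string before comparing
        if not any(path == p or path.startswith(p + "/") for p in WATCHED_PATHS):
            continue
        ip = ipaddress.ip_address(m["ip"])
        if any(ip in net for net in trusted):
            continue  # internal admin/integration traffic is expected here
        hits.append((m["ip"], path, int(m["status"])))
    return hits


# Constructed sample lines; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    '10.20.30.5 - - [01/Jun/2026:10:00:01 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512',
    '203.0.113.77 - - [01/Jun/2026:10:00:02 +0000] "POST /PSEMHUB/hub?type=web HTTP/1.1" 200 812',
    '203.0.113.77 - - [01/Jun/2026:10:00:03 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 4120',
    '198.51.100.9 - - [01/Jun/2026:10:00:04 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for hit in find_suspicious_posts(SAMPLE_LOG, ["10.0.0.0/8"]):
        print("ALERT", hit)
```

A non-200 status on the hub endpoint is still worth an alert, since failed exploitation attempts precede successful ones.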
This is not a drill. If your PeopleSoft instance is internet-facing and unpatched, assume it's been scanned at minimum. The gap between public exploit disclosure and a patch is exactly where ShinyHunters operates.
Source: ShinyHunters Targets Education Sector with Oracle PeopleSoft Exploit
Domain: cloud.google.com