ShinyHunters Targets Oracle PeopleSoft Servers in Mass Data Theft Campaign
ShinyHunters has claimed a broad intrusion campaign against Oracle PeopleSoft servers, saying it compromised roughly 300 instances across more than 100 organizations, with universities and other education-sector entities appearing to be the primary victims. The group told reporters it exfiltrated sensitive student and administrative records, including applicant, financial aid, immigration, health, and contact data, and identified Nottingham University as one victim; the university acknowledged a cybersecurity incident. One member of the group also said an attempted breach of an FBI PeopleSoft server was intended to post a denial of the gang’s involvement in recent swatting incidents, but that effort allegedly failed.
Reporting indicates the attacks are tied to data theft and extortion activity and may involve a gadget chain using older flaws alongside a possible zero-day, with impact varying by PeopleSoft configuration. Independent research found exposed directories containing tooling linked to the campaign, including MeshCentral agents, a defacement script, a credential-spraying tool, and infrastructure associated through TLS certificates with azurenetfiles[.]net. Investigators also observed a shell script that parsed /etc/hosts, attempted SSH access with common PeopleSoft and Oracle administrative accounts, and dropped a ransom note named README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT on compromised internal PeopleSoft servers, while Oracle had not publicly commented on the allegations at the time of reporting.

How this story unfolded
9 events from the most recent confirmed update back to the earliest known activity.
Mandiant and Rapid7 publish PeopleSoft IOCs and defensive guidance
Mandiant and Rapid7 published indicators of compromise related to the PeopleSoft exploitation campaign and urged customers to take immediate defensive action. The reporting also described attacker reconnaissance of PeopleSoft and WebLogic configuration files and SSH-based exfiltration to infrastructure hosting the ShinyHunters leak site.
Mandiant says PeopleSoft extortion campaign remains active
Mandiant warned that exploitation of CVE-2026-35273 and related extortion activity were still ongoing, indicating the PeopleSoft campaign had not ended after Oracle's alert and victim notifications. The report said ShinyHunters was actively extorting universities while no patch had yet been released.
Mandiant attributes PeopleSoft attacks to UNC6240
Google Mandiant attributed the PeopleSoft exploitation activity to UNC6240 and said it observed attacks exploiting CVE-2026-35273 from 2026-05-27 through 2026-06-09, before Oracle published its advisory. Mandiant also said it notified more than 100 organizations with vulnerable endpoints, with 68% in higher education.
Oracle issues security alert and mitigations for CVE-2026-35273
After the PeopleSoft incident became public, Oracle issued an out-of-band security alert for CVE-2026-35273, a critical PeopleSoft Enterprise PeopleTools flaw said to allow remote unauthenticated compromise. The reference says Oracle had reportedly released mitigations, though it was unclear whether a full patch was available.
Nottingham breach disclosed as affecting 454,600 people
The University of Nottingham disclosed that attackers accessed its student records system, exposing data affecting 454,600 current and former students. The university said it reported the incident to the UK's Information Commissioner's Office and Action Fraud and is working with the third-party platform maintainer on a forensic investigation.
Nottingham University acknowledges a cybersecurity incident
After being identified by the threat actor as a victim, Nottingham University acknowledged that it had experienced a cybersecurity incident. The reference does not provide a specific date for the university's acknowledgment.
Researcher uncovers tooling and infrastructure tied to the campaign
Independent researcher Michael R found exposed directories containing tooling linked to the attacks, including MeshCentral agents, a defacement script, a credential spray script, and infrastructure associated via TLS certificates with azurenetfiles[.]net. The tooling also included a shell script that parsed /etc/hosts, attempted SSH access with common PeopleSoft and Oracle administrative accounts, and dropped a ransom note on compromised internal PeopleSoft servers.
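A defender-side hunt for the lateral-movement behaviour described above, as an added example that is not part of the original reporting or of any vendor's published detections: it flags an internal source that fails SSH logins with administrative account names across several hosts, and matches the ransom note by file name. The account names, thresholds and log lines are assumptions constructed for illustration; only the ransom note name comes from this page.

```python
import re
from collections import defaultdict

# Assumption: the page says only "common PeopleSoft and Oracle administrative
# accounts"; these names are illustrative, replace them with your own admin accounts.
WATCHED_ACCOUNTS = {"psadm1", "psadm2", "psadm3", "oracle"}
RANSOM_NOTE = "README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT"  # name given on this page

# Syslog-format OpenSSH failure: "<ts> <host> sshd[pid]: Failed <method> for [invalid user ]<user> from <ip>"
FAILED = re.compile(
    r"^\S+\s+\S+\s+\S+\s+(?P<host>\S+) sshd\[\d+\]: Failed \w+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

# Constructed sample: centrally collected sshd logs from several internal hosts.
SAMPLE_LOG = """\
Jun  9 03:14:01 psapp01 sshd[2101]: Failed password for psadm1 from 10.0.5.20 port 50122 ssh2
Jun  9 03:14:02 psapp02 sshd[1877]: Failed password for invalid user psadm2 from 10.0.5.20 port 50130 ssh2
Jun  9 03:14:03 psdb01 sshd[990]: Failed password for oracle from 10.0.5.20 port 50141 ssh2
Jun  9 03:15:10 psapp01 sshd[2140]: Failed password for oracle from 10.0.9.7 port 41000 ssh2
Jun  9 03:16:00 psapp01 sshd[2150]: Accepted publickey for deploy from 10.0.9.8 port 41022 ssh2
""".splitlines()

def find_internal_spray(lines, min_hosts=3, min_accounts=2):
    """Return {source_ip: (hosts, accounts)} for sources that failed SSH logins with
    watched accounts on at least min_hosts hosts using at least min_accounts names."""
    hosts, accounts = defaultdict(set), defaultdict(set)
    for line in lines:
        m = FAILED.match(line)
        if m and m["user"] in WATCHED_ACCOUNTS:
            hosts[m["src"]].add(m["host"])
            accounts[m["src"]].add(m["user"])
    return {
        src: (sorted(hosts[src]), sorted(accounts[src]))
        for src in hosts
        if len(hosts[src]) >= min_hosts and len(accounts[src]) >= min_accounts
    }

def find_ransom_notes(paths):
    """Return paths whose final component is the ransom note name (case-insensitive)."""
    return [p for p in paths if p.rsplit("/", 1)[-1].upper() == RANSOM_NOTE]

if __name__ == "__main__":
    print(find_internal_spray(SAMPLE_LOG))
    print(find_ransom_notes(["/home/psadm1/" + RANSOM_NOTE, "/opt/app/README.txt"]))
```

A single internal source hitting many hosts is the signal here, so the function needs logs aggregated from all PeopleSoft and database hosts rather than one server's auth log.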
ShinyHunters launches PeopleSoft data theft campaign
ShinyHunters claimed it compromised Oracle PeopleSoft servers at more than 100 organizations and exfiltrated data from roughly 300 instances, with many alleged victims in the education sector. The group said it used a gadget chain involving old and zero-day vulnerabilities, with success depending partly on instance configuration.
Stolen PeopleSoft data published on ShinyHunters leak infrastructure
Archives of data stolen in the PeopleSoft campaign were published on June 9, 2026, on infrastructure linked to the ShinyHunters data leak site. The reference says the exfiltrated data had been compressed with zstd and transferred to that infrastructure before publication.
Sources
13 references tracked.
PeopleSoft 0-day affecting hundreds of organizations steals gigabytes of data - Ars Technica
arstechnica.com
ShinyHunters is actively extorting universities after exploiting an unpatched Oracle flaw | CyberScoop
cyberscoop.com
Faille critique Oracle PeopleSoft : ShinyHunters exploite une 0-d ...
zdnet.fr
Oracle PeopleSoft 0-Day RCE Vulnerability Exploited in Attacks by ShinyHunters - Cyber Security News
cybersecuritynews.com
Oracle warns of security bug that hackers abused to breach 100+ companies | TechCrunch
techcrunch.com
ShinyHunters gang targets Oracle PeopleSoft servers in data theft attacks | brief | SC Media
scworld.com
Oracle PeopleSoft servers hacked in ShinyHunters data theft attacks
bleepingcomputer.com
Cybercriminals claim breach of Oracle PeopleSoft servers at 100-plus organizations | TechCrunch
techcrunch.com


