ShinyHunters used an Oracle PeopleSoft exploit to compromise organizations in the education sector, with exposed attacker infrastructure showing staging materials, customized MeshCentral agents, and command history tied to the intrusions. Public reporting identified five sequential attacker-controlled IP addresses serving open Python SimpleHTTP directories on port 8888, while the operators deployed Windows MeshCentral agents disguised as Microsoft Azure services and configured them to beacon to wss://azurenetfiles.net:443/agent.ashx, a domain crafted to resemble Azure NetApp Files branding.
Google Threat Intelligence Group said more than 100 exposed organizations were notified, and 68% of them were in higher education; some victims later had stolen data posted on the ShinyHunters data leak site. The recovered .bash_history indicated the attackers installed MeshCentral v1.1.59 on May 27, 2026, added the acme-client npm package to automate Let's Encrypt certificates, used meshctrl.js for reconnaissance on compromised systems, examined Oracle PeopleSoft and WebLogic configurations, and then connected outbound over SSH to 176.120.22.24, identified as the public clearnet mirror of the ShinyHunters leak site.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
3 events from the most recent confirmed update back to the earliest known activity.
Public reporting said exploitation of Oracle PeopleSoft CVE-2026-35273 affected more than 100 potentially exposed organizations, with roughly 68% of cases in U.S. higher education, and that several institutions suffered confirmed intrusions and data theft. The report also identified the University of Nottingham as an early public victim and linked the activity cluster to UNC6240/ShinyHunters.
Public threat reporting exposed five sequential attacker-controlled IP addresses hosting open Python SimpleHTTP directories on port 8888, revealing staging materials, customized MeshCentral agents, and attacker command history. The infrastructure used Windows MeshCentral agents disguised as Microsoft Azure services and beaconed to wss://azurenetfiles.net:443/agent.ashx.
An exposed .bash_history showed the attackers installed MeshCentral v1.1.59 on their infrastructure and added the acme-client npm package for Let's Encrypt certificate automation. The same command history indicated use of meshctrl.js for reconnaissance and inspection of Oracle PeopleSoft and WebLogic configurations.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
4 references tracked. Mallory keeps watching after this page renders.
community.gurucul.com
Open sourcehackread.com
Open sourcecloud.google.com
Open sourcecysecurity.news
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.