Mandiant and the Google Threat Intelligence Group (GTIG) have detailed an active global extortion campaign by the ShinyHunters group that concentrated on the education sector. The attackers breached victims through a critical Oracle PeopleSoft vulnerability, tracked as CVE-2026-35273, which allows remote code execution and carries a CVSS score of 9.8. They exploited the flaw against Environment Management Hub (PSEMHUB) endpoints. Because the intrusions predate Oracle's June 10 advisory, the bug was exploited as a zero-day, and a number of universities suffered data breaches as a result.
Targeting the Higher Education Sector
Security researchers initially notified more than 100 organizations worldwide whose IP addresses were observed in the activity and corresponded to potentially vulnerable endpoints. Most of the affected institutions were in the United States, and 68 percent were in higher education, a concentration that points to a deliberate focus on academic data. The attackers went after unpatched enterprise software, which made patching these systems an urgent priority for IT departments. Some organizations blocked the activity before it progressed; others suffered full network compromise.
Analyzing the Attacker Infrastructure
Public reports soon surfaced open directories on the attackers' staging servers, which a security researcher highlighted on social media, and GTIG used them to triage the threat actor's operations. The staging environments hosted customized MeshCentral agents disguised as legitimate cloud tooling, with file names such as meshagent32-azure-ops.exe. The attackers used this remote management tooling to run administrative commands on compromised hosts, then deployed a custom lateral movement shell script, naming it to match an abbreviation of the victim organization.
Extensive Reconnaissance Operations
The exposed command history gives a detailed view of the operators' tradecraft. On May 27, 2026, the attackers installed the acme-client npm package and used it to automate TLS certificate issuance for their masquerading domain, azurenetfiles.net. On compromised hosts they enumerated internal subnet hosts by reading the local hosts file, audited network configuration and active mounts, and inspected WebLogic XML configuration files to map the internal application servers. This reconnaissance gave them a full picture of the target network and set up the lateral movement that followed.
Extortion and Data Leaks
The attackers wrote a propagation script to the temporary directory that sprayed SSH credentials against internal hosts and then copied a defacement marker file into web directories on the systems it reached. The report states, “This campaign directly correlates with subsequent data leaks of stolen organization data published on the ShinyHunters Data Leak Site (DLS) on June 9, 2026.” Before publication, the attackers compressed the exfiltrated directories with zstd; the stolen files included student finance data and billing records. They then opened an outbound SSH connection to their public clearnet mirror and issued victims a final demand for payment. The complete technical breakdown is in the Mandiant and GTIG threat report.
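The SSH credential spraying described above leaves a recognisable footprint when sshd logs from many hosts are aggregated: one internal source address failing against several hosts and several usernames in a short window, sometimes followed by an "Accepted" login from that same source. The following script is an added example written for this article, not tooling from the Mandiant/GTIG report; the log lines are constructed, and the hostnames, usernames, addresses and thresholds are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sshd lines in syslog format (demo data, not taken from the report).
SAMPLE_AUTH_LOG = """\
Jun  5 02:11:03 app01 sshd[4121]: Failed password for root from 10.20.30.11 port 51022 ssh2
Jun  5 02:11:04 app01 sshd[4123]: Failed password for invalid user psadm from 10.20.30.11 port 51024 ssh2
Jun  5 02:11:06 db01 sshd[988]: Failed password for root from 10.20.30.11 port 51030 ssh2
Jun  5 02:11:07 db01 sshd[990]: Failed password for oracle from 10.20.30.11 port 51031 ssh2
Jun  5 02:11:09 batch02 sshd[2210]: Failed password for root from 10.20.30.11 port 51040 ssh2
Jun  5 02:11:10 batch02 sshd[2212]: Accepted password for oracle from 10.20.30.11 port 51041 ssh2
Jun  5 02:15:44 app01 sshd[4301]: Failed password for alice from 10.20.30.88 port 40001 ssh2
Jun  5 02:15:50 app01 sshd[4303]: Accepted publickey for alice from 10.20.30.88 port 40002 ssh2
"""

# Matches both "Failed password for invalid user X" and "Accepted publickey for X".
LINE_RE = re.compile(
    r"^\S+\s+\d+\s+[\d:]+\s+(?P<host>\S+)\s+sshd\[\d+\]:\s+"
    r"(?P<result>Failed|Accepted)\s+(?P<method>password|publickey)\s+for\s+"
    r"(?:invalid user\s+)?(?P<user>\S+)\s+from\s+(?P<src>\S+)\s+port\s+\d+"
)


def detect_ssh_spray(log_text, min_targets=3, min_users=2):
    """Aggregate SSH auth events by source address and flag spray-like fan-out.

    A source is flagged when its failures span at least `min_targets` distinct
    hosts and `min_users` distinct usernames (thresholds are hypothetical).
    Successful logins from a flagged source are reported too, because a hit
    after a spray is the pivot point for lateral movement.
    """
    stats = defaultdict(lambda: {"targets": set(), "users": set(),
                                 "failures": 0, "successes": []})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an auth result line; ignore
        s = stats[m["src"]]
        if m["result"] == "Failed":
            s["failures"] += 1
            s["targets"].add(m["host"])
            s["users"].add(m["user"])
        else:
            s["successes"].append((m["host"], m["user"]))

    flagged = {}
    for src, s in stats.items():
        if len(s["targets"]) >= min_targets and len(s["users"]) >= min_users:
            flagged[src] = {
                "targets": sorted(s["targets"]),
                "users": sorted(s["users"]),
                "failures": s["failures"],
                "successes": s["successes"],
            }
    return flagged


if __name__ == "__main__":
    for src, info in detect_ssh_spray(SAMPLE_AUTH_LOG).items():
        print(src, info)
```

In the sample, 10.20.30.11 fails against three hosts with three usernames and then succeeds on batch02 as oracle, so it is reported with that success attached; 10.20.30.88 is one user failing once on one host and is left alone. Run it against centrally collected sshd logs rather than a single host, since the fan-out is only visible across targets.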
Defending Against the Attack
Administrators should apply the mitigations now. First, disable the Environment Management Hub service, following Oracle's security alert guidance, or remove the PSEMHUB application entirely from single-server configurations. If the service cannot be disabled, block external access to it at the network firewall. For detection, review outbound NetFlow data for SMB traffic from PeopleSoft servers to untrusted destinations, and check the web-tier filesystem for unexpected JSP files, which can indicate a planted web shell. Proactive hardening remains the best defense against extortion operators of this kind.
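The two detection checks above, outbound SMB from PeopleSoft hosts and unexpected JSP files on the web tier, are easy to script. The following is an added example for this article, not code from Oracle or the Mandiant/GTIG report. It assumes a NetFlow export already reduced to CSV, a hypothetical list of PeopleSoft server addresses, and a hypothetical baseline of known JSP files; internal ranges are the RFC 1918 blocks, and the sample flows and the temporary web-root layout are constructed for the demo.

```python
import csv
import io
import ipaddress
import tempfile
from pathlib import Path

# Hypothetical: addresses of the PeopleSoft web/app tier in our environment.
PEOPLESOFT_HOSTS = {"10.20.30.11", "10.20.30.12"}

# Internal ranges. Use an explicit list rather than ipaddress.is_private,
# which also returns True for documentation and other special-purpose ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed NetFlow-style export (demo data): src,dst,dport,proto,bytes
SAMPLE_FLOWS = """src,dst,dport,proto,bytes
10.20.30.11,10.20.30.50,1521,tcp,4096
10.20.30.11,203.0.113.45,445,tcp,9182736
10.20.30.12,10.20.40.7,445,tcp,1200
10.20.30.99,198.51.100.9,445,tcp,500
10.20.30.12,198.51.100.22,445,tcp,72000
"""

# Hypothetical baseline of JSP files expected under the web root.
BASELINE_JSP = {"psp/index.jsp", "psp/signon.jsp"}


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def suspicious_smb_flows(flow_csv, peoplesoft_hosts=PEOPLESOFT_HOSTS):
    """Return (src, dst, bytes) for TCP/445 flows from a PeopleSoft host to a
    destination outside the internal ranges. Internal file-share traffic is skipped."""
    hits = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["src"] not in peoplesoft_hosts:
            continue
        if row["proto"].lower() != "tcp" or int(row["dport"]) != 445:
            continue
        if is_internal(ipaddress.ip_address(row["dst"])):
            continue
        hits.append((row["src"], row["dst"], int(row["bytes"])))
    return hits


def unexpected_jsp_files(webroot, baseline):
    """Return web-root-relative paths of .jsp files (any case) not in the baseline."""
    root = Path(webroot)
    found = {p.relative_to(root).as_posix()
             for p in root.rglob("*")
             if p.is_file() and p.suffix.lower() == ".jsp"}
    return sorted(found - set(baseline))


def build_demo_webroot():
    """Construct a throwaway web-tier layout with one planted JSP (demo data only)."""
    d = tempfile.mkdtemp(prefix="psft-web-")
    for rel in ("psp/index.jsp", "psp/signon.jsp", "cache/s.jsp"):
        path = Path(d) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("<%-- demo --%>\n")
    return d


if __name__ == "__main__":
    for hit in suspicious_smb_flows(SAMPLE_FLOWS):
        print("outbound SMB from PeopleSoft host:", hit)
    for rel in unexpected_jsp_files(build_demo_webroot(), BASELINE_JSP):
        print("unexpected JSP:", rel)
```

The flow check flags only the two PeopleSoft hosts talking to addresses outside the internal ranges, and ignores the third SMB flow because its source is not a PeopleSoft server; the JSP check reports cache/s.jsp because it is not in the baseline. Build the baseline from a known-good deployment or the installation media, and compare file hashes as well as names if the environment allows it, since an attacker can also overwrite an existing JSP.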