UNC6240, tracked publicly as ShinyHunters, is a financially motivated compromise and extortion group with an established pattern of mass exploitation against enterprise software. The group operates a dedicated data leak site (DLS) where stolen data is published to pressure victims into paying. Its latest campaign consisted of active exploitation against organizations running Oracle PeopleSoft, an enterprise resource planning (ERP) software suite acquired by Oracle that helps large organizations manage business processes. Research by Google Threat Intelligence found that more than 100 organizations, 68% of which were universities or colleges, were affected by this campaign. Stolen data appeared on the ShinyHunters DLS one day before Oracle issued its official advisory, confirming the vulnerability was exploited as a zero-day throughout the entire campaign window.
The campaign centered on exploiting CVE-2026-35273 (CVSS 9.8), an unauthenticated remote code execution vulnerability in Oracle PeopleSoft's Environment Management Hub (EMHub). The attack targets two HTTP endpoints, POST requests to /PSEMHUB/hub and /PSIGW/HttpListeningConnector, which are reachable without authentication on internet-exposed PeopleSoft installations. Successful exploitation yields RCE as the PeopleSoft application account. Within minutes of exploitation, operators installed MeshCentral v1.1.59 and acme-client on staging infrastructure. The MeshCentral agents, compiled for both Windows (32-bit and 64-bit) and Linux, used the filename prefix "azure-ops" and beaconed to azurenetfiles[.]net over WSS on port 443, masquerading as legitimate Microsoft Azure NetApp Files traffic. TLS certificates were provisioned automatically via acme-client, giving the C2 infrastructure a valid certificate chain.
Post-exploitation followed a structured sequence driven by a victim-specific shell script named [victim_abbreviation]_fanout.sh, executed remotely via the MeshCentral CLI utility meshctrl.js. The script parsed PeopleSoft configuration files (psappsrv.cfg, WebLogic config.xml, /etc/hosts) to map internal hostnames and IP ranges, then performed SSH credential spraying across the identified hosts using sshpass with hardcoded username and password lists. Hosts that were reached successfully received a defacement marker file propagated over the same SSH channel. Data collected from the compromised environment was compressed with zstd and exfiltrated over an SSH tunnel to the DLS host. The combination of a zero-day exploit, rapid tooling deployment, and a scriptable lateral movement framework allowed UNC6240 to process victim environments at scale before the vulnerability was publicly known.
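A defender-side illustration of two behaviours described above, the azure-ops-named MeshAgent spawning a command interpreter and the sshpass fan-out across many internal hosts, as an added example that is not part of the original report: it runs two detection rules over constructed process telemetry. The event line format, hostnames, addresses, the script name univ_fanout.sh and the spray threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process telemetry (hypothetical line format, not a real EDR schema):
# "<ISO timestamp> host=<name> pid=<n> ppid=<n> cmd=<command line>"
SAMPLE_EVENTS = """\
2026-04-14T02:11:05 host=ps-app01 pid=4101 ppid=1 cmd=/opt/mesh/meshagent64-azure-ops
2026-04-14T02:11:09 host=ps-app01 pid=4122 ppid=4101 cmd=/bin/sh -c ./univ_fanout.sh
2026-04-14T02:11:12 host=ps-app01 pid=4130 ppid=4122 cmd=sshpass -p PLACEHOLDER ssh psadm@10.20.1.11 id
2026-04-14T02:11:13 host=ps-app01 pid=4131 ppid=4122 cmd=sshpass -p PLACEHOLDER ssh psadm@10.20.1.12 id
2026-04-14T02:11:15 host=ps-app01 pid=4132 ppid=4122 cmd=sshpass -p PLACEHOLDER ssh psadm@10.20.1.13 id
2026-04-14T03:40:02 host=ps-web02 pid=911 ppid=880 cmd=sshpass -p PLACEHOLDER ssh backup@10.20.9.5 ls
"""

EVENT_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) pid=(?P<pid>\d+) ppid=(?P<ppid>\d+) cmd=(?P<cmd>.*)$")
AZURE_OPS_AGENT = re.compile(r"meshagent(32|64)?-azure-ops(\.exe)?$", re.IGNORECASE)
SHELLS = ("/bin/sh", "/bin/bash", "sh ", "bash ", "cmd.exe", "powershell")


def parse_events(text):
    events = [m.groupdict() for m in map(EVENT_RE.match, text.splitlines()) if m]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return events


def detect(text, spray_threshold=3, window=timedelta(minutes=5)):
    """Return (rule, host, detail) findings for the two behaviours above."""
    events = parse_events(text)
    by_pid = {(e["host"], e["pid"]): e for e in events}
    findings = []
    # Rule 1: a MeshAgent using the azure-ops naming spawns a command interpreter.
    for e in events:
        parent = by_pid.get((e["host"], e["ppid"]))
        if parent and AZURE_OPS_AGENT.search(parent["cmd"].split(" ", 1)[0]) and e["cmd"].startswith(SHELLS):
            findings.append(("azure_ops_agent_spawns_shell", e["host"], e["cmd"]))
    # Rule 2: sshpass fan-out: many distinct SSH targets from one host inside the window.
    targets = defaultdict(list)
    for e in events:
        m = re.search(r"@(\S+)", e["cmd"]) if e["cmd"].startswith("sshpass") else None
        if m:
            targets[e["host"]].append((e["ts"], m.group(1)))
    for host, hits in targets.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            distinct = {h for t, h in hits[i:] if t - t0 <= window}
            if len(distinct) >= spray_threshold:
                findings.append(("sshpass_credential_spray", host, sorted(distinct)))
                break
    return findings
```

On the constructed sample, ps-app01 triggers both rules while the single sshpass call on ps-web02 stays below the fan-out threshold.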
IOCs (15)
Detections (10)
- JSP Web Shell Written to PeopleSoft PSEMHUB Directory
- PeopleSoft Defacement and Extortion Marker File Deployment
- Oracle PeopleSoft Unauthorized File or Directory in PSEMHUB Transactions
- PeopleSoft Application Server Configuration Reconnaissance
- Renamed MeshAgent Spawning Command Interpreter
- SSHPass Credential Spraying Across Internal Hosts
- Outbound Connection from Internal Host to ShinyHunters Staging or Exfiltration Infrastructure
- XMLDecoder Persistence via Malicious XML in PeopleSoft Environment Data Directory
- MeshCentral Agent Binary with Azure-Ops Naming Convention Detected on Host