ShinyHunters has spent 2026 turning enterprise SaaS and ERP platforms into a serial hunting ground — Salesforce, Workday-adjacent HR systems, and a string of vishing-driven heists. Its latest target is Oracle PeopleSoft, and the entry point was a zero-day that required no credentials at all.

Google’s Mandiant — which tracks the group as UNC6240 — confirmed that ShinyHunters exploited CVE-2026-35273, a critical (CVSS 9.8) unauthenticated remote-code-execution flaw in Oracle PeopleSoft, to break into more than 100 organizations across roughly 300 compromised instances. Oracle issued an out-of-band security advisory with emergency mitigations on June 10, 2026, and the University of Nottingham confirmed a breach a day later. The campaign’s defining feature: 68% of the victims are universities and colleges, the overwhelming majority in the United States.

A front door with no lock

CVE-2026-35273 lives in PeopleSoft’s Environment Management component — specifically the Environment Management Hub (PSEMHUB) endpoint at /PSEMHUB/hub. In Oracle’s own words, the flaw “is remotely exploitable without authentication” and “may result in remote code execution.” No login, no user interaction, just network access to an exposed endpoint.

That last point is what makes higher education such fertile ground. PeopleSoft runs the HR, payroll, and student-administration backbone for a huge swath of universities, and those instances are frequently internet-facing so that students and staff can reach them from anywhere. An unauthenticated RCE bug on an internet-exposed ERP system is close to a worst-case scenario — and ShinyHunters treated it like one.

The affected software spans PeopleTools 8.61 and 8.62, plus older unsupported versions.

Inside the campaign

Mandiant’s forensics lay out a disciplined, repeatable playbook. Staging infrastructure went live as early as May 27, 2026, more than two weeks before disclosure. After exploiting the /PSEMHUB/ endpoint for code execution, the attackers deployed custom MeshCentral remote-management agents disguised as Microsoft Azure NetApp binaries — files like meshagent64-azure-ops.exe beaconing to a command-and-control domain crafted to blend in (azurenetfiles.net). From there they sprayed SSH credentials to move laterally, compressed stolen data with zstd, and exfiltrated it to a leak-site mirror.

Then came the extortion. This is textbook ShinyHunters double-extortion: steal the data, post the victim to a leak site, and publish if the ransom isn’t paid. On June 9, data began appearing on the group’s leak site.

Nottingham: ~455,000 records, passports and disability data included

The first named, confirmed victim is the University of Nottingham in the UK. ShinyHunters listed the university and then published data after apparent non-payment. Reported exposure figures vary by outlet but land around 454,600 records / 455,000 unique email addresses, with the stolen fields including names, addresses, phone numbers, and — far more sensitively — passport numbers, ethnicity data, and disability information.

That category of data is what makes the higher-education angle more than a numbers story. Student systems hold immigration documents, accommodation records, and demographic detail that can fuel identity fraud and targeted harassment long after the breach itself fades from the news.

Two Oracle campaigns, don’t confuse them

It would be easy to file this alongside the Cl0p rampage through Oracle that dominated late 2025 — but they are distinct operations against different products:

  • This campaign: ShinyHunters / UNC6240, Oracle PeopleSoft (PeopleTools), CVE-2026-35273, June 2026.
  • Late 2025: Cl0p, Oracle E-Business Suite, CVE-2025-61882, beginning around September 2025.

Different actor, different Oracle product, different CVE, different timeframe. The connective tissue is that ShinyHunters publicly amplified the Cl0p EBS exploit last October, and both groups orbit the loose “Scattered Lapsus$ Hunters” milieu — but conflating them muddies the response. If you run PeopleSoft, the EBS patch does nothing for you.

What to do now

  • Treat PeopleSoft as compromised until proven otherwise if your /PSEMHUB/ endpoint was internet-reachable during the May 27 – June 9 window. Assume-breach is the correct posture here.
  • Apply Oracle’s out-of-band mitigations for CVE-2026-35273 immediately; confirm full-patch availability through Oracle support and don’t treat the mitigations alone as a permanent fix.
  • Hunt for the IOCs — rogue MeshCentral agents masquerading as Azure NetApp binaries, beacons to azurenetfiles.net, anomalous SSH credential-spraying, and the defacement marker README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT.
  • Get PeopleSoft off the open internet where possible, behind VPN or zero-trust access.
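A starting point for the IOC hunt in the list above, written as an added example rather than code from the article or from Mandiant: it runs simple matchers for the indicators named here (the C2 domain, the disguised MeshCentral agent name, the defacement marker, SSH credential spraying) over constructed sample log lines. The key=value log format and the spraying threshold are assumptions, not any vendor's schema.

```python
import re

# Indicators named in the reporting above; the regex generalises the one agent filename seen.
C2_DOMAIN = "azurenetfiles.net"
ROGUE_AGENT_RE = re.compile(r"meshagent\w*-azure-\w+\.exe", re.IGNORECASE)
MARKER_FILE = "README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT"
SSH_SPRAY_THRESHOLD = 5  # assumed: distinct usernames failing from one source host

# Constructed sample telemetry (not real logs): dns, process, file and sshd events.
SAMPLE_LOGS = """\
dns src=10.20.1.15 query=portal.example.edu
dns src=10.20.1.15 query=azurenetfiles.net
proc host=ps-app01 image=C:\\ProgramData\\AzureNetApp\\meshagent64-azure-ops.exe
proc host=ps-app01 image=C:\\Windows\\System32\\svchost.exe
file host=ps-app01 path=C:\\psft\\README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT
sshd rhost=10.20.1.15 user=oracle result=failed
sshd rhost=10.20.1.15 user=psadm result=failed
sshd rhost=10.20.1.15 user=root result=failed
sshd rhost=10.20.1.15 user=admin result=failed
sshd rhost=10.20.1.15 user=deploy result=failed
sshd rhost=10.20.1.15 user=backup result=failed
sshd rhost=10.20.7.9 user=alice result=accepted
"""

def is_c2_domain(name):
    """Match the C2 domain itself or any subdomain of it, not look-alike suffixes."""
    return name == C2_DOMAIN or name.endswith("." + C2_DOMAIN)

def hunt(log_text):
    """Return (category, evidence) findings for the indicators above in key=value logs."""
    findings = []
    failed_users = {}  # source host -> set of usernames that failed to authenticate
    for line in log_text.splitlines():
        tokens = line.split()
        kind, fields = tokens[0], dict(kv.split("=", 1) for kv in tokens[1:])
        if kind == "dns" and is_c2_domain(fields.get("query", "")):
            findings.append(("c2_beacon", fields["src"]))
        elif kind == "proc" and ROGUE_AGENT_RE.search(fields.get("image", "")):
            findings.append(("rogue_meshagent", fields["image"]))
        elif kind == "file" and fields.get("path", "").upper().endswith(MARKER_FILE):
            findings.append(("defacement_marker", fields["host"]))
        elif kind == "sshd" and fields.get("result") == "failed":
            failed_users.setdefault(fields["rhost"], set()).add(fields["user"])
    # Many distinct usernames failing from one host is the spraying pattern, not one user's typos.
    for rhost, users in failed_users.items():
        if len(users) >= SSH_SPRAY_THRESHOLD:
            findings.append(("ssh_spray", f"{rhost} tried {len(users)} usernames"))
    return findings

if __name__ == "__main__":
    for category, evidence in hunt(SAMPLE_LOGS):
        print(f"{category}: {evidence}")
```

Any hit warrants a full assume-breach investigation of that host rather than just removing the flagged file or process.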

Specific ransom demands haven’t been disclosed, and the 100+ victim figure originates with the attackers’ own claims (corroborated by Mandiant’s notifications). What is not in doubt is the shape of the thing: another internet-facing enterprise platform, another unauthenticated RCE, another ShinyHunters extortion spree — this time with universities, and their students’ most sensitive records, in the crosshairs.
