Targets Education Sector with Oracle PeopleSoft Exploit
Essential information
- Published
- 11/06/2026 23:09
- Modified
- 15/06/2026 19:16
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- cve-2026-35273 data extortion higher education lateral movement meshcentral oracle peoplesoft shinyhunters unc6240 zero-day exploitation
- Tags
- 2026-06-11 CVE-2026-35273 data extortion higher education lateral movement meshcentral oracle peoplesoft shinyhunters unc6240 zero-day exploitation
- Related entities
- 1 vulnerabilities (cve), 8 indicators, 8 observables, 1 intrusion sets (apt), 20 techniques (mitre), 1 malware, 3 others
Description
Between May 27 and June 9, 2026, UNC6240 (ShinyHunters) conducted an active compromise and extortion campaign targeting Oracle PeopleSoft application infrastructure. The threat actor exploited CVE-2026-35273, a critical remote code execution vulnerability (CVSS 9.8) in the Environment Management component, as a zero-day before Oracle's June 10, 2026 advisory. Over 100 organizations were potentially affected, with 68 percent operating in higher education and most based in the United States. Attackers deployed customized MeshCentral agents masquerading as Microsoft Azure services, established C2 infrastructure at azurenetfiles.net, and used lateral movement scripts to propagate across internal networks. The campaign culminated in data exfiltration and publication of stolen data on the ShinyHunters Data Leak Site on June 9, 2026. Compromised systems received defacement markers and extortion notices.