{
  "name": "Targets Education Sector with Oracle PeopleSoft Exploit",
  "slug": "targets-education-sector-with-oracle-peoplesoft-exploit",
  "description": "Between May 27 and June 9, 2026, UNC6240 (ShinyHunters) conducted an active compromise and extortion campaign targeting Oracle PeopleSoft application infrastructure. The threat actor exploited CVE-2026-35273, a critical remote code execution vulnerability (CVSS 9.8) in the Environment Management component, as a zero-day before Oracle's June 10, 2026 advisory. Over 100 organizations were potentially affected, with 68 percent operating in higher education and most based in the United States. Attackers deployed customized MeshCentral agents masquerading as Microsoft Azure services, established C2 infrastructure at azurenetfiles.net, and used lateral movement scripts to propagate across internal networks. The campaign culminated in data exfiltration and publication of stolen data on the ShinyHunters Data Leak Site on June 9, 2026. Compromised systems received defacement markers and extortion notices.",
  "published": "2026-06-11T21:09:39.327000+00:00",
  "created_at": "2026-06-15T19:16:13.677000+00:00",
  "modified_at": "2026-06-15T17:16:13+00:00",
  "created_at_opencti": "2026-06-15T19:16:13.677000+00:00",
  "author": "AlienVault",
  "confidence": 100,
  "report_types": [
    "threat-report"
  ],
  "labels": [
    "cve-2026-35273",
    "data extortion",
    "higher education",
    "lateral movement",
    "meshcentral",
    "oracle peoplesoft",
    "shinyhunters",
    "unc6240",
    "zero-day exploitation"
  ],
  "tags": [
    "2026-06-11",
    "CVE-2026-35273",
    "data extortion",
    "higher education",
    "lateral movement",
    "meshcentral",
    "oracle peoplesoft",
    "shinyhunters",
    "unc6240",
    "zero-day exploitation"
  ],
  "related_entities": {
    "vulnerabilities": [
      {
        "id": "86ae2ab6-ca89-43bf-b396-2fe073eac092",
        "name": "CVE-2026-35273"
      }
    ],
    "indicators": [
      {
        "id": "d20da265-8c30-4ba3-bc03-80038bf3d799",
        "name": "azurenetfiles.net"
      },
      {
        "id": "7dc1d0b9-6c70-4918-89c0-db7a3426423c",
        "name": "d83fdb9e53c5ff03c4cb0451ea1bebd79b53f29eadc1e2fa394c7af13a86ce2f"
      },
      {
        "id": "85a57da1-f068-46d3-8cd1-6c8281877681",
        "name": "2ab684d93c1553fad87041b4dea97188a97e78589deee2a7bacff905564f3a35"
      },
      {
        "id": "c08f0cf4-c461-4319-ac75-d3a513dab53d",
        "name": "176.120.22.24"
      },
      {
        "id": "73c52a6f-5100-4b1f-bc7a-313debc0d4ab",
        "name": "c7e9332731b06644fc73e0046a2a89eaa59b09f54250e9bd622467187351711f"
      },
      {
        "id": "0ad0cefb-f517-4516-a5f4-8851dfbd2e66",
        "name": "f02a924c9ff92a8780ce812511341182c6b509d45bc59f3f7b522e37225d24fc"
      },
      {
        "id": "c3c3f17f-828f-451f-9879-0333cb54d76b",
        "name": "68257a6f9ff196179ec03624e849927f26599eb180a7c82e14ef5bc4e93bc309"
      },
      {
        "id": "a4a93f06-fbae-4e21-b290-6417aa7b4289",
        "name": "http://azurenetfiles.net:443/agent.ashx"
      }
    ],
    "intrusion_sets": [
      {
        "id": "95c07ff9-ba06-4826-9d58-93f5f5ce8fca",
        "name": "UNC6240",
        "slug": "unc6240"
      }
    ],
    "attack_patterns": [
      {
        "id": "f65930b0-5581-4f3d-a367-a86ac78f407b",
        "name": "T1021.004"
      },
      {
        "id": "52279b3d-8158-4964-8c20-9094308fcd03",
        "name": "T1110.001"
      },
      {
        "id": "6ccd4566-e15e-40cf-b7df-4a3f737ce5cd",
        "name": "T1036.005"
      },
      {
        "id": "9f11a241-9abc-4c57-95dd-33955ab08826",
        "name": "T1078"
      },
      {
        "id": "6b5f1e68-aec7-4ea0-9777-62156da790a7",
        "name": "T1069"
      },
      {
        "id": "3eb6d0bc-8d5f-4192-a97e-0a7bbbb5d0a3",
        "name": "T1491"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "e615d5ec-8d67-4048-b21d-a5fb09925bb9",
        "name": "T1552.001"
      },
      {
        "id": "e7d42089-23ed-495f-a2bc-c942c4e56fb7",
        "name": "T1573.002"
      },
      {
        "id": "beaa4978-0309-438b-a45e-ec566b643811",
        "name": "T1505.003"
      },
      {
        "id": "f1bb7823-4f4b-4565-b472-bf0cfca467b1",
        "name": "T1486"
      },
      {
        "id": "5bab4974-1fc2-4144-b093-28ebcb8767dc",
        "name": "T1114"
      },
      {
        "id": "f6ceeba2-b50c-47dc-8642-ab9842ca76d7",
        "name": "T1018"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62",
        "name": "T1190"
      },
      {
        "id": "1584b551-72fb-4f60-ba7a-bdac106e6f9b",
        "name": "T1560.001"
      },
      {
        "id": "2e0c6db7-16a7-4bf6-992e-263474014fce",
        "name": "T1059.004"
      },
      {
        "id": "b9eab970-53dd-4977-9a26-c4fe566e422d",
        "name": "T1133"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "fa3b8b48-d97c-4242-83a6-07d435a5a79e",
        "name": "T1041"
      }
    ],
    "malware": [
      {
        "id": "0765c7b7-ac66-4b44-9258-f2a8d8c9754f",
        "name": "MeshCentral",
        "slug": "meshcentral"
      }
    ],
    "observables": [
      {
        "id": "b3314b6c-d155-4747-b7ff-7048003a2d99",
        "name": "azurenetfiles.net"
      },
      {
        "id": "ecd9dba5-f949-4b27-a73c-ea6dc1b83aa8",
        "name": "176.120.22.24"
      },
      {
        "id": "746adb9d-b5e5-45bc-9667-e1dd4d72d656",
        "name": "http://azurenetfiles.net:443/agent.ashx"
      },
      {
        "id": "",
        "name": "d83fdb9e53c5ff03c4cb0451ea1bebd79b53f29eadc1e2fa394c7af13a86ce2f"
      },
      {
        "id": "",
        "name": "2ab684d93c1553fad87041b4dea97188a97e78589deee2a7bacff905564f3a35"
      },
      {
        "id": "",
        "name": "c7e9332731b06644fc73e0046a2a89eaa59b09f54250e9bd622467187351711f"
      },
      {
        "id": "",
        "name": "f02a924c9ff92a8780ce812511341182c6b509d45bc59f3f7b522e37225d24fc"
      },
      {
        "id": "",
        "name": "68257a6f9ff196179ec03624e849927f26599eb180a7c82e14ef5bc4e93bc309"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "United States of America"
      },
      {
        "id": "",
        "name": "Education"
      },
      {
        "id": "",
        "name": "azurenetfiles.net"
      }
    ]
  },
  "external_refs": [
    {
      "id": "22622e76-70c4-483f-b991-bb6f1d173ef2",
      "standard_id": "external-reference--353aa59b-9c00-5e48-8a9d-5aab2ecb7486",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://otx.alienvault.com/pulse/6a2b24138a34132bc69a0072",
      "hash": null,
      "external_id": "6a2b24138a34132bc69a0072",
      "created": "2026-06-15T19:16:13.584Z",
      "modified": "2026-06-15T19:16:13.584Z",
      "createdById": null
    },
    {
      "id": "49b2a5f9-ef22-4ab5-8251-e3d910608d58",
      "standard_id": "external-reference--efff9b5d-214b-5178-95e3-1cf458166e11",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://cloud.google.com/blog/topics/threat-intelligence/shinyhunters-targets-education-sector-oracle-exploit",
      "hash": null,
      "external_id": null,
      "created": "2026-06-15T19:16:13.613Z",
      "modified": "2026-06-15T19:16:13.613Z",
      "createdById": null
    }
  ]
}