🚨ShinyHunters Launches Sophisticated Attack Campaign Exploiting Oracle PeopleSoft Zero-Day Vulnerability
ShinyHunters exploited a critical Oracle PeopleSoft zero-day (CVE-2026-35273) to target universities and educational institutions. The campaign enabled remote access, data theft, and extortion, exposing over 100 organizations before Oracle released security guidance.
Xcademia Team

Introduction
The cybersecurity landscape continues to evolve at an alarming pace, with threat actors constantly searching for new ways to compromise organizations and steal valuable data. In a recent development, researchers from Google Threat Intelligence Group (GTIG) and Mandiant uncovered an active cyberattack campaign linked to the notorious hacking group ShinyHunters. The attackers exploited a critical zero-day vulnerability in Oracle PeopleSoft systems, targeting educational institutions and potentially exposing sensitive information belonging to thousands of students, faculty members, and staff.
The campaign serves as a stark reminder of the growing threat posed by zero-day vulnerabilities and the increasing sophistication of cybercriminal operations. As organizations continue to rely on enterprise software platforms for critical business functions, vulnerabilities within these systems become attractive entry points for attackers seeking financial gain through data theft and extortion.
Understanding the Threat Actor: ShinyHunters
ShinyHunters is a well-known cybercriminal group that has gained international attention for conducting large-scale data breaches and extortion campaigns. Over the years, the group has been linked to attacks against technology firms, educational institutions, online platforms, and enterprise organizations worldwide.
Unlike traditional hackers who primarily focus on disruption, ShinyHunters is known for targeting valuable datasets that can be monetized. Their activities often involve:
Unauthorized access to enterprise systems
Theft of customer and employee data
Extortion attempts against victim organizations
Publication or sale of stolen information on underground forums
The group's reputation and previous successes have made them one of the most closely monitored cybercriminal organizations by security researchers and law enforcement agencies.

The Oracle PeopleSoft Vulnerability
At the center of the attack campaign is a critical Oracle PeopleSoft vulnerability identified as CVE-2026-35273.
Oracle PeopleSoft is a widely used enterprise application suite that helps organizations manage human resources, finance, payroll, student information systems, and other essential business processes. Because it often contains highly sensitive data, it is a valuable target for cybercriminals.
Key Details of the Vulnerability
| Category | Details |
|---|---|
| Vulnerability ID | CVE-2026-35273 |
| Type | Remote Code Execution (RCE) |
| Severity | Critical |
| CVSS Score | 9.8/10 |
| Impact | Complete System Compromise |
| Status | Exploited as a Zero-Day |
A Remote Code Execution vulnerability allows attackers to execute malicious commands on a targeted server without proper authorization. In practical terms, successful exploitation can provide attackers with near-complete control over the affected system.
What makes this incident particularly concerning is that attackers began exploiting the vulnerability before Oracle publicly disclosed it or released a patch. Such vulnerabilities are known as zero-day vulnerabilities, and they are among the most dangerous threats organizations face because there are no immediate defenses available.

How the Attack Unfolded
According to researchers, the campaign was active between late May and early June 2026. During this period, attackers scanned the internet for vulnerable Oracle PeopleSoft instances and launched exploitation attempts against exposed systems.
The attack chain consisted of several stages:
Initial Access
The attackers first exploited the PeopleSoft vulnerability to gain unauthorized access to internet-facing systems. Since the vulnerability allowed remote code execution, they could run commands directly on compromised servers.
Establishing Persistence
After gaining access, the attackers installed customized remote administration tools designed to maintain long-term control over the environment.
Persistence mechanisms are important because they allow attackers to regain access even if administrators discover and remove some malicious components.
Internal Reconnaissance
Once inside the network, the threat actors conducted extensive reconnaissance activities.
Researchers observed attempts to collect information regarding:
User accounts
Network architecture
Security tools
Administrative privileges
Connected systems
This information helps attackers understand the environment and identify high-value targets.
Lateral Movement
The attackers then moved laterally across the network, expanding their access to additional systems and resources.
Lateral movement is a common tactic used in advanced cyberattacks because compromising a single server rarely provides access to all valuable data.
Data Exfiltration
One of the primary goals of the campaign appeared to be data theft.
Researchers identified activities consistent with:
Collection of sensitive records
Compression of data
Transfer of files to attacker-controlled infrastructure
The stolen information could include student records, employee information, financial documents, and other sensitive institutional data.
Extortion and Data Leak Threats
Evidence suggests that the attackers intended to use stolen data for extortion purposes.
Organizations that refuse to cooperate with extortion demands often face threats of public exposure through data leak websites operated by cybercriminal groups.

Technical Analysis and Detection Guidance
As part of their investigation, Google Threat Intelligence Group (GTIG) and Mandiant provided valuable insights into how organizations can identify potential compromise related to the ShinyHunters campaign. Since attackers exploited a zero-day vulnerability in Oracle PeopleSoft, security teams are encouraged to proactively review logs, inspect server files, and monitor network activity for signs of unauthorized access.
Monitor Suspicious HTTP Requests
One of the first steps in investigating potential exploitation attempts is reviewing web server logs for suspicious requests targeting vulnerable PeopleSoft components.
Example Log Hunting Commands
grep "POST /PSEMHUB/hub" access.log
grep "POST /PSIGW/HttpListeningConnector" access.log
These requests may indicate attempts to interact with vulnerable PeopleSoft services and should be investigated further.
Detecting Unexpected JSP Files
Following successful exploitation, attackers may deploy malicious JSP files that function as web shells, allowing persistent remote access to the compromised server.
Example Command
find /path/to/PSEMHUB.war -name "*.jsp"
Administrators should carefully review any JSP files discovered during the search and verify whether they belong to the official Oracle PeopleSoft installation.
Identifying Recently Modified Files
Threat actors frequently create or modify files after obtaining access to a system.
Example Command
find /path/to/peoplesoft -type f -mtime -30
This command lists files modified within the last 30 days and can help investigators locate suspicious activity.
Monitoring Authentication Logs
Unusual login behavior may indicate compromised credentials or unauthorized access.
Linux Systems
grep "Failed password" /var/log/auth.log
grep "Accepted password" /var/log/auth.log
Windows Systems
Get-WinEvent -LogName Security
Investigators should pay close attention to logins occurring outside standard operating hours or originating from unfamiliar IP addresses.
Searching for Web Shell Indicators
Web shells often contain functions that allow attackers to execute operating system commands remotely.
Example Commands
grep -Ri "Runtime.getRuntime" /path/to/webroot
grep -Ri "ProcessBuilder" /path/to/webroot
The presence of these functions in unexpected locations may warrant further investigation.
Monitoring Outbound Network Connections
Data exfiltration typically generates unusual outbound network traffic.
Example Commands
netstat -antp
ss -tunap
Organizations should review connections to unknown IP addresses and investigate any unusual data transfers.
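As an added example (not code from the original article, nor from GTIG or Mandiant), the following Python script turns two of the hunting steps above into reusable checks: it parses combined-format web server log lines for POSTs to the PeopleSoft endpoints named above, and it scans a set of JSP file contents for the web shell indicator strings. The log lines and JSP contents are constructed sample data, and the log format and result field names are assumptions.

```python
import re

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [02/Jun/2026:03:14:07 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [02/Jun/2026:09:02:11 +0000] "GET /psp/ps/EMPLOYEE/HRMS/h/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Jun/2026:03:14:09 +0000] "POST /PSIGW/HttpListeningConnector?x=1 HTTP/1.1" 200 77 "-" "python-requests/2.31"
192.0.2.9 - - [02/Jun/2026:14:20:00 +0000] "GET /PSEMHUB/hub HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""
# Constructed JSP contents used for the scan demonstration (not Oracle's files).
SAMPLE_JSP_FILES = {
    "PSEMHUB.war/hub/index.jsp": '<%@ page language="java" %><html>Hub status</html>',
    "PSEMHUB.war/hub/.cache.jsp": '<% Object r = Runtime.getRuntime(); %>',
}

# Endpoints and indicator strings named in the hunting guidance above.
SUSPICIOUS_PATHS = ("/PSEMHUB/hub", "/PSIGW/HttpListeningConnector")
WEBSHELL_INDICATORS = ("Runtime.getRuntime", "ProcessBuilder")

# Combined log format: ip ident user [ts] "method path proto" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')


def hunt_peoplesoft_requests(log_text):
    """Return a dict per POST to a suspicious endpoint (query string ignored)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the hunt
        path = m.group("path").split("?", 1)[0]
        if m.group("method") == "POST" and path in SUSPICIOUS_PATHS:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "path": path, "status": int(m.group("status"))})
    return hits


def scan_for_webshell_indicators(jsp_files):
    """Map each JSP path to the indicator strings found in it; clean files are omitted."""
    findings = {}
    for path, contents in jsp_files.items():
        found = [ind for ind in WEBSHELL_INDICATORS if ind in contents]
        if found:
            findings[path] = found
    return findings
```

Running `hunt_peoplesoft_requests(SAMPLE_ACCESS_LOG)` on the constructed lines reports the two POSTs from 203.0.113.5 and ignores the GET to the same path; `scan_for_webshell_indicators(SAMPLE_JSP_FILES)` flags only the hidden `.cache.jsp`.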
Why Educational Institutions Were the Primary Targets
One of the most interesting findings from Google's investigation was the overwhelming focus on the education sector.
Researchers reported that approximately 68% of identified targets were educational institutions.
Why Universities Are Attractive Targets
Educational organizations store massive amounts of sensitive information, including:
Student records
Academic transcripts
Financial aid information
Research data
Employee records
Identity documents
Additionally, universities often manage large and decentralized IT environments consisting of:
Multiple campuses
Thousands of users
Diverse hardware and software systems
Open research networks
These factors can make cybersecurity management significantly more challenging compared to traditional corporate environments.
Valuable Research Data
Many universities conduct cutting-edge research in fields such as:
Artificial Intelligence
Biotechnology
Healthcare
Defense-related technologies
Such information can be highly valuable to cybercriminals and nation-state actors alike.

Potential Impact of the Attack
The consequences of successful exploitation can be severe.
Data Breaches
Organizations may lose control of sensitive personal and institutional data.
This information can later be used for:
Identity theft
Fraud
Phishing attacks
Blackmail
Operational Disruption
Compromised systems can affect day-to-day operations, resulting in:
System outages
Delayed services
Reduced productivity
Financial Losses
The financial impact can include:
Incident response costs
Legal expenses
Regulatory fines
Security upgrades
Reputational Damage
Educational institutions rely heavily on trust. Public disclosure of a cyberattack can damage reputation and affect future enrollment, partnerships, and funding opportunities.

The Growing Threat of Zero-Day Exploits
The ShinyHunters campaign is part of a broader trend involving increased exploitation of zero-day vulnerabilities.
Cybercriminal groups are investing more resources into discovering and purchasing previously unknown vulnerabilities because they provide a significant advantage over defenders.
Recent years have seen a steady rise in attacks involving:
Enterprise software
Cloud infrastructure
Identity management systems
Remote access technologies
Security experts warn that organizations should assume that sophisticated attackers may eventually bypass traditional defenses and should focus on rapid detection and response capabilities.
Recommended Security Measures
Cybersecurity experts recommend several immediate actions for organizations using Oracle PeopleSoft.
Apply Security Updates
Organizations should deploy Oracle's latest patches as quickly as possible.
Conduct Threat Hunting
Security teams should proactively search for indicators of compromise within their environments.
Strengthen Authentication
Implementing Multi-Factor Authentication (MFA) can significantly reduce the risk of unauthorized access.
Restrict External Access
Organizations should limit internet exposure of critical administrative systems whenever possible.
Monitor Logs and Alerts
Continuous monitoring helps identify suspicious activity before attackers can achieve their objectives.
Review Incident Response Plans
Every organization should have a tested incident response strategy capable of handling sophisticated attacks.
Lessons for the Cybersecurity Community
This incident highlights several important cybersecurity lessons:
Critical vulnerabilities can emerge without warning.
Attackers increasingly target enterprise applications.
Educational institutions remain attractive targets.
Early detection is as important as prevention.
Continuous monitoring is essential for modern cybersecurity.
Organizations that rely solely on patching may still be vulnerable during the window between vulnerability discovery and patch deployment.

Conclusion
The discovery of the ShinyHunters campaign targeting Oracle PeopleSoft users underscores the growing complexity of modern cyber threats. By exploiting a critical zero-day vulnerability, attackers were able to compromise organizations before security updates became available, demonstrating the effectiveness of advanced attack techniques.
The heavy focus on educational institutions further highlights the value cybercriminals place on sensitive academic and personal information. As cyber threats continue to evolve, organizations must adopt a proactive security posture that combines vulnerability management, threat intelligence, continuous monitoring, and rapid incident response.
The incident serves as a powerful reminder that cybersecurity is no longer just an IT concern—it is a critical business and organizational priority that affects every sector of society.
Source: Google Cloud