ShinyHunters Exploits Oracle PeopleSoft Zero-Day CVE-2026-35273
Mandiant and Google Threat Intelligence Group (GTIG) have issued an urgent warning about an active exploitation campaign targeting Oracle PeopleSoft infrastructure, attributing the attacks to UNC6240, publicly known as ShinyHunters.
The group exploited a critical zero-day remote code execution vulnerability, CVE-2026-35273 (CVSS 9.8), before Oracle published its security advisory on June 10, 2026, making every successful intrusion during the campaign window a confirmed zero-day attack.
Active exploitation was observed between May 27 and June 9, 2026, with attackers targeting the Environment Management Hub (PSEMHUB) endpoints within Oracle PeopleSoft’s Environment Management component.
GTIG notified over 100 global organizations whose IP addresses correlated with potentially vulnerable endpoints. Approximately 68 percent of affected organizations were higher education institutions, universities, and colleges, primarily based in the United States.
The campaign surfaced after security researcher @nahamike01 on X disclosed open attacker directories on staging servers, enabling GTIG to perform detailed triage of ShinyHunters’ operational infrastructure.
ShinyHunters deployed staging infrastructure across five sequential IP addresses, 142.11.200.186 through 142.11.200.190, running Python SimpleHTTP servers on port 8888 to host payloads.
The attackers then deployed customized MeshCentral remote management agents disguised as legitimate Microsoft Azure services.
Agent binaries meshagent32-azure-ops.exe, meshagent64-azure-ops.exe, and meshagent64-v2.exe were hardcoded to beacon to a C2 server at wss://azurenetfiles[.]net:443/agent.ashx.
The domain deliberately mimics Microsoft Azure NetApp Files to evade detection. MeshCentral setup began on May 27 at 22:14 UTC, with SSL certificate automation via acme-client following eleven minutes later.

Using MeshCentral’s CLI utility meshctrl.js, attackers executed reconnaissance commands on compromised hosts, reading psappsrv.cfg, inspecting WebLogic config.xml files, and enumerating internal mount points and /etc/hosts entries to map Oracle PeopleSoft configurations.
ShinyHunters then deployed a custom propagation script [victim_abbreviation]_fanout.sh that automated SSH credential spraying against internal PeopleSoft nodes parsed from /etc/hosts.
Upon successful authentication, the script planted an extortion marker file named README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT in WebLogic and Process Scheduler directories.
Exfiltrated data was compressed using zstd before the attackers concluded operations by establishing an SSH connection to 176.120.22.24, the public mirror of the ShinyHunters Data Leak Site. Stolen data from multiple victims was published to the DLS on June 9, 2026.
Mitigation
Oracle recommends disabling the EMHub service in multi-server configurations or removing the PSEMHUB application entirely in single-server deployments.
Organizations unable to disable EMHub should immediately block external access to /PSEMHUB/* and /PSIGW/HttpListeningConnector at the firewall or network perimeter; WAF body-inspection rules alone are insufficient.
Security teams should:
- Audit PIA WebLogic access logs for POST requests to /PSEMHUB/hub from external IPs
- Scan the PSEMHUB.war/ directory for unauthorized .jsp webshells
- Monitor outbound SMB traffic (TCP 445) from PeopleSoft servers as a potential indicator of NetNTLM hash coercion
- Treat unexpected directories named logs, persistantstorage, or scratchpad under PSEMHUB paths as compromise indicators
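A defender-side check for the log-audit, webshell-scan and indicator-directory items above, written as an added example that is not from the Mandiant/GTIG report: it flags POST requests to /PSEMHUB/hub from non-RFC 1918 sources in constructed common-log-format lines, and walks an exploded PSEMHUB.war tree for unexpected .jsp files and the named indicator directories. The PIA access-log layout, the internal address ranges and the set of legitimate .jsp names are assumptions to adjust per deployment.

```python
import ipaddress
import re
from pathlib import Path

# Common-log-format pattern; the real PIA WebLogic access.log layout may differ (assumption).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# RFC 1918 ranges treated as internal; replace with the deployment's own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Directory names the advisory lists as compromise indicators under PSEMHUB paths.
SUSPECT_DIRS = {"logs", "persistantstorage", "scratchpad"}

def is_external(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # an unparsable source field is itself worth a look
    return not any(addr in net for net in INTERNAL_NETS)

def find_external_hub_posts(log_lines):
    """Return (ip, timestamp, status) for POST /PSEMHUB/hub requests from external IPs."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if m["method"] == "POST" and m["path"].startswith("/PSEMHUB/hub") and is_external(m["ip"]):
            hits.append((m["ip"], m["ts"], int(m["status"])))
    return hits

def find_suspect_artifacts(psemhub_root: Path, known_jsps=frozenset()):
    """List unexpected .jsp files and indicator directories under an exploded PSEMHUB.war tree."""
    findings = []
    for p in psemhub_root.rglob("*"):
        if p.is_dir() and p.name.lower() in SUSPECT_DIRS:
            findings.append(("suspect_dir", str(p)))
        elif p.is_file() and p.suffix.lower() == ".jsp" and p.name not in known_jsps:
            findings.append(("unexpected_jsp", str(p)))
    return findings

# Constructed sample log lines (documentation-range addresses), not real traffic.
SAMPLE_LOG = [
    '10.20.30.40 - - [03/Jun/2026:14:01:07 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 5120',
    '203.0.113.77 - - [03/Jun/2026:14:02:11 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 312',
    '192.168.5.9 - - [03/Jun/2026:14:02:30 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 298',
    '198.51.100.23 - - [03/Jun/2026:14:03:02 +0000] "GET /PSEMHUB/hub HTTP/1.1" 200 298',
]
```

Point `find_suspect_artifacts` at the exploded PSEMHUB.war directory with the set of .jsp names shipped by the installed PeopleTools release as `known_jsps`.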
Indicators of Compromise (IOCs)
| Indicator | Type | Category | Description |
|---|---|---|---|
| 142.11.200.186–190 | IP Address | Staging & C2 | Attacker staging servers |
| azurenetfiles[.]net | Domain | C2 Network | C2 masquerading as Microsoft Azure NetApp Files |
| meshagent64-azure-ops.exe | File Hash | Staging Payload | Pre-configured Windows agent — f02a924c9ff92a8780ce812511341182c6b509d45bc59f3f7b522e37225d24fc |
| meshagent64-v2.exe | File Hash | Staging Payload | Pre-configured Windows agent — d83fdb9e53c5ff03c4cb0451ea1bebd79b53f29eadc1e2fa394c7af13a86ce2f |
| meshagent32-azure-ops.exe | File Hash | Staging Payload | Pre-configured Windows agent — c7e9332731b06644fc73e0046a2a89eaa59b09f54250e9bd622467187351711f |
| meshagent (Linux) | File Hash | Staging Payload | Unconfigured Linux agent — 68257a6f9ff196179ec03624e849927f26599eb180a7c82e14ef5bc4e93bc309 |
| .bash_history | File Hash | Attacker Artifact | Attacker command history — 2ab684d93c1553fad87041b4dea97188a97e78589deee2a7bacff905564f3a35 |
| README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT | Filename | Extortion Marker | Dropped post-lateral movement |
| [victim_abbreviation]_fanout.sh | Filename | Attacker Artifact | Lateral movement propagation script |
Note: All IP addresses and domains are intentionally defanged to prevent accidental resolution. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.