Targets Education Sector with Oracle PeopleSoft Exploit

Between May 27 and June 9, 2026, UNC6240 (ShinyHunters) conducted an active compromise and extortion campaign targeting Oracle PeopleSoft application infrastructure. The threat actor exploited CVE-2026-35273, a critical remote code execution vulnerability (CVSS 9.8) in the Environment Management component, as a zero-day before Oracle's June 10, 2026 advisory. Over 100 organizations were potentially affected, with 68 percent operating in higher education and most based in the United States. Attackers deployed customized MeshCentral agents masquerading as Microsoft Azure services, established C2 infrastructure at azurenetfiles.net, and used lateral movement scripts to propagate across internal networks. The campaign culminated in data exfiltration and publication of stolen data on the ShinyHunters Data Leak Site on June 9, 2026. Compromised systems received defacement markers and extortion notices.

Pulse ID: 6a2b24138a34132bc69a0072
Pulse Link: https://otx.alienvault.com/pulse/6a2b24138a34132bc69a0072
Pulse Author: AlienVault
Created: 2026-06-11 21:09:39

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Azure #CyberSecurity #Education #Extortion #InfoSec #Microsoft #NET #OTX #OpenThreatExchange #RAT #RCE #RemoteCodeExecution #UnitedStates #Vulnerability #ZeroDay #bot #AlienVault