A highly coordinated cyberattack campaign targeting the higher education sector has been attributed to the notorious threat actor group ShinyHunters. The attack exploited a previously unknown zero-day vulnerability in Oracle PeopleSoft, allowing attackers to gain full control over affected systems and resulting in widespread data theft, extortion, and public data leaks.

The campaign, which took place between late May and early June 2026, impacted over 100 organizations, with approximately 68% being academic institutions in the United States. The exploitation of CVE-2026-35273, a critical remote code execution vulnerability (CVSS 9.8) in the Environment Management component of Oracle PeopleSoft, enabled unauthenticated attackers to execute arbitrary code as the application user.

What Happened

The attack chain began with the identification of internet-exposed PeopleSoft instances, specifically those running vulnerable versions of the PSEMHUB component. The attackers exploited CVE-2026-35273 by sending crafted POST requests to /PSEMHUB/hub or /PSIGW/HttpListeningConnector, achieving arbitrary code execution as the application user.

Upon successful exploitation, ShinyHunters deployed a customized variant of the MeshCentral remote access tool, masquerading as legitimate Azure services. The malicious agents communicated with a command-and-control (C2) infrastructure hosted at azurenetfiles.net over WebSocket Secure (wss://azurenetfiles.net:443/agent.ashx). The attackers used the MeshCentral CLI (meshctrl.js) to run administrative command queries and deploy a custom lateral movement and defacement script, [victim_abbreviation]_fanout.sh.
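As an added example, not part of the original report or of Mandiant's guidance, the following Python script scans web-access and proxy log lines for the request paths and C2 endpoint named above; the log formats, the sample addresses and the trusted-source allowlist are assumptions, and the log lines are constructed.

```python
import re

# Indicators as reported above (request paths and C2 endpoint).
EXPLOIT_PATHS = ("/PSEMHUB/hub", "/PSIGW/HttpListeningConnector")
C2_HOST = "azurenetfiles.net"
C2_PATH = "/agent.ashx"
# Hypothetical allowlist of integration partners that legitimately POST to PSIGW.
TRUSTED_SOURCES = {"10.20.0.15"}

# Assumed formats: Apache/Nginx combined access log and a simple "ts src action url" proxy log.
ACCESS_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
PROXY_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<action>\S+) (?P<url>\S+)')

# Constructed sample log lines (documentation/test addresses only).
ACCESS_LOG = """\
203.0.113.7 - - [28/May/2026:02:14:09 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512 "-" "python-requests/2.31"
10.20.0.15 - - [28/May/2026:02:15:00 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 1024 "-" "Java/17"
198.51.100.9 - - [28/May/2026:02:16:41 +0000] "POST /PSIGW/HttpListeningConnector?x=1 HTTP/1.1" 200 734 "-" "curl/8.4"
192.0.2.44 - - [28/May/2026:02:17:03 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 8820 "-" "Mozilla/5.0"
""".splitlines()

PROXY_LOG = """\
2026-05-28T02:20:11Z 10.1.4.22 CONNECT wss://azurenetfiles.net:443/agent.ashx
2026-05-28T02:20:30Z 10.1.4.23 GET https://login.microsoftonline.com/common/oauth2/v2.0/token
""".splitlines()

def scan_access_log(lines):
    """Return (src, path, status) for POSTs to the PeopleSoft endpoints from non-allowlisted sources."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]  # drop query string before matching
        if path.startswith(EXPLOIT_PATHS) and m["src"] not in TRUSTED_SOURCES:
            hits.append((m["src"], path, int(m["status"])))
    return hits

def scan_proxy_log(lines):
    """Return (src, url) for outbound connections to the reported C2 host or MeshCentral agent path."""
    hits = []
    for line in lines:
        m = PROXY_RE.match(line)
        if m and (C2_HOST in m["url"] or m["url"].endswith(C2_PATH)):
            hits.append((m["src"], m["url"]))
    return hits

if __name__ == "__main__":
    for hit in scan_access_log(ACCESS_LOG):
        print("possible CVE-2026-35273 exploitation attempt:", hit)
    for hit in scan_proxy_log(PROXY_LOG):
        print("possible MeshCentral C2 beacon:", hit)
```

Legitimate integration partners also POST to /PSIGW/HttpListeningConnector, so treat unlisted sources as leads for triage rather than confirmed exploitation.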

Background and Context

ShinyHunters is a prolific financially motivated cybercriminal group, first emerging in 2020 and known for high-profile data breaches, extortion, and the sale of stolen data on underground forums and dedicated leak sites. The group operates with a hybrid model, combining ransomware-style extortion with data theft and public shaming.

The exploitation of CVE-2026-35273 is consistent with ShinyHunters' tactics, techniques, and procedures (TTPs), which include rapid exploitation of newly discovered vulnerabilities, advanced lateral movement techniques, and a preference for targeting sectors with high-value personal and financial data. The group's operations are marked by the use of custom tooling, obfuscation, and a willingness to exploit zero-day vulnerabilities.

Why it Matters to the Industry

The ShinyHunters campaign highlights the increasing sophistication of threat actors in leveraging zero-day vulnerabilities against critical enterprise applications. The exploitation of CVE-2026-35273 demonstrates the importance of robust vulnerability management and incident response capabilities, particularly for organizations running Oracle PeopleSoft.

For adult-industry platforms and operators, this attack serves as a reminder of the need to prioritize cybersecurity measures, including regular vulnerability scanning, patching, and penetration testing. The use of MeshCentral agents masquerading as legitimate cloud endpoints also underscores the importance of monitoring network traffic for suspicious activity and implementing robust access controls.

What Comes Next

The ShinyHunters campaign has significant implications for organizations running Oracle PeopleSoft, particularly in the higher education sector. In light of this attack, these organizations should act immediately to defend themselves against similar attacks in the future.

Mandiant and Google Threat Intelligence Group (GTIG) recommend that organizations running Oracle PeopleSoft take the following immediate actions: implement additional authentication checks, restrict access to sensitive components, and monitor network traffic for suspicious activity. Additional remediation and hardening guidance is included in the Mandiant blog post.

Key Facts

  • The ShinyHunters campaign targeted over 100 organizations, with approximately 68% being academic institutions in the United States.
  • The attack exploited CVE-2026-35273, a critical remote code execution vulnerability (CVSS 9.8) in the Environment Management component of Oracle PeopleSoft.
  • ShinyHunters deployed a customized variant of the MeshCentral remote access tool, masquerading as legitimate Azure services.
  • The attackers used the MeshCentral CLI to run administrative command queries and deploy a custom lateral movement and defacement script.
  • Mandiant and Google Threat Intelligence Group (GTIG) recommend that organizations running Oracle PeopleSoft take immediate action to defend themselves against similar attacks in the future.