Mandiant: 68% of Targets Were Higher Ed Institutions Running PeopleSoft (@chrisriotta) • June 15, 2026
The hacking group ShinyHunters exploited a zero-day vulnerability in Oracle PeopleSoft in an active extortion campaign impacting more than 100 organizations globally.
Researchers at Mandiant and Google's Threat Intelligence Group attributed the ongoing campaign to the financially motivated threat group in a blog post published Thursday. Researchers said they observed the activity between May 27 and June 9 and notified more than 100 organizations whose IP addresses matched potentially vulnerable endpoints, with the majority of targets operating in the higher education sector.
Sixty-eight percent of the organizations Mandiant alerted were academic institutions, including universities and colleges worldwide. Several successfully blocked the activity or remediated the vulnerability, but some experienced compromise that resulted in stolen data being published on the ShinyHunters data leak site on June 9.
The campaign exploited a remote code execution vulnerability tracked as CVE-2026-35273, found within the environment management component of Oracle PeopleSoft. The flaw, which carries a CVSS score of 9.8, allowed the attackers to achieve remote code execution without authentication, providing a direct path into the affected application infrastructure.
The vulnerability was used as a zero-day for the full duration of the campaign. According to the researchers, Oracle published an advisory only after the activity began, one day after stolen data from affected organizations first appeared on the ShinyHunters leak site.
ShinyHunters is a financially motivated group with a history of large-scale data theft and extortion targeting organizations across a wide variety of sectors (see: Wave of ShinyHunters Extortion Drives Surge in Data Leaks).
Mandiant said the group deployed customized MeshCentral remote management agents disguised as authentic Microsoft Azure services to blend in with enterprise environments.
Researchers gained visibility into the full scope of attacker operations after a security researcher identified open directories on five sequential staging server IP addresses. The command history showed attackers used the MeshCentral tool to run administrative queries on compromised endpoints and identify additional application servers within victim networks.
ShinyHunters has focused its extortion operations on organizations that hold large volumes of potentially sensitive personal data, like schools and universities. The group previously leaked data stolen from Harvard and the University of Pennsylvania as part of earlier shakedown efforts targeting higher education (see: Harvard, UPenn Data Leaked in ShinyHunters Shakedown).
Mandiant urged organizations running Oracle PeopleSoft to immediately block external access to vulnerable endpoints and to audit WebLogic access logs for suspicious requests originating from external IP addresses. Researchers also recommended scanning the PSEMHUB web application directory for unexpected JSP files and reviewing filesystem paths for any unauthorized activity.
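The two checks Mandiant recommends can be scripted. The sketch below is an added example, not code from Mandiant or Oracle. It assumes the WebLogic access log is in Common Log Format, that hub requests carry "PSEMHUB" in the URI, and that the listed networks are the internal ranges; the log lines and paths are constructed.

```python
import ipaddress
import re
from pathlib import Path
from urllib.parse import unquote

# Assumption: WebLogic writes access.log in Common Log Format (client IP first).
CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                 r'"(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})\b')
# Assumption: requests to the hub carry "PSEMHUB" in the URI path.
HUB_MARKER = "/psemhub"
# Assumption: adjust to the address space your organization treats as internal.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_external(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # unparsable client field: surface it for review
    return not any(addr in net for net in INTERNAL_NETS)

def external_hub_requests(lines):
    """Return (timestamp, ip, method, uri, status) for external PSEMHUB requests."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        # Decode percent-encoding so an encoded path still matches the marker.
        if m and HUB_MARKER in unquote(m["uri"]).lower() and is_external(m["ip"]):
            hits.append((m["ts"], m["ip"], m["method"], m["uri"], int(m["status"])))
    return hits

def unexpected_jsp(webapp_dir, baseline):
    """Return JSP files under webapp_dir whose relative path is not in baseline."""
    root = Path(webapp_dir)
    return sorted(p.relative_to(root).as_posix() for p in root.rglob("*")
                  if p.is_file() and p.suffix.lower() in {".jsp", ".jspx"}
                  and p.relative_to(root).as_posix() not in baseline)

# Constructed sample lines (documentation IP ranges, placeholder URIs).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jun/2026:03:14:07 +0000] "POST /PSEMHUB/placeholder HTTP/1.1" 200 512',
    '10.20.30.40 - - [01/Jun/2026:03:15:00 +0000] "GET /PSEMHUB/placeholder HTTP/1.1" 200 128',
    '198.51.100.9 - - [01/Jun/2026:03:16:00 +0000] "GET /placeholder/login HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for hit in external_hub_requests(SAMPLE_LOG):
        print("review:", hit)
```

If a load balancer or reverse proxy fronts WebLogic, the first log field is the proxy address, so run the same filter over the proxy's logs instead. Build the `baseline` set from a known-good deployment of the same PeopleTools version.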
























