An active compromise and extortion campaign has been identified targeting Oracle PeopleSoft application infrastructure. The activity ran from May 27 to June 9, 2026, with exploitation beginning before the vendor disclosed the flaw, so defenders had no patch while the attacks were under way. More than 100 organizations worldwide were targeted, most of them in the United States and 68% in the higher education sector. Stolen data was subsequently published on the threat actor's Data Leak Site (DLS).
Severity: Critical
Campaign Summary

Attack Timeline
| Date (UTC) | Event |
| --- | --- |
| May 27, 22:14 | Staging infrastructure stood up: MeshCentral v1.1.59 installed; Let's Encrypt TLS certificate automated for the masquerading domain azurenetfiles[.]net |
| May 29, 18:46 | Binary signing tooling checked (`npm list global authenticode`), suggesting signed payload delivery was planned |
| May 27 – Jun 8 | Active exploitation of PSEMHUB endpoints; internal recon; lateral movement via `[victim]_fanout.sh`; data compressed with zstd and exfiltrated |
| Jun 9 | Stolen data published on the ShinyHunters DLS; attacker SSH'd to the DLS mirror at 176.120.22[.]24; open staging directories discovered by @nahamike01 |
| Jun 10 | Oracle publishes its security advisory for CVE-2026-35273, one day after the data leak |
TTPs
| Tactic | Technique observed |
| --- | --- |
| Initial access | RCE via CVE-2026-35273 — unauthenticated POST to /PSEMHUB/hub |
| C2 masquerading | MeshCentral agents named meshagent*-azure-ops.exe, C2 via wss://azurenetfiles[.]net:443/agent.ashx |
| Internal recon | Parsed psappsrv.cfg, config.xml, /etc/hosts and mount points to map PeopleSoft infrastructure |
| Lateral movement | SSH credential spraying via sshpass with hardcoded user/password lists; fallback to key-based auth |
| Persistence / defacement | Webshells (.jsp) dropped under PSEMHUB.war; README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT planted in WebLogic directories |
| SSRF chaining | Requests to /PSIGW/HttpListeningConnector carrying loopback IPs to bypass access controls |
| NetNTLM capture | Coerced outbound SMB (TCP 445) from PeopleSoft hosts to capture machine-account hashes |
| Exfiltration | Staged data compressed with zstd and uploaded to the ShinyHunters DLS via SSH |
| XMLDecoder persistence | Modified .xml files in /envmetadata/data/environment/ for RCE on application restart |
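The initial-access and SSRF rows above describe request patterns that are visible in the PIA WebLogic access log. The script below is an added example written for this advisory, not code from the advisory's sources, Google, or Oracle. It parses WebLogic's default Common Log Format access.log and tags the three things an analyst looks for: POSTs to /PSEMHUB/hub or /PSIGW/HttpListeningConnector from outside the organization's own address space, hits on either endpoint that originate from loopback (a server-side request hitting the box itself), and request targets that embed 127.0.0.1 or localhost. The internal network list and the log lines are constructed for illustration; extend INTERNAL_NETS with your own public ranges before running it. If a load balancer fronts PIA, the first log field holds the balancer's address, so log X-Forwarded-For (extended log format) and feed that value as the client instead.

```python
"""Triage a PIA WebLogic access log for the PSEMHUB / PSIGW patterns in the advisory.

Added example, not from the advisory or Oracle. Assumes WebLogic's default
Common Log Format access.log. Behind a load balancer the first field is the
balancer's address: log X-Forwarded-For and substitute it for the client.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# Endpoints named in the advisory. Everything else in the log is ignored.
WATCHED_PATHS = ("/PSEMHUB/hub", "/PSIGW/HttpListeningConnector")

# Strings in a request target that point the gateway back at itself (SSRF).
LOOPBACK_MARKERS = ("127.0.0.1", "localhost", "[::1]", "0.0.0.0")

# Address space treated as "inside": RFC 1918, loopback, link-local.
# Assumption for the example; add your own public ranges (VPN egress, campus blocks).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

# Common Log Format: client ident authuser [timestamp] "METHOD target PROTO" status bytes
CLF = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<bytes>\S+)'
)


def parse_clf(line: str) -> Optional[Dict[str, str]]:
    """Split one CLF line into its fields; None for lines that do not match."""
    m = CLF.match(line.strip())
    return m.groupdict() if m else None


def is_external(addr: str) -> bool:
    """True when the address lies outside INTERNAL_NETS (unparseable -> False)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def is_loopback(addr: str) -> bool:
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def classify(rec: Dict[str, str]) -> List[str]:
    """Tags for one parsed record; an empty list means nothing to look at."""
    target = rec["target"]
    path = target.split("?", 1)[0]
    if not any(path == p or path.startswith(p + "/") for p in WATCHED_PATHS):
        return []
    tags = []
    # External-IP POSTs to either endpoint. Internal POSTs are deliberately
    # not flagged here; compare those against the hosts that legitimately run
    # EMF agents, since post-compromise lateral hits come from inside.
    if rec["method"] == "POST" and is_external(rec["client"]):
        tags.append("external-post")
    # SSRF indicators: the request arrived from the host itself, or the target
    # carries a loopback address meant to make the gateway call itself.
    if is_loopback(rec["client"]):
        tags.append("loopback-source")
    if any(marker in target.lower() for marker in LOOPBACK_MARKERS):
        tags.append("loopback-in-request")
    return tags


def triage(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per flagged line, in file order."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        rec = parse_clf(line)
        if rec is None:
            continue
        tags = classify(rec)
        if tags:
            findings.append({"line": lineno, "client": rec["client"], "target": rec["target"],
                             "status": rec["status"], "tags": tags})
    return findings


# Constructed sample lines, not from a real incident. 203.0.113.0/24 is a
# documentation range standing in for an attacker address.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Jun/2026:02:11:09 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 1843
10.20.30.40 - - [05/Jun/2026:02:11:15 +0000] "GET /psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT HTTP/1.1" 200 24810
127.0.0.1 - - [05/Jun/2026:02:12:40 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 512
203.0.113.7 - - [05/Jun/2026:02:13:02 +0000] "POST /PSIGW/HttpListeningConnector?host=127.0.0.1 HTTP/1.1" 200 640
10.20.30.41 - - [05/Jun/2026:02:14:00 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 300
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for f in triage(text):
        print(f"line {f['line']}: {f['client']} {f['target']} {f['status']} -> {', '.join(f['tags'])}")
```

Run it as `python triage_psemhub.py /path/to/access.log`; with no argument it processes the constructed sample, flagging lines 1, 3 and 4 and leaving the ordinary portal GET and the internal POST alone. A loopback-sourced hit is not proof of SSRF on its own, because components co-located on the web tier may legitimately call the gateway; baseline those callers first, then treat anything else as suspect.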
Data at Risk (per DLS Post)
Billing and payment records, credit card details, student financial data, campus portal exports, payer contact information, transaction amounts, IP addresses, full names, home addresses, postcodes, email addresses, phone numbers, dates of birth and internal campus data, totalling more than 190 GB compressed.
Recommendations
- Deploy Oracle's Security Alert patch for CVE-2026-35273.
- Older, unsupported PeopleTools releases may carry the same vulnerable components and will not receive the fix; if you run one, upgrade to a supported, patched release immediately.
- Audit PIA WebLogic access logs for POST requests to /PSEMHUB/hub and /PSIGW/HttpListeningConnector from external IPs. Treat requests that arrive from, or reference, loopback addresses (127.0.0.1, localhost) as possible Server-Side Request Forgery (SSRF) until ruled out.
- Alert on outbound TCP 445 (SMB) from PeopleSoft hosts to external IPs. A PeopleSoft server has no business speaking SMB to the internet; the connection indicates an attempted NetNTLM hash coercion.
- Remove the PSEMHUB application (single-server deployments) or disable the EMHub service (multi-server deployments). If neither is possible, block /PSEMHUB/* and /PSIGW/HttpListeningConnector at the firewall or perimeter; WAF request-body inspection alone is insufficient.
- Check PSEMHUB.war for unexpected .jsp files that are not part of the shipped product.
- Inspect …/PSEMHUB.war/envmetadata/transactions/ for unauthorized folders, files, or binary drops.
- Look for unexpected directories named logs, persistantstorage, or scratchpad under the PSEMHUB directories.
- Check /envmetadata/data/environment/ for recently created or modified .xml files.
- Block the IOCs at their respective controls. The IOC collection is published at https://www.virustotal.com/gui/collection/3d425ca4300cf14e4a1af21d226aac99627567079711dedaec5d761d37765e99/iocs
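The four file-system checks above (unexpected .jsp files, drops under envmetadata/transactions/, stray logs/persistantstorage/scratchpad directories, recently modified .xml under envmetadata/data/environment/) can be run as one pass over the exploded PSEMHUB.war. The script below is an added example written for this advisory, not Oracle tooling. The directory layout follows the paths quoted above; the baseline list of shipped .jsp files is an assumption you must populate from a clean install at the same PeopleTools patch level (it is empty by default so that every .jsp is reported until you do), and the 30-day window is a parameter. The mock tree it builds for its demonstration is constructed, not a real deployment.

```python
"""Single-pass hunt over an exploded PSEMHUB.war for the artefacts named in the
advisory's recommendations. Added example, not Oracle tooling. Directory names
follow the paths quoted in the advisory; the .jsp baseline must be taken from a
clean install at the same PeopleTools patch level (assumption: supplied by you).
"""
import os
import sys
import tempfile
import time
from pathlib import Path
from typing import Dict, Iterable, List, Optional

SUSPECT_DIR_NAMES = {"logs", "persistantstorage", "scratchpad"}  # spelling as observed
TRANSACTIONS_DIR = Path("envmetadata") / "transactions"
ENVIRONMENT_DIR = Path("envmetadata") / "data" / "environment"


def _under(rel_dir: Path, parent: Path) -> bool:
    """True if rel_dir is parent or lies beneath it."""
    return rel_dir == parent or parent in rel_dir.parents


def hunt_psemhub(war_root: str, baseline_jsps: Iterable[str],
                 xml_window_days: int = 30, now: Optional[float] = None) -> Dict[str, List[str]]:
    """Walk war_root once; return sorted war-relative paths per finding class.

    unexpected_jsp      .jsp files absent from the baseline (webshell candidates)
    transactions_drops  everything under envmetadata/transactions/ (review all of it)
    suspect_dirs        directories named logs / persistantstorage / scratchpad
    recent_env_xml      .xml under envmetadata/data/environment/ modified inside the window
    mtime is a hint only: attackers can timestomp, so also diff the XML against a clean copy.
    """
    root = Path(war_root)
    now = time.time() if now is None else now
    cutoff = now - xml_window_days * 86400
    baseline = {Path(p).as_posix() for p in baseline_jsps}
    findings: Dict[str, List[str]] = {
        "unexpected_jsp": [], "transactions_drops": [], "suspect_dirs": [], "recent_env_xml": []}
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        rel_dir = here.relative_to(root)
        for d in dirnames:
            if d.lower() in SUSPECT_DIR_NAMES:
                findings["suspect_dirs"].append((rel_dir / d).as_posix())
        for name in filenames:
            rel = (rel_dir / name).as_posix()
            lower = name.lower()
            if lower.endswith(".jsp") and rel not in baseline:
                findings["unexpected_jsp"].append(rel)
            if _under(rel_dir, TRANSACTIONS_DIR):
                findings["transactions_drops"].append(rel)
            if lower.endswith(".xml") and _under(rel_dir, ENVIRONMENT_DIR):
                try:
                    mtime = (here / name).stat().st_mtime
                except OSError:
                    continue  # vanished or unreadable; keep hunting
                if mtime >= cutoff:
                    findings["recent_env_xml"].append(rel)
    for paths in findings.values():
        paths.sort()
    return findings


DEMO_NOW = 1_800_000_000.0  # fixed clock so the demo is reproducible


def build_demo_tree(base: str, now: float = DEMO_NOW) -> str:
    """Constructed mock of an exploded PSEMHUB.war (not a real deployment)."""
    root = Path(base) / "PSEMHUB.war"
    for d in (TRANSACTIONS_DIR / "x", ENVIRONMENT_DIR, Path("WEB-INF"), Path("scratchpad")):
        (root / d).mkdir(parents=True, exist_ok=True)
    (root / "index.jsp").write_text("<%-- shipped page --%>")   # present in the baseline
    (root / "cmd.jsp").write_text("<%-- dropped file --%>")     # webshell stand-in
    (root / TRANSACTIONS_DIR / "x" / "drop.bin").write_bytes(b"\x00")
    old, new = root / ENVIRONMENT_DIR / "old.xml", root / ENVIRONMENT_DIR / "new.xml"
    old.write_text("<java/>")
    new.write_text("<java/>")
    os.utime(old, (now - 90 * 86400,) * 2)  # untouched for months
    os.utime(new, (now - 3600,) * 2)        # modified an hour ago
    return str(root)


def demo() -> Dict[str, List[str]]:
    """Run the hunt against the constructed tree with index.jsp as the only baseline entry."""
    with tempfile.TemporaryDirectory() as tmp:
        return hunt_psemhub(build_demo_tree(tmp), ["index.jsp"], xml_window_days=30, now=DEMO_NOW)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        baseline = [l.strip() for l in open(sys.argv[2]) if l.strip()] if len(sys.argv) > 2 else []
        result = hunt_psemhub(sys.argv[1], baseline)
    else:
        result = demo()
    for kind, paths in result.items():
        for p in paths:
            print(f"{kind}\t{p}")
```

Usage: `python hunt_psemhub.py /path/to/PSEMHUB.war baseline_jsps.txt`, where the baseline file lists war-relative .jsp paths from a clean install; without arguments it runs against the constructed tree and reports cmd.jsp, the drop under transactions/, the scratchpad directory and only the recently modified XML.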
Sources:
- https://cloud.google.com/blog/topics/threat-intelligence/shinyhunters-targets-education-sector-oracle-exploit
- https://www.oracle.com/security-alerts/alert-cve-2026-35273.html