Google: ShinyHunters Hit 100+ Orgs in PeopleSoft Zero‑Day; 68% Were US Universities

For cybersecurity professionals, the PeopleSoft zero‑day is a stark reminder that ERP systems are not just back‑office utilities—they are prime extortion targets. ShinyHunters’ methodical campaign, leveraging custom MeshCentral agents and lateral movement scripts, illustrates a growing trend of attackers treating enterprise applications like data goldmines. With Oracle’s patch still missing, understanding the attack chain and the group’s shifting focus toward education is critical for defense.

In a concerning development for enterprise security, Google has officially confirmed that the ShinyHunters hacker group exploited a critical zero-day vulnerability in Oracle PeopleSoft between May 27 and June 9, 2026. The flaw, tracked as CVE-2026-35273, allows unauthenticated remote code execution and affects PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62, as well as PeopleSoft Enterprise Applications. Oracle released an out-of-band security advisory on June 11 but, notably, has only provided mitigations rather than a complete patch, heightening the urgency for thousands of organizations globally. The attacks focused disproportionately on the higher education sector, with Google notifying more than 100 global organizations of potential compromise, 68% of which were universities and colleges in the United States. The University of Nottingham is the first confirmed victim. This incident underscores the persistent threat posed by financially motivated cybercriminal groups and the growing risk to ERP systems that house sensitive HR, payroll, and financial data.

“

In a concerning development for enterprise security, Google has officially confirmed that the ShinyHunters hacker group exploited a critical zero-day vulnerability in Oracle PeopleSoft between May 27 and June 9, 2026.

PeopleSoft is a cornerstone of enterprise operations for large organizations, managing everything from employee records to supply chain logistics. The unauthenticated RCE nature of CVE-2026-35273 means that attackers can gain initial access without any credentials, making it particularly dangerous for internet-facing systems. ShinyHunters, designated UNC6240 by Google’s Threat Intelligence Group, is notorious for high‑volume data theft and extortion campaigns, previously targeting Salesforce customers in a similar fashion. The group’s claim of compromising approximately 300 PeopleSoft instances across 100 organizations suggests a well‑coordinated, automated attack campaign. Mandiant’s incident response teams corroborated the exploitation, with CTO Charles Carmakal issuing warnings about the zero‑day activity.

Technical details from Mandiant and Google’s joint research reveal a sophisticated attack chain. After gaining access via the zero‑day, threat actors deployed customized MeshCentral agents masquerading as legitimate cloud endpoints, which enabled persistent remote access and administrative command execution. They then used a custom lateral movement and defacement script named [victim_abbreviation]_fanout.sh to propagate within victim environments, indicating an intent not only to exfiltrate data but also to potentially disrupt operations or leave a visible calling card. The staging environments and use of legitimate remote management tools obscured malicious traffic, evading many traditional security controls.

The targeting of the education sector is notable. Universities often manage large, complex PeopleSoft implementations for student information, human resources, and financial management, yet they frequently operate with limited cybersecurity budgets and legacy infrastructure. Publicly, ShinyHunters hinted at the stolen data being used for extortion, a recurring modus operandi that involves threatening to leak sensitive personal and financial records unless a ransom is paid. For institutions that fall under regulations like GDPR or FERPA, such breaches can incur massive fines and reputational damage.