Oracle PeopleSoft zero‑day fuels ShinyHunters extortion spree


A newly disclosed Oracle PeopleSoft zero-day became the weapon of choice in a recent ShinyHunters extortion campaign that primarily targeted universities and other educational institutions.

Attackers exploited the critical remote code execution (RCE) flaw in PeopleSoft’s Environment Management component that Oracle started warning customers about on June 10, 2026. In an advisory, the company urged immediate patching, with no indication that the flaw was being actively exploited.

Google Cloud’s threat intelligence team (GTIG) said the attack unfolded between May 27 and June 9, before Oracle publicly acknowledged the issue. Google said it notified more than 100 organizations whose internet-facing systems appeared potentially exposed, with 68% of identified targets belonging to the higher education sector.

“While several organizations successfully blocked the activity or remediated the vulnerabilities, others experienced compromise, resulting in stolen data being published on the ShinyHunters DLS (Data Leak Site),” GTIG said in a blog post.

Oracle did not immediately respond to CSO’s request for comment.

ShinyHunters, or groups trying to use their name, reportedly posted downloadable evidence of the attack on their DLS on June 9. The post claimed the compromised data included “over 40 GB of billing and payment records, credit card and payment details, student finance data, and campus portal exports.”

In a follow-up post on June 11, the attackers threatened to leak the data if the victims they had contacted did not respond within “the deadline.”

James Davison, chief strategy officer at Pathlock, said the incident reflects an evolving threat landscape. “The Oracle PeopleSoft breach is an example of the new kind of attacks every ERP will face in today’s new agentic world,” he said, pointing to the ease of attacks in the AI era. “Companies need to reassess their ERP security and controls and adapt, because they are exposed.”

PeopleSoft flaw gave attackers a head start

The campaign relied on CVE-2026-35273, a critical vulnerability in Oracle PeopleSoft’s Environment Management component that carries a CVSS score of 9.8 out of 10 and allows unauthenticated RCE on vulnerable internet-facing systems.

According to Oracle’s advisory, the vulnerability affects PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62, and mitigations are only available for supported versions. Customers running earlier versions, which could also be affected by the flaw, were advised to upgrade to a supported version.

After exploiting CVE-2026-35273 to gain initial access, the attacker moved to establish persistence and maintain remote control over compromised systems. Google researchers observed UNC6240, a cluster associated with ShinyHunters, deploying a customized version of the MeshCentral open-source remote monitoring and management (RMM) platform, disguised as legitimate Microsoft Azure services.

“(MeshCentral) agent is software that runs on remote devices to allow for remote management across various operating systems, including Windows, Linux, macOS, and FreeBSD,” the researchers said. “Static analysis indicates these agents were hardcoded to establish communication with the command and control (C2) server wss://azurenetfiles.net:443/agent.ashx.”

Once installed, the tool allowed operators to execute commands remotely and continue interacting with infected environments.

Attackers left the lights on

Part of Google’s investigation was aided by operational mistakes made by the attackers themselves. The campaign first drew broader attention after a security researcher, known on X as @nahamike01, reported discovering internet-exposed infrastructure from the operation.

“ShinyHunters exposed several directories revealing ongoing targeting of PeopleSoft environments,” the researcher said in an X post. “Also visible were staging materials, including MeshCentral agents, and a defacement and credential spray script.”

Google said the exposed attacker directories highlighted by @nahamike01 helped its team analyse their contents, including staging materials, customized agents, and attacker command histories. The directories were exposed across five sequential IP addresses (142.11.200[.]186-190), making them the primary indicators of compromise (IOCs).

Google urged organizations to apply Oracle’s fixes for CVE-2026-35273 and review PeopleSoft deployments for indicators associated with the campaign. The researchers further advised organizations to investigate privileged access, enable comprehensive logging, and strengthen monitoring for unauthorized MeshCentral installations.

“This attack shows that traditional perimeter security and IdP-level authentication are necessary, but not sufficient,” Davison said. “Modern ERP security requires a layered approach that combines preventive controls, continuous monitoring, and visibility into user activity. The visibility into user activity is key here; behavioral monitoring to spot exceptions isn’t a ‘nice to have’ anymore.”
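As an added illustration of the review Google recommends (this is not code from the article, GTIG, or Oracle), the Python script below sweeps constructed proxy, EDR and firewall log lines for the indicators the article cites: the MeshCentral C2 host azurenetfiles.net and the 142.11.200.186-190 address range. The key=value log format, the sample lines and the MeshAgent process-name heuristic are assumptions made for the example.

```python
import ipaddress
import re
# Indicators as reported in the article (GTIG blog post and @nahamike01 findings).
C2_HOST = "azurenetfiles.net"  # MeshCentral C2: wss://azurenetfiles.net:443/agent.ashx
IOC_LOW, IOC_HIGH = (int(ipaddress.ip_address(a)) for a in ("142.11.200.186", "142.11.200.190"))
AGENT_NAME = re.compile(r"mesh(agent|central)", re.IGNORECASE)  # process-name heuristic; an assumption
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # constructed key=value log format

def parse_log_line(line):
    """Parse a constructed '<ts> <source> key=value ...' line; None if malformed."""
    parts = line.split(" ", 2)
    if len(parts) < 3:
        return None
    event = {"ts": parts[0], "source": parts[1]}
    event.update((k, v.strip('"')) for k, v in KV.findall(parts[2]))
    return event

def in_ioc_range(ip_text):
    try:  # hostnames or empty strings are simply not in the range
        return IOC_LOW <= int(ipaddress.ip_address(ip_text)) <= IOC_HIGH
    except ValueError:
        return False

def match_indicators(event):
    """Return the indicator names an event matches (empty list if clean)."""
    hits = []
    if any(C2_HOST in event.get(f, "").lower() for f in ("host", "url", "query")):
        hits.append("c2-host")
    if in_ioc_range(event.get("dst", "")):
        hits.append("ioc-ip-range")
    if AGENT_NAME.search(event.get("proc", "")):
        hits.append("meshcentral-agent")
    return hits

def scan_logs(lines):
    """Return [(line_no, hits)] for every parseable line matching at least one indicator."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        event = parse_log_line(line)
        if event and (hits := match_indicators(event)):
            findings.append((line_no, hits))
    return findings

# Constructed sample log lines (not real telemetry); the first three should trigger.
SAMPLE_LOGS = [
    '2026-06-02T10:14:03Z proxy src=10.1.5.20 dst=142.11.200.188 url="wss://azurenetfiles.net:443/agent.ashx"',
    '2026-06-02T10:15:41Z edr computer=ps-app01 proc="C:\\Program Files\\Mesh Agent\\MeshAgent.exe" user=SYSTEM',
    '2026-06-02T10:16:00Z fw src=10.1.5.21 dst=142.11.200.186 action=allow',
    '2026-06-02T10:17:22Z proxy src=10.1.5.22 dst=20.190.160.5 url="https://login.microsoftonline.com/"',
]
```

Running scan_logs(SAMPLE_LOGS) flags the C2 WebSocket connection, the agent binary and the firewall hit on the IOC range while leaving the genuine Microsoft sign-in traffic alone; the same matcher can be pointed at exported proxy or EDR data once the parser is adapted to that product's format.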