Post by Mandiant (part of Google Cloud)


🚨 An active extortion campaign attributed to UNC6240 (ShinyHunters) is targeting Oracle PeopleSoft application infrastructure. The threat actors exploited CVE-2026-35273, a critical remote code execution vulnerability (CVSS 9.8) in the Environment Management component, as a zero-day prior to Oracle's June 10, 2026, advisory.

Our analysis indicates this campaign heavily targets the higher education sector, which comprised 68 percent of the organizations we notified.

UNC6240 utilized customized MeshCentral agents masquerading as legitimate Microsoft Azure services to establish command and control. The attackers:

• Conducted targeted internal reconnaissance
• Mapped Oracle PeopleSoft configurations
• Deployed a custom lateral movement script to automate SSH credential spraying and propagate defacement markers across internal hosts
• Compressed and exfiltrated stolen data to the ShinyHunters Data Leak Site

🔒 Immediate Defensive Action Required: Organizations should immediately disable the Environment Management Hub (EMHub) service or completely remove the PSEMHUB application. Note that restricting these endpoints is non-breaking for standard end-user operations.

Get our full technical analysis, command history breakdown, and comprehensive remediation guidance here: https://goo.gle/4xoXdEy
