CVE-2026-35273
June 12, 2026

Active Exploitation of Oracle PeopleSoft Environment Management

Security Advisory
Kudelski Security Team

Summary

Security researchers have identified an active exploitation and extortion campaign attributed to the threat actor UNC6240 (ShinyHunters) targeting Oracle PeopleSoft infrastructure. The campaign exploits CVE-2026-35273, a critical Remote Code Execution (RCE) vulnerability (CVSS 9.8) affecting the Environment Management component (EMHub/PSEMHUB).

The attacks were observed between 27 May 2026 and 9 June 2026, prior to Oracle's public advisory, indicating zero-day exploitation. Successful compromises have resulted in unauthorized remote access, internal reconnaissance, lateral movement, data theft, and publication of stolen data on the ShinyHunters Data Leak Site (DLS).

Organizations operating Oracle PeopleSoft environments should treat this vulnerability as critical and implement immediate mitigation measures.

Affected Systems and/or Applications

The following systems are considered at risk:

  • Oracle PeopleSoft deployments with the Environment Management Hub (EMHub/PSEMHUB) enabled.
  • PeopleSoft Internet Architecture (PIA) servers exposing:
    • /PSEMHUB/*
    • /PSEMHUB/hub
    • /PSIGW/HttpListeningConnector
  • Oracle WebLogic servers hosting PeopleSoft applications.
  • Multi-server and single-server PeopleSoft deployments where EMHub is enabled or externally accessible.
  • Organizations with internet-accessible PeopleSoft administrative interfaces, particularly those not yet patched against CVE-2026-35273 (affected versions: PeopleSoft Enterprise PeopleTools 8.61 and 8.62).

Technical Details

The primary attack vector focuses on externally accessible Environment Management Hub (PSEMHUB) endpoints, particularly /PSEMHUB/hub, as well as the /PSIGW/HttpListeningConnector endpoint. Successful exploitation enables attackers to gain unauthorized code execution capabilities on vulnerable PeopleSoft servers, providing an initial foothold into the target environment.

Following successful compromise, the attackers establish persistence by deploying customized MeshCentral agents disguised as legitimate Microsoft Azure-related services. These binaries use filenames such as meshagent32-azure-ops.exe and meshagent64-azure-ops.exe to blend into enterprise environments and are configured to communicate with attacker-controlled command-and-control (C2) infrastructure hosted at azurenetfiles.net, a domain intentionally designed to mimic legitimate Microsoft Azure NetApp services. The deployed agents enable remote administration capabilities, allowing the attackers to execute commands and maintain persistent access to compromised systems.

Once persistence has been established, the threat actors perform extensive internal reconnaissance to identify valuable systems and map the PeopleSoft infrastructure. This activity includes inspecting Process Scheduler configuration files (psappsrv.cfg), reviewing WebLogic configuration files (config.xml), examining mounted filesystems, identifying internal network hosts through /etc/hosts, and collecting system and network configuration details. These reconnaissance activities enable attackers to understand the architecture of the victim environment and identify opportunities for lateral movement.

The campaign also demonstrates sophisticated lateral movement capabilities through the deployment of a custom propagation script named [victim_abbreviation]_fanout.sh. The script automates SSH-based credential spraying against internally discovered hosts using predefined administrative usernames and passwords. Upon successful authentication, it copies a defacement and extortion marker file named README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT into multiple PeopleSoft WebLogic and Process Scheduler directories across the environment. The script also verifies successful propagation by remotely checking for the presence of the deployed marker files, effectively enabling automated distribution throughout the compromised infrastructure.

In parallel with lateral movement, the attackers prepare collected data for exfiltration by compressing stolen files and directories using zstd compression utilities before transferring them outside the victim environment. Analysis of the exposed attacker infrastructure indicates outbound connections to systems hosting the public mirror of the ShinyHunters Data Leak Site (DLS), where victim data was subsequently published as part of extortion operations.

Investigation of exposed attacker staging infrastructure further revealed evidence of carefully prepared command-and-control operations, including installation of MeshCentral version 1.1.59, automated provisioning of TLS certificates through Let's Encrypt, deployment of preconfigured remote management agents, and the use of command-line utilities to execute administrative commands across compromised endpoints. The infrastructure also contained attacker command histories documenting reconnaissance activities, configuration mapping, propagation script deployment, and exfiltration preparation, providing strong evidence of an organized and systematic intrusion methodology.

Indicators of Compromise (IOCs)

Network Indicators

  • 142.11.200.186
  • 142.11.200.187
  • 142.11.200.188
  • 142.11.200.189
  • 142.11.200.190
  • azurenetfiles.net

Known Malicious Files

  • meshagent32-azure-ops.exe
  • meshagent64-azure-ops.exe
  • meshagent64-v2.exe
  • meshagent
  • README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT
  • [victim_abbreviation]_fanout.sh

Notable Behaviors

  • HTTP POST requests to /PSEMHUB/hub
  • HTTP POST requests to /PSIGW/HttpListeningConnector
  • Unexpected .jsp files within the PSEMHUB.war directory
  • Unauthorized files under envmetadata/transactions/
  • Unexpected logs, persistantstorage, or scratchpad directories
  • Recently created or modified XML files under envmetadata/data/environment/
  • Outbound SMB (TCP 445) connections from PeopleSoft servers to external destinations
  • Suspicious outbound SSH connections and compressed archive creation for data exfiltration

Mitigation

Organizations should immediately implement the following defensive measures:

1. Disable or Restrict EMHub

  • Disable the Environment Management Hub (EMHub) where operationally feasible.
  • For single-server deployments, remove the PSEMHUB application if recommended by Oracle.
  • If disabling is not possible, block external access to:
    • /PSEMHUB/*
    • /PSEMHUB/hub
    • /PSIGW/HttpListeningConnector

2. Apply Oracle Security Updates

  • Immediately apply Oracle's security updates addressing CVE-2026-35273.
  • Ensure all supported systems receive the latest Critical Patch Updates (CPU) and Security Alerts.

3. Review Logs

Inspect PIA WebLogic access logs for:

  • External HTTP POST requests to /PSEMHUB/hub
  • Requests to /PSIGW/HttpListeningConnector
  • SSRF indicators involving:
    • 127.0.0.1
    • localhost
    • ::1
    • Internal IP address ranges
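The log review above can be scripted. The following is an added example written for this advisory, not code from Kudelski Security or Oracle. It assumes the PIA WebLogic access log is in WebLogic's default common-log-format layout (source, identity, user, timestamp, request line, status, bytes); the log lines are constructed, with the two external source addresses taken from the advisory's IOC list and the 10.20.30.x hosts standing in for an internal range. It flags external POSTs to /PSEMHUB/hub, any request to /PSIGW/HttpListeningConnector, loopback or internal-range hosts appearing in a request URL, and any source that matches the advisory's IOC IPs.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample lines in the common-log-format layout WebLogic uses by default.
# 142.11.200.186/187 are IOC addresses from the advisory; 10.20.30.x is a made-up
# internal range used for contrast.
SAMPLE_LOG = """\
142.11.200.186 - - [05/Jun/2026:02:14:07 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512
10.20.30.40 - - [05/Jun/2026:02:15:11 +0000] "GET /psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT HTTP/1.1" 200 8831
142.11.200.187 - - [05/Jun/2026:02:16:42 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 210
142.11.200.187 - - [05/Jun/2026:02:17:03 +0000] "GET /PSEMHUB/hub?target=http://127.0.0.1:8000/ HTTP/1.1" 200 77
10.20.30.41 - - [05/Jun/2026:02:18:00 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 300
10.20.30.42 - - [05/Jun/2026:02:19:25 +0000] "GET /PSEMHUB/hub?url=http://[::1]/ HTTP/1.1" 500 0
"""

# Network IOCs listed in the advisory.
IOC_SOURCES = {"142.11.200.186", "142.11.200.187", "142.11.200.188",
               "142.11.200.189", "142.11.200.190"}

# source ident user [timestamp] "METHOD path protocol" status bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def is_external(src: str) -> bool:
    """True when the source is outside private, loopback and link-local space."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return True  # hostname or malformed field: surface it for review
    return not (ip.is_private or ip.is_loopback or ip.is_link_local)


def ssrf_indicators(path: str) -> List[str]:
    """Return loopback/internal host tokens found in the request path or query."""
    hits = []
    low = path.lower()
    for token in ("localhost", "::1"):
        if token in low:
            hits.append(token)
    for quad in re.findall(r"\d{1,3}(?:\.\d{1,3}){3}", path):
        try:
            ip = ipaddress.ip_address(quad)
        except ValueError:
            continue
        if ip.is_loopback or ip.is_private:
            hits.append(quad)
    return hits


def review_access_log(text: str) -> List[Dict]:
    """Return one finding per log line that matches any of the advisory's log indicators."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        src, method, path = m["src"], m["method"], m["path"]
        route = path.split("?", 1)[0]
        reasons = []
        if method == "POST" and route == "/PSEMHUB/hub" and is_external(src):
            reasons.append("external POST to /PSEMHUB/hub")
        if route == "/PSIGW/HttpListeningConnector":
            reasons.append("request to /PSIGW/HttpListeningConnector")
        ssrf = ssrf_indicators(path)
        if ssrf:
            reasons.append("SSRF indicator in request: " + ", ".join(ssrf))
        if src in IOC_SOURCES:
            reasons.append("source IP in advisory IOC list")
        if reasons:
            findings.append({"src": src, "ts": m["ts"], "method": method,
                             "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_access_log(SAMPLE_LOG):
        print(f["ts"], f["src"], f["method"], f["path"])
        for r in f["reasons"]:
            print("   -", r)
```

On the sample, four of the six lines produce findings; the internal POST to /PSEMHUB/hub from 10.20.30.41 is deliberately not flagged, because the advisory's indicator is external POSTs, so a site whose EMHub agents legitimately post from internal hosts keeps a low false-positive rate. Point `review_access_log` at the real access log text (or iterate over rotated files) and feed the findings into your ticketing or SIEM pipeline.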

4. Perform Host-Based Hunting

Inspect PeopleSoft servers for:

  • Unexpected .jsp files under:
    • <PS_CFG_HOME>/webserv/<domain>/applications/peoplesoft/PSEMHUB.war/
  • Unauthorized content in:
    • PSEMHUB.war/envmetadata/transactions/
  • Unexpected directories such as:
    • logs
    • persistantstorage
    • scratchpad
  • Newly created or modified XML files under:
    • envmetadata/data/environment/
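The host-based checks above map onto a single directory walk. The following is an added example written for this advisory, not Kudelski Security's or Oracle's tooling. `hunt_psemhub` takes the path of the exploded PSEMHUB.war (on a real server, <PS_CFG_HOME>/webserv/<domain>/applications/peoplesoft/PSEMHUB.war/ as listed above) and a lookback timestamp, and reports any .jsp file, any file under envmetadata/transactions/, the directory names the advisory calls out, and XML files under envmetadata/data/environment/ modified inside the lookback window. `build_sample_tree` and `demo` create a constructed copy of that layout in a temporary directory so the script can be run offline; the file names inside it are placeholders, not real indicators.

```python
import os
import tempfile
import time
from pathlib import Path
from typing import List, Tuple

# Directory names the advisory calls out as unexpected inside PSEMHUB.war
# ("persistantstorage" is spelled as the advisory lists it).
SUSPECT_DIRS = {"logs", "persistantstorage", "scratchpad"}


def hunt_psemhub(war_dir: str, since_epoch: float) -> List[Tuple[str, str]]:
    """Walk an exploded PSEMHUB.war and return (category, relative path) findings."""
    war = Path(war_dir).resolve()
    transactions = war / "envmetadata" / "transactions"
    env_data = war / "envmetadata" / "data" / "environment"
    findings = []
    for path in sorted(war.rglob("*")):
        rel = path.relative_to(war).as_posix()
        if path.is_dir():
            if path.name in SUSPECT_DIRS:
                findings.append(("unexpected-directory", rel))
            continue
        if path.suffix.lower() == ".jsp":
            findings.append(("unexpected-jsp", rel))
        if transactions in path.parents:
            findings.append(("transactions-content", rel))
        if (env_data in path.parents and path.suffix.lower() == ".xml"
                and path.stat().st_mtime >= since_epoch):
            findings.append(("recent-environment-xml", rel))
    return findings


def build_sample_tree(root: str, old_epoch: float, new_epoch: float) -> str:
    """Create a constructed PSEMHUB.war layout with one example of each finding."""
    war = Path(root) / "PSEMHUB.war"
    (war / "WEB-INF").mkdir(parents=True)
    (war / "WEB-INF" / "web.xml").write_text("<web-app/>")       # legitimate, not flagged
    (war / "envmetadata" / "transactions").mkdir(parents=True)
    (war / "envmetadata" / "transactions" / "dropped.bin").write_bytes(b"\x00")
    env = war / "envmetadata" / "data" / "environment"
    env.mkdir(parents=True)
    baseline = env / "baseline.xml"
    baseline.write_text("<env/>")
    os.utime(baseline, (old_epoch, old_epoch))                   # old: outside the window
    injected = env / "injected.xml"
    injected.write_text("<env/>")
    os.utime(injected, (new_epoch, new_epoch))                   # recent: flagged
    (war / "cmd.jsp").write_text("constructed placeholder")      # any .jsp is flagged
    (war / "scratchpad").mkdir()                                 # suspect directory name
    return str(war)


def demo(lookback_days: int = 7) -> List[Tuple[str, str]]:
    """Build the sample tree in a temp dir and hunt it with the given lookback window."""
    now = time.time()
    root = tempfile.mkdtemp(prefix="psemhub-hunt-")
    war = build_sample_tree(root, old_epoch=now - 90 * 86400, new_epoch=now)
    return hunt_psemhub(war, since_epoch=now - lookback_days * 86400)


if __name__ == "__main__":
    for category, rel in demo():
        print(f"{category:24} {rel}")
```

With the default seven-day window the sample tree yields four findings (the .jsp file, the transactions content, the scratchpad directory and the recently modified environment XML); widening the window to a year also surfaces the 90-day-old baseline XML, which is the knob to turn when the intrusion window is uncertain. Comparing the .jsp list against a known-good WAR from Oracle's distribution removes any files the product legitimately ships.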
