ShinyHunters Targets Education Sector with Oracle PeopleSoft Exploit

    Date: 06/15/2026

    Severity: Medium

    Summary

    ShinyHunters exploited the critical zero-day vulnerability CVE-2026-35273 in Oracle PeopleSoft's Environment Management component to compromise organizations, with a strong focus on the higher education sector. Between late May and early June 2026, the attackers gained remote code execution on vulnerable systems, deployed customized MeshCentral agents disguised as legitimate Microsoft Azure services for persistent access and lateral movement, and stole sensitive data from affected organizations. The campaign impacted over 100 potentially vulnerable organizations, around 68% of which were in education, and culminated in the publication of stolen data on the ShinyHunters data leak site as part of an extortion operation.

    Indicators of Compromise (IOC) List 

    Domains/URLs

    azurenetfiles.net

    IP Address

    142.11.200.186

    142.11.200.187

    142.11.200.188

    142.11.200.189

    142.11.200.190

    Hash

    2ab684d93c1553fad87041b4dea97188a97e78589deee2a7bacff905564f3a35

    f02a924c9ff92a8780ce812511341182c6b509d45bc59f3f7b522e37225d24fc

    d83fdb9e53c5ff03c4cb0451ea1bebd79b53f29eadc1e2fa394c7af13a86ce2f

    c7e9332731b06644fc73e0046a2a89eaa59b09f54250e9bd622467187351711f

    68257a6f9ff196179ec03624e849927f26599eb180a7c82e14ef5bc4e93bc309

    File names

    README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT

    _fanout.sh

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection 

    Detection Query 1 :

    domainname like "azurenetfiles.net" or url like "azurenetfiles.net" or siteurl like "azurenetfiles.net"

    Detection Query 2 :

    dstipaddress IN ("142.11.200.186","142.11.200.187","142.11.200.188","142.11.200.189","142.11.200.190") or srcipaddress IN ("142.11.200.186","142.11.200.187","142.11.200.188","142.11.200.189","142.11.200.190")

    Detection Query 3 :

    sha256hash IN ("2ab684d93c1553fad87041b4dea97188a97e78589deee2a7bacff905564f3a35","f02a924c9ff92a8780ce812511341182c6b509d45bc59f3f7b522e37225d24fc","d83fdb9e53c5ff03c4cb0451ea1bebd79b53f29eadc1e2fa394c7af13a86ce2f","c7e9332731b06644fc73e0046a2a89eaa59b09f54250e9bd622467187351711f","68257a6f9ff196179ec03624e849927f26599eb180a7c82e14ef5bc4e93bc309")

    Detection Query 4 :

    resourcename = "Windows Security" and eventtype = "4663" AND (objectname like "README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT" or objectname like "_fanout.sh")

    Detection Query 5 :

    technologygroup = "EDR" AND (objectname like "README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT" or objectname like "_fanout.sh")
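The indicator checks behind Detection Queries 1, 2, 4 and 5, written as an added Python example for triaging exported events offline (not Gurucul code and not from the referenced report). It assumes events are dictionaries keyed by the query field names; `match_event`, `_host` and the sample events are hypothetical, and the hash lookup of Query 3 is left out because it is a plain set membership test.

```python
import ipaddress
import ntpath
from urllib.parse import urlsplit

# IOC values copied from this advisory (IPs are .186 through .190).
IOC_DOMAIN = "azurenetfiles.net"
IOC_IPS = {ipaddress.ip_address(f"142.11.200.{n}") for n in range(186, 191)}
IOC_FILES = {"readme-if-you-see-this-youve-been-hacked.txt", "_fanout.sh"}


def _host(value):
    """Return the lower-cased host from a bare domain or a full URL."""
    value = value.strip().lower()
    host = urlsplit(value if "//" in value else "//" + value).hostname
    return (host or "").rstrip(".")


def match_event(event):
    """Return the sorted list of IOC types an event (dict) matches."""
    hits = set()
    for field in ("domainname", "url", "siteurl"):
        host = _host(event.get(field) or "")
        # Exact domain or a subdomain; "notazurenetfiles.net" must not match.
        if host == IOC_DOMAIN or host.endswith("." + IOC_DOMAIN):
            hits.add("domain")
    for field in ("dstipaddress", "srcipaddress"):
        try:
            if ipaddress.ip_address((event.get(field) or "").strip()) in IOC_IPS:
                hits.add("ip")
        except ValueError:
            pass  # empty or malformed address field
    # Compare only the file name; ntpath splits on both "\" and "/".
    name = ntpath.basename(event.get("objectname") or "")
    if name.lower() in IOC_FILES:
        hits.add("file")
    return sorted(hits)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"url": "https://sub.azurenetfiles.net/x", "dstipaddress": "142.11.200.188"},
    {"domainname": "notazurenetfiles.net", "srcipaddress": "142.11.200.191"},
    {"objectname": r"C:\Users\Public\README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT"},
    {"objectname": "/tmp/work/_fanout.sh", "dstipaddress": "not-an-ip"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(match_event(ev), ev)
```

Matching on the parsed host rather than on a substring keeps look-alike domains out of the results, and comparing only the base name catches the dropped files under any directory.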

    Reference:    

    https://cloud.google.com/blog/topics/threat-intelligence/shinyhunters-targets-education-sector-oracle-exploit       


    Tags

    Threat Actor, Vulnerability, Shinyhunter, Exploit, CVE-2026, Education, Microsoft, Data Stealer, Extortion
