Google links ShinyHunters to Oracle PeopleSoft zero-day extortion campaign targeting universities


Alphabet's cybersecurity unit Mandiant and Google Threat Intelligence Group said Thursday they had identified an active compromise and extortion campaign targeting Oracle's PeopleSoft enterprise software, which they attributed to the hacking group ShinyHunters.

The campaign took place between May 27 and June 9, Google said in a blog post.

PeopleSoft is an enterprise resource planning suite used by organizations to manage core business functions including human resources, finance and supply-chain operations.

After becoming aware of active scanning and exploitation, Google said it notified more than 100 organizations whose IP addresses correlated with potentially vulnerable endpoints. Most were based in the U.S., and 68% were in the higher education sector.

Researchers found that the attackers hosted customized MeshCentral agents disguised as legitimate cloud endpoints, which were used to run administrative command queries.

These agents were deployed via attacker-controlled staging infrastructure using binaries impersonating cloud services and connected back to a command-and-control domain designed to mimic Microsoft Azure infrastructure.

As the activity occurred before Oracle issued a security advisory on June 10, the hackers were able to exploit the vulnerability as a "zero-day" flaw, meaning there was no patch available at the time of the attacks.

ShinyHunters DLS post showing PeopleSoft victim added June 9, 2026. Image by Google.

The attackers also leveraged access to internal PeopleSoft configuration files, WebLogic server settings, and process scheduler configurations to map enterprise environments and enable lateral movement within compromised networks.

ShinyHunters is a hacking group with a history of targeting global companies for extortion. Last month, the group struck a deal with Instructure, the parent company of education tool Canvas, to secure stolen student and school data.
