
ShinyHunters (UNC6240) Exploits CVE-2026-35273 Zero-Day in Oracle PeopleSoft; 68% of Targets in Higher Education
ShinyHunters used a zero-day in Oracle PeopleSoft to breach universities, with 68% of targeted endpoints in higher education. Mandiant traced infrastructure left exposed by the actors. The incident highlights recurring exposure of academic enterprise systems to extortion groups.
The campaign centered on exposed /PSEMHUB/hub endpoints reachable over HTTP. Attackers deployed MeshCentral agents disguised as Azure binaries, used [victim]_fanout.sh for SSH lateral movement via hardcoded credentials, and exfiltrated compressed archives via outbound SSH to azurenetfiles.net. Mandiant identified five sequential IPs running SimpleHTTP on port 8888 with exposed .bash_history and staging files. This infrastructure exposure allowed public mapping of the operation.
Mandiant notified over 100 organizations matching vulnerable endpoints, with 68 percent in higher education. The University of Nottingham breach exposed 455,000 records including passport numbers and disability data. Oracle's mitigation requires disabling PSEMHUB or blocking /PSEMHUB/* paths. For detection, WebLogic access logs and XMLDecoder persistence in envmetadata remain viable points to check. Academic environments show higher exposure rates due to legacy multi-server deployments and delayed patching cycles.
The pattern reveals systematic targeting of higher education infrastructure where enterprise software like PeopleSoft is common yet perimeter controls lag. ShinyHunters shifted from credential dumps to direct zero-day extortion, leveraging the same under-monitored service exposure seen in prior education sector incidents. Official attribution to UNC6240 rests on tooling overlap rather than independent infrastructure confirmation.
Next steps include perimeter blocking of /PSIGW/HttpListeningConnector, log review for external POSTs to PSEMHUB, and monitoring for additional leak site postings. Universities without support contracts face extended risk windows until patches propagate.
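The log review described above can be scripted. The following is an added example, not code from Mandiant, Oracle or the cited reporting: it scans WebLogic access log lines for POST requests to the two paths named in this article that arrive from outside internal address space. It assumes the access log uses the Common Log Format and that RFC 1918 and loopback ranges are the only internal networks; the sample lines are constructed.

```python
import ipaddress
import re
from urllib.parse import unquote

# Assumption: WebLogic access.log written in Common Log Format.
CLF = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
# Paths named in the article, lowercased for comparison.
WATCHED = ("/psemhub/", "/psigw/httplisteningconnector")
# Assumption: these ranges are "internal"; adjust to the site's address plan.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_external(src):
    """True when the client field is not an address inside INTERNAL."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return True  # hostname or malformed client field: surface it for review
    return not any(ip in net for net in INTERNAL)

def find_external_posts(lines):
    """Return (timestamp, source, path, status) for external POSTs to WATCHED."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m or m["method"] != "POST":
            continue
        # Drop the query string, decode %xx escapes, ignore case.
        path = unquote(m["path"].split("?", 1)[0]).lower()
        # path + "/" lets a bare "/PSEMHUB" match the "/psemhub/" prefix.
        if any((path + "/").startswith(w) or path.startswith(w) for w in WATCHED):
            if is_external(m["src"]):
                hits.append((m["ts"], m["src"], m["path"], int(m["status"])))
    return hits

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE = [
    '203.0.113.45 - - [02/Jun/2026:03:14:07 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512',
    '10.20.1.8 - - [02/Jun/2026:03:15:00 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 498',
    '198.51.100.9 - - [02/Jun/2026:03:16:30 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 9120',
    '198.51.100.9 - - [02/Jun/2026:03:17:02 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for hit in find_external_posts(SAMPLE):
        print(hit)
```

If a reverse proxy or load balancer sits in front of WebLogic, the client field holds the proxy's address, so run the check against the proxy's logs or a logged forwarded-for field instead.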
Mandiant: At least 15 additional universities among the 100 notified will confirm data exfiltration on public leak sites within 45 days.
Sources (3)
- [1] The Hacker News (https://thehackernews.com/2026/06/shinyhunters-exploits-oracle-peoplesoft.html)
- [2] Mandiant Threat Intelligence (https://www.mandiant.com/resources/blog/unc6240-peoplesoft-campaign)
- [3] Oracle Security Alert (https://www.oracle.com/security-alerts/)