
ShinyHunters extortion gang targets global universities through critical Oracle zero-day vulnerability

  • Marijan Hassan - Tech Journalist
  • 14 hours ago
  • 2 min read

The notorious cybercrime syndicate ShinyHunters has launched a widespread extortion campaign against higher education institutions by exploiting a severe, unpatched vulnerability in Oracle's widely used PeopleSoft enterprise software. According to threat intelligence researchers at Google's Mandiant, the attacks occurred between May 27 and June 9, 2026, targeting an underlying flaw in the software before Oracle could release a patch.



The vulnerability, tracked as CVE-2026-35273, carries a critical severity score of 9.8 out of 10 and allows remote code execution on vulnerable servers without any authentication or user interaction.


Widespread impact on higher education

Google reported that it notified more than 100 organizations whose systems were potentially exposed to active scanning and exploitation. The campaign disproportionately impacted the education sector, with universities and colleges comprising 68% of the targeted entities, the majority of which are located in the United States.


The University of Nottingham in the United Kingdom has already confirmed it fell victim to the breach, acknowledging that a "significant amount of data" from its student records system was compromised. On June 9, ShinyHunters began publishing stolen archives to their dark web data leak site, threatening to release massive troves of sensitive student finance data, billing records, and personal identification details unless ransoms are paid.


Sophisticated attack mechanics

To carry out the campaign, the threat actors, tracked by Mandiant under the cluster UNC6240, demonstrated advanced intrusion tactics:

  • Deceptive remote access: The attackers deployed customized versions of MeshCentral, an open-source remote management tool, deliberately disguising the software as legitimate Microsoft Azure services to evade detection.

  • Automated lateral movement: Once inside a network, the group used specialized scripts to spray credentials across internal hosts, rapidly expanding their access across compromised campus infrastructure.

  • Defacement markers: During the intrusion, hackers left stark text files on compromised servers titled README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT.

  • Data exfiltration: Stolen information was compressed and funneled out over SSH connections directly to servers hosting the public mirror of the ShinyHunters leak site.


Ongoing risk and remediation

Because Oracle did not publish a security advisory and issue mitigation guidance until June 10, the flaw operated as a zero-day vulnerability throughout the entirety of the primary attack window. Cybersecurity authorities, including the U.S. Cybersecurity and Infrastructure Security Agency (CISA), have now added the flaw to their Known Exploited Vulnerabilities catalog.


Oracle is urgently advising all organizations running PeopleSoft Enterprise PeopleTools (versions 8.61 and 8.62) to either apply the latest security patches immediately or severely restrict external network access to the vulnerable Environment Management Hub components to prevent further compromise.
