ShinyHunters Breach Council of Europe in Oracle PeopleSoft Heist

"We are currently investigating the matter and assessing the situation," a Council of Europe spokesperson told The Register.

ShinyHunters claims a 297 GB PeopleSoft haul and 429,000 files

Extortion group ShinyHunters says it breached the Council of Europe after exploiting a zero‑day in Oracle PeopleSoft, claiming to have stolen more than 297 GB of data and 429,000 files. According to a post on the group's data‑leak site reported by The Register, the pilfered records include HR and payroll records, payslips, purchase‑order records, CVs, and employees' salary, banking, tax, and medical records. A spokesperson for the cybercrime group told The Register that the Council is "yet another victim of the Oracle PeopleSoft heist."

Oracle PeopleSoft zero‑day: CVE‑2026‑35273 and unanswered questions

The vulnerability at the center of the claims is tracked as CVE‑2026‑35273. ShinyHunters told The Register it exploited that zero‑day to compromise more than 100 organizations across roughly 300 vulnerable PeopleSoft instances. Oracle had not responded to The Register's inquiries at the time of reporting, and it remained unclear whether CVE‑2026‑35273 had been patched.

Google threat report ties activity to CVE‑2026‑35273 and flags higher education exposure

A Google threat report published "late last week," as cited by The Register, noted malicious activity "consistent with the exploitation of CVE‑2026‑35273" between May 27 and June 9. Google said its incident responders notified more than 100 global organizations whose IP addresses correlated with potentially vulnerable endpoints. According to the report, most of those organizations are US‑based and 68 percent operated within the higher education sector.

Related incidents: University of Nottingham, Instructure, and Infinite Campus

ShinyHunters has publicly linked prior intrusions to the same PeopleSoft vulnerability and to other vectors. The group listed the University of Nottingham on its leak site and, according to The Register, dumped data it claims belongs to around 454,600 current and former students, including personal and academic records. In mid‑May, ed‑tech company Instructure said it had "reached an agreement" with ShinyHunters after a breach of its Canvas platform; The Register characterized that phrasing as corporate shorthand indicating the company paid the ransom demand. In March, ShinyHunters claimed to have stolen data from K‑12 software provider Infinite Campus in a wave tied to Salesforce‑related intrusions. Infinite Campus did not pay, and ShinyHunters subsequently published data it claims was stolen from Infinite Campus, including 137,000 individuals' email addresses plus names, phone numbers, physical addresses and support tickets. Infinite Campus, in its breach notification, said the leaked files largely consisted of "names and contact information for school staff" and that "the majority is directory information commonly found on school websites."

How universities, ed‑tech providers, and the Council of Europe are responding

  • Universities and higher education institutions: Several institutions were among the organizations Google notified because their IP addresses correlated with potentially vulnerable endpoints; ShinyHunters' public listings and subsequent data dumps (for example, the University of Nottingham posting and data for roughly 454,600 students) indicate higher education organizations must assess exposure and respond to possible data disclosure.
  • Ed‑tech providers and K‑12 vendors: Instructure disclosed it had "reached an agreement" with the extortion group after a Canvas breach affecting 275 million students, teachers and staff, and Infinite Campus acknowledged published files that it described as primarily directory information. These incidents show providers are both targets and focal points for downstream exposure of student and staff records.
  • The Council of Europe: The Council confirmed it is "currently investigating the matter and assessing the situation" and has declined further comment to The Register while the investigation proceeds.

The sequence of claims—ShinyHunters' assertion of a broad PeopleSoft campaign, Google's report linking active exploitation to CVE‑2026‑35273, and the public disclosure of data tied to universities and ed‑tech platforms—leaves a clear throughline: multiple organizations and categories of records are implicated, and the questions of remediation and disclosure remain active. Oracle had not commented to The Register about the vulnerability at the time of reporting, and the Council of Europe investigation was ongoing.

Read the original report at The Register