“Most of these organizations were based in the United States, and 68 percent operated within the higher education sector.”
Zero-day exploitation of CVE-2026-35273
Mandiant and Google Threat Intelligence Group (GTIG) identified an active compromise and extortion campaign, attributed to UNC6240 (ShinyHunters), that exploited a critical remote code execution vulnerability — CVE-2026-35273 (CVSS 9.8) — in Oracle PeopleSoft's Environment Management component. The activity was observed between May 27, 2026, and June 9, 2026, and predates Oracle’s June 10, 2026 advisory; GTIG therefore treats this as a zero-day exploitation. Observed targeting focused on Environment Management Hub (PSEMHUB) endpoints, and the campaign culminated in stolen organization data being published on the ShinyHunters Data Leak Site (DLS) on June 9, 2026.
Staging infrastructure: MeshCentral agents, azurenetfiles.net, and C2
GTIG triaged five sequential IP addresses — 142.11.200.186, 142.11.200.187, 142.11.200.188, 142.11.200.189, and 142.11.200.190 — which were hosting Python SimpleHTTP servers on port 8888 and exposing directory contents. Those directories contained attacker staging materials, including pre-configured Windows MeshCentral agent binaries named meshagent32-azure-ops.exe, meshagent64-azure-ops.exe, and meshagent64-v2.exe, plus an unconfigured Linux meshagent binary. Static analysis showed the agents were hardcoded to communicate with the command-and-control address wss://azurenetfiles.net:443/agent.ashx. The domain azurenetfiles.net was chosen to resemble Microsoft Azure NetApp Files endpoints. GTIG observed the installation of MeshCentral (version 1.1.59) on May 27, 2026, at 22:14 UTC and the installation of acme-client at 22:25 UTC to automate Let's Encrypt certificates for the masquerading domain.
Lateral movement and the [victim_abbreviation]_fanout.sh propagation script
The exposed .bash_history and staged files document a propagation and lateral-movement workflow. The attackers used the MeshCentral CLI utility meshctrl.js to run commands on compromised hosts, mapping PeopleSoft configurations by reading psappsrv.cfg and WebLogic config.xml, auditing mounts, and parsing local /etc/hosts entries for internal PeopleSoft nodes. They wrote a propagation script named [victim_abbreviation]_fanout.sh into /tmp on compromised systems and executed it via MeshCentral commands.
The script automates SSH credential spraying: it parses hostnames from /etc/hosts (matching patterns such as csprd[0-9]), iterates over a hardcoded list of usernames and passwords, and uses sshpass to attempt logins. On successful authentication the script copies a defacement/extortion marker file, README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT, into PeopleSoft directories (examples include /u01/app/psoft/ps_config_homes/csprd/webserv/CSPRD02 and /u01/app/psoft/ps_config_homes/csprd/appserv/prcs). If credential attempts fail, the script attempts key-based SSH. The script also copies the marker locally when target paths exist and summarizes OK/FAIL counts after execution.
Remediation, detection guidance, and indicators of compromise
- Network restrictions: GTIG recommends immediately blocking external access to /PSEMHUB/* (specifically /PSEMHUB/hub) and /PSIGW/HttpListeningConnector at the perimeter or firewall level if the EMHub service cannot be disabled. The advisory cautions that relying solely on WAF body-inspection rules is insufficient.
- Log and telemetry checks: Audit WebLogic access logs for HTTP POST requests to /PSEMHUB/hub and /PSIGW/HttpListeningConnector from untrusted external IPs; analyze /PSIGW/HttpListeningConnector requests for loopback (127.0.0.1, localhost, ::1) or internal IP ranges that could indicate SSRF; monitor outbound firewall logs and NetFlow for SMB traffic on TCP port 445 from PeopleSoft hosts to the internet.
- Host-level forensic checks: Scan /webserv/
- Patching and support: GTIG emphasizes applying Critical Patch Updates, Critical Security Patch Updates, and Security Alerts and remaining on actively supported versions. Review Oracle's Security Alert - CVE-2026-35273 for full advisory details.
- Selected IOCs published by GTIG: the five staging IPs listed above; azurenetfiles.net; staged agent filenames; and file hashes such as meshagent64-azure-ops.exe (SHA-256: f02a924c9ff92a8780ce812511341182c6b509d45bc59f3f7b522e37225d24fc) and meshagent32-azure-ops.exe (SHA-256: c7e9332731b06644fc73e0046a2a89eaa59b09f54250e9bd622467187351711f). GTIG also published the .bash_history hash (SHA-256: 2ab684d93c1553fad87041b4dea97188a97e78589deee2a7bacff905564f3a35).
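The log and telemetry checks above can be run as a first-pass triage over WebLogic access logs. The script below is an added example, not code from GTIG or Oracle; it assumes a common-log-format access log and uses constructed sample lines (no real victim data). It flags POST requests to the /PSEMHUB/* and /PSIGW/HttpListeningConnector paths from sources outside RFC 1918 and loopback ranges, and flags HttpListeningConnector requests whose URL references loopback or internal addresses, the SSRF pattern the advisory describes.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample WebLogic access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.45 - - [28/May/2026:03:14:07 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512
10.20.30.40 - - [28/May/2026:03:15:22 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512
198.51.100.9 - - [28/May/2026:03:16:01 +0000] "POST /PSIGW/HttpListeningConnector?target=http://127.0.0.1:8000/ HTTP/1.1" 200 88
10.0.0.7 - - [28/May/2026:03:17:45 +0000] "GET /psp/ps/signon.html HTTP/1.1" 200 4096
10.0.0.7 - - [28/May/2026:03:18:10 +0000] "POST /PSIGW/HttpListeningConnector?url=http://10.1.2.3/ HTTP/1.1" 200 88
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Endpoints named in the advisory as the exposure surface.
WATCHED_PREFIXES = ("/PSEMHUB/", "/PSIGW/HttpListeningConnector")
# Address tokens to look for inside a request URL (possible SSRF target).
ADDR_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}|::1|localhost")
# "Internal" here means RFC 1918 plus loopback; adjust to your own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128")]


def is_internal(addr: str) -> bool:
    """True for loopback names/addresses and RFC 1918 ranges; False otherwise."""
    if addr.lower() == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per matched rule, in log order."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith(WATCHED_PREFIXES):
            continue
        src, method, path = m["src"], m["method"], m["path"]
        # Rule 1: POST to a watched endpoint from a non-internal source address.
        if method == "POST" and not is_internal(src):
            findings.append({"rule": "external-post", "src": src, "path": path})
        # Rule 2: HttpListeningConnector URL naming a loopback/internal address.
        if path.startswith("/PSIGW/HttpListeningConnector") and any(
                is_internal(tok) for tok in ADDR_RE.findall(path)):
            findings.append({"rule": "ssrf-internal-target", "src": src, "path": path})
    return findings
```

Run `triage(open("access.log").read())` against a real export; every hit deserves a look, since these endpoints should not be reachable from outside at all.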
What this means for technologists, higher education, and incident responders
- Technologists and security teams: Prioritize network-level blocks for /PSEMHUB/* and /PSIGW/HttpListeningConnector, hunt for staged MeshCentral agents and the listed file hashes, and inspect WebLogic and PeopleSoft filesystem paths called out in the advisory.
- Higher education institutions and enterprise IT: Expect targeted attention — GTIG notified over 100 exposed organizations, 68 percent of which were academic institutions — and check for publicly posted stolen archives; the campaign correlated with ShinyHunters DLS posts on June 9, 2026.
- Incident responders and forensic teams: Triage exposed MeshCentral staging environments, examine .bash_history artifacts and meshctrl.js command histories, and verify whether outbound SSH connections to 176.120.22.24 (a public mirror of the ShinyHunters DLS) were attempted from staging hosts.
The campaign documented by Mandiant and GTIG shows a rapid chain: zero-day exploitation, staged MeshCentral-based C2, automated credential spraying and defacement, and public data leakage within days. Organizations running Oracle PeopleSoft should treat the specific remediation steps above as immediate priorities while consulting Oracle’s CVE-2026-35273 advisory for full patch guidance.