Inside the PeopleSoft Zero-Day That Let Attackers Look Like Legitimate Users


Threat researchers have discovered a campaign by the cybercrime group known as ShinyHunters, historically known for carrying out massive data breaches and extortion attacks. This most recent campaign, based on activity observed between May 27th and June 9th, 2026, consists of attacks on Oracle PeopleSoft deployments, with over 300 instances compromised across more than 100 organizations. PeopleSoft, an enterprise resource planning (ERP) suite, is used across a wide range of large organizations, including many healthcare and higher education networks.

The dominant target in this campaign is the higher education sector, with one confirmed victim exposing nearly half a million student records. The scale of this incident represents a shift—ERP systems that were once considered too obscure to be worth attacking are now attracting industrialized cybercrime.

A Zero-Day That Bypassed the Front Gate

The activity in this campaign was found to be consistent with attackers exploiting CVE-2026-35273, a vulnerability with a CVSS score of 9.8 that allows unauthenticated remote code execution in PeopleTools versions 8.61 and 8.62. The attack chain built on this flaw lets attackers authenticate as privileged users or bypass authentication entirely, granting significant access to unauthorized, malicious actors.

Once inside, attackers can operate through legitimate application APIs with the access they have obtained, making their behavior indistinguishable from that of legitimate, authorized users. This lets them reach and exfiltrate sensitive records and potentially gain full administrative control of the entire application. A compromise at this level is severe precisely because it abuses the application's own logic and legitimate functionality rather than relying on further exploit code.

Why Nothing Sounded the Alarm

The campaign evaded detection by security tools on several fronts. Because the attackers held what looked like valid sessions, their record extraction and administrative actions appeared as authorized activity rather than as anything most security controls would flag as suspicious or malicious.

Traditional perimeter-based and database-layer defenses lack the kind of visibility into application-layer behavior that is required to catch an attack like this in progress. Without activity logging at the field and transaction level, the attackers’ ability to obtain “legitimate” access was enough to mask a full-scale breach from security detection.
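As an added example (not from the article or from Oracle), the check below runs over constructed transaction-level audit records and flags a session whose row volume through a legitimate component dwarfs its peers, the kind of signal that is only available when logging happens at the application transaction level; the record format, component name and threshold are assumptions.

```python
"""Transaction-level volume check over application audit records.

Added example, not from the article or Oracle PeopleSoft: the record format
is constructed, and the check (per-session row totals against a median
baseline for the same component) is one way to spot a valid session
bulk-reading records through legitimate application APIs.
"""
from collections import defaultdict
from statistics import median

# Constructed audit records: (session_id, user, component, rows_returned).
# The first seven model ordinary staff lookups; the last models an
# authenticated session pulling a student-record table in bulk.
AUDIT = [
    ("s1", "registrar_a", "STUDENT_RECORD", 12),
    ("s1", "registrar_a", "STUDENT_RECORD", 9),
    ("s2", "registrar_b", "STUDENT_RECORD", 15),
    ("s3", "advisor_c", "STUDENT_RECORD", 4),
    ("s3", "advisor_c", "STUDENT_RECORD", 7),
    ("s4", "registrar_a", "STUDENT_RECORD", 11),
    ("s5", "advisor_d", "STUDENT_RECORD", 6),
    ("s9", "registrar_b", "STUDENT_RECORD", 200000),
]

def rows_per_session(records):
    """Total rows returned per (session, component)."""
    totals = defaultdict(int)
    for session, _user, component, rows in records:
        totals[(session, component)] += rows
    return dict(totals)

def flag_sessions(records, factor=5.0):
    """Return [(session, component, total)] for sessions whose row total
    exceeds `factor` times the median session total for that component.
    The median keeps one huge session from inflating its own baseline."""
    totals = rows_per_session(records)
    by_component = defaultdict(list)
    for (_session, component), total in totals.items():
        by_component[component].append(total)
    flagged = []
    for (session, component), total in sorted(totals.items()):
        baseline = median(by_component[component])
        if baseline > 0 and total > factor * baseline:
            flagged.append((session, component, total))
    return flagged

if __name__ == "__main__":
    for session, component, total in flag_sessions(AUDIT):
        print(f"ALERT session={session} component={component} rows={total}")
```

A database-layer log would show the same SELECTs from the application's service account; the session and user fields that make the alert actionable exist only in the application's own audit trail.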

“This attack shows that traditional perimeter security and IdP-level authentication are necessary, but not sufficient,” according to James Davison, Chief Strategy Officer at Pathlock, a Denver, Colorado-based identity and access security provider. “Modern ERP security requires a layered approach that combines preventive controls, continuous monitoring, and visibility into user activity. The visibility into user activity is key here; behavioral monitoring to spot exceptions isn’t a nice-to-have anymore.”

From Single Exploit to Industrial-Scale Campaign

Google Threat Intelligence Group (GTIG) recovered additional details about the campaign from open attacker directories. The threat actors used staging servers hosting custom remote-management tooling in the form of preconfigured Windows MeshCentral agent binaries. The agents were configured to communicate with a command-and-control server designed to imitate legitimate Microsoft Azure NetApp Files endpoints.

An automated propagation script spread laterally using compromised internal credentials, carrying out SSH credential spraying against internal hosts with a hardcoded list of usernames and passwords. Compromised systems were marked with a defacement and extortion marker file (README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT) before data was exfiltrated and leaked.
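As an added example from the defender's side (not the campaign's script, nor GTIG's analysis), the detector below parses constructed sshd log lines in standard OpenSSH syslog format and flags an internal source that fails against several distinct usernames across hosts within a short window, then lists any login it achieved afterwards; the hostnames, addresses and thresholds are constructed.

```python
"""Spot internal SSH credential spraying in sshd auth log lines.

Added example, not from the article or GTIG: the lines below are constructed
in standard OpenSSH syslog format, and the heuristic (one source failing
against several distinct usernames in a short window, then any accepted
login from that source) is a defender-side check.
"""
import re
from collections import defaultdict
from datetime import datetime

_PREFIX = r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: "
FAILED = re.compile(_PREFIX + r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(_PREFIX + r"Accepted \S+ for (\S+) from (\S+) port")

# Constructed log lines: 10.20.5.14 sprays five usernames across three hosts
# within seconds and then succeeds with a service account on hr-web01.
LOG = """\
Jun  3 10:15:01 erp-db01 sshd[2201]: Failed password for invalid user admin from 10.20.5.14 port 51234 ssh2
Jun  3 10:15:02 erp-db01 sshd[2203]: Failed password for root from 10.20.5.14 port 51236 ssh2
Jun  3 10:15:02 erp-app02 sshd[990]: Failed password for invalid user oracle from 10.20.5.14 port 51240 ssh2
Jun  3 10:15:03 erp-app02 sshd[991]: Failed password for invalid user psadm from 10.20.5.14 port 51241 ssh2
Jun  3 10:15:04 hr-web01 sshd[1412]: Failed password for invalid user test from 10.20.5.14 port 51244 ssh2
Jun  3 10:15:05 hr-web01 sshd[1413]: Accepted password for svc_backup from 10.20.5.14 port 51250 ssh2
"""

def _parse(line):
    """Return (kind, time, host, user, src) or None for unrelated lines."""
    for kind, pattern in (("failed", FAILED), ("accepted", ACCEPTED)):
        m = pattern.match(line)
        if m:  # syslog timestamps carry no year; strptime defaults to 1900
            ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
            return kind, ts, m.group(2), m.group(3), m.group(4)
    return None

def detect_spray(lines, min_users=4, window_seconds=300):
    """Map source address -> alert for sources that look like sprayers."""
    failed, accepted = defaultdict(list), defaultdict(list)
    for ev in filter(None, map(_parse, lines)):
        (failed if ev[0] == "failed" else accepted)[ev[4]].append(ev[1:4])
    alerts = {}
    for src, events in failed.items():
        events.sort()  # (time, host, user) tuples, oldest first
        users = sorted({u for _, _, u in events})
        span = (events[-1][0] - events[0][0]).total_seconds()
        if len(users) >= min_users and span <= window_seconds:
            alerts[src] = {"users": users,
                           "hosts": sorted({h for _, h, _ in events}),
                           "logins_after_spray": [(h, u) for t, h, u in accepted[src]
                                                  if t >= events[0][0]]}
    return alerts
```

A successful login from a source that was spraying moments earlier is the line worth paging on; the failures alone are the lead, the accepted login is the confirmed foothold to contain and whose credential to rotate.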

What a Real Defense Requires

Organizations should take immediate steps to mitigate the risks of falling victim to this attack campaign. This includes isolating vulnerable endpoints, auditing for indicators of compromise, and rotating administrative credentials.

For longer-term hardening, it is important to implement multi-factor authentication at the application layer, IP-based access controls, and real-time anomaly detection. Overall, organizations need a layered security model in which the application, transaction, and data layers enforce policy together, closing the gap that ShinyHunters exploited in this campaign.

Author
  • Contributing Writer, Security Buzz
    PJ Bradley is a writer from southeast Michigan with a Bachelor's degree in history from Oakland University. She has a background in school-age care and experience tutoring college history students.