
ShinyHunters Zero-Day Oracle PeopleSoft Campaign

The article exposes a real tension: a critical zero-day vulnerability (CVE-2026-35273, CVSS 9.8) in Oracle PeopleSoft‘s Environment Management component was actively exploited by the threat group ShinyHunters before Oracle’s June 10, 2026 advisory. The campaign heavily targeted the education sector, with 68 percent of notified organizations being higher-education institutions. Attackers used this remote code execution hole to compromise PeopleSoft servers, deploy custom MeshCentral agents masquerading as Azure services, and eventually exfiltrate data, which was published on a data leak site.
The concrete technical path is laid out in forensic detail from exposed attacker staging directories. ShinyHunters set up five IP addresses hosting Python SimpleHTTP servers on port 8888, containing pre-configured Windows MeshCentral agent binaries named meshagent64-azure-ops.exe and others, hardcoded to callback to wss://azurenetfiles.net:443/agent.ashx. The command history shows steps from installing MeshCentral (v1.1.59) to mapping internal PeopleSoft configurations by reading psappsrv.cfg and WebLogic config.xml, then writing a propagation script [victim_abbreviation]_fanout.sh that sprayed hardcoded SSH credentials to copy a defacement file (README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT) across internal hosts. Exfiltration used zstd compression before connecting to the ShinyHunters DLS.
The serious takeaway for builders is that this is not a theoretical threat—attackers are actively weaponizing zero-days in enterprise application servers with known lateral movement patterns. The article provides specific, actionable remediation: block /PSEMHUB/hub and /PSIGW/HttpListeningConnector at the network perimeter, as these are non-essential for user-facing operations. Additionally, monitor WebLogic access logs for POST requests to these endpoints, watch for outbound SMB on port 445, and inspect filesystem for unexpected .jsp, .xml, or directories like logs, persistantstorage, or scratchpad. The reliance on WAF body-inspection rules is explicitly called out as insufficient—network-blocking is the recommended first step.


