
ShinyHunters Hit Oracle PeopleSoft and Your Vendors May Already Be Compromised

How a zero-day targeting enterprise HR, payroll, and student systems becomes a third-party cyber risk crisis — and how Black Kite can pinpoint exposure across your entire vendor ecosystem today.

Published

Jun 11, 2026

Authors

Black Kite Research Group


ShinyHunters has done it again. The extortion group responsible for some of the highest-volume data theft campaigns of the past several years is now targeting Oracle PeopleSoft. PeopleSoft is an enterprise application suite that manages payroll, human resources, financial aid, immigration records, and core administrative operations for organizations around the world.

As of June 10, 2026, ShinyHunters claims to have stolen data from more than 100 organizations by compromising approximately 300 PeopleSoft instances. A confirmed victim, the University of Nottingham, has publicly acknowledged the breach, with 454,600 current and former students’ personal and academic records already published on the group’s leak site. Oracle has issued an out-of-band security alert for CVE-2026-35273, a zero-day vulnerability in PeopleSoft PeopleTools that is remotely exploitable without authentication and may result in remote code execution. Mandiant CTO Charles Carmakal confirmed active exploitation in the wild.

Figure: "Final warning" posted on ShinyHunters' dark web blog

This is not an isolated incident. It is the latest example of a recurring pattern: ShinyHunters identifies a widely deployed enterprise platform, develops automation against a critical vulnerability, and scales across hundreds of organizations before most of them know they have been targeted.

For third-party cyber risk management (TPCRM) teams, the question is not just whether your own PeopleSoft environment is exposed. It is whether the institutions and vendors you depend on are.

ShinyHunters: A Playbook, Not a Surprise

ShinyHunters has built its reputation on a specific playbook: identify a vulnerability in a platform used by hundreds or thousands of organizations, automate exploitation at scale, and monetize the resulting data through extortion and public leak pressure.

The group’s track record is a clear signal of intent:

  • Snowflake (2024): Stolen credentials, largely harvested by infostealer malware, were used against Snowflake customer accounts that had no MFA enforced, leading to confirmed breaches at Ticketmaster, Santander Bank, and dozens of other organizations, affecting hundreds of millions of records.
  • Salesforce Experience Cloud (March 2026): Exploitation of misconfigured Aura endpoints allowed unauthenticated data extraction across hundreds of organizations, with a March 14 extortion deadline.
  • Oracle PeopleSoft (June 2026): A “gadget chain” of old and zero-day vulnerabilities exploited at scale against both cloud and on-premises deployments, with education institutions as the primary wave.

The through-line is identical each time: shared enterprise platforms become shared attack surfaces. When ShinyHunters finds the right entry point, they do not breach one organization at a time. They breach ecosystems. Three campaigns in roughly two years: Snowflake, Salesforce, PeopleSoft. The next platform is already in scope.

How the Attack Works: CVE-2026-35273 and the Gadget Chain

According to ShinyHunters, the attacks leverage what they describe as a “gadget chain” — a combination of previously known vulnerabilities chained together with CVE-2026-35273, a newly disclosed zero-day in Oracle PeopleSoft PeopleTools versions 8.61 and 8.62 (and potentially earlier, unsupported versions).

Critical characteristics of CVE-2026-35273:

  • Remotely exploitable without authentication. No credentials required for initial access.
  • May result in remote code execution. Full server compromise is possible.
  • Affects both cloud and on-premises deployments. The hosting model offers no protection; any PeopleTools instance the attacker can reach over the network is in scope, and ShinyHunters has reported hitting both kinds.

Threat researchers who analyzed exposed attack infrastructure found evidence of highly automated, purpose-built tooling that demonstrates deep familiarity with PeopleSoft architecture:

  • Credential extraction from psappsrv.cfg — the PeopleSoft application server configuration file containing database connection credentials.
  • Node mapping across connected infrastructure, identifying web, application, and batch server tiers.
  • Lateral movement scripts: a shell script (uon_fanout.sh) designed to spread across PeopleSoft infrastructure once initial access is obtained.
  • MeshCentral agents and credential spray scripts deployed post-compromise for persistence and further access.

Lateral movement scripts attempt to authenticate using the accounts psoft, oracle, and linuxadm. If password authentication fails, the scripts fall back to SSH key-based authentication. Once access is obtained, the script drops a ransom note named README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT into PeopleSoft web and application server directories.


Indicators of Compromise (IOCs)

The following IP addresses have been identified as IOCs associated with these attacks. Five of the servers exposed a TLS certificate with a common name of azurenetfiles[.]net, a domain previously linked to ShinyHunters:

IP Address          Notes
142.11.200[.]186    TLS cert CN: azurenetfiles[.]net (ShinyHunters-linked)
142.11.200[.]187    TLS cert CN: azurenetfiles[.]net (ShinyHunters-linked)
142.11.200[.]188    TLS cert CN: azurenetfiles[.]net (ShinyHunters-linked)
142.11.200[.]189    TLS cert CN: azurenetfiles[.]net (ShinyHunters-linked)
142.11.200[.]190    TLS cert CN: azurenetfiles[.]net (ShinyHunters-linked)
108.174.202[.]99    Attack infrastructure
176.120.22[.]24     Attack infrastructure

Oracle has published an out-of-band security alert. Patch availability is currently limited to customers with active support accounts. ShinyHunters confirmed to BleepingComputer that their attack does not succeed on all systems and that exploitation success may depend on instance configuration.

What Was Stolen and From Whom

The data exfiltrated from PeopleSoft environments is not generic. PeopleSoft sits at the center of institutional operations. Confirmed stolen data categories include:

  • Student records: home addresses, phone numbers, email addresses, dates of birth
  • Financial aid records
  • Immigration and visa records
  • Health records
  • Administrative and personnel data
  • Academic records
  • Ethnicities and citizenship statuses
  • Disabilities
  • Passport numbers
  • IP addresses and usernames

In the University of Nottingham breach alone, ShinyHunters published records for 454,600 current and former students. That data is now indexed in Have I Been Pwned. The university confirmed the incident in a public statement and noted it is working with Action Fraud, the Information Commissioner’s Office, and other regulatory bodies.

The composition of victims skews heavily toward higher education — universities running PeopleSoft for student information systems, HR, and financial aid management. But PeopleSoft is also widely deployed in government agencies, healthcare systems, large enterprises, and financial institutions. Education is the most visible wave. It is not the last.

Why This Is a TPCRM Crisis, Not Just an IT Patch Issue

PeopleSoft’s role as enterprise operational backbone is precisely what makes it dangerous from a third-party risk perspective. Organizations that run PeopleSoft are not just managing their own data. They are managing data entrusted to them by employees, students, customers, and partners.

Three scenarios every TPCRM team must address right now:

Vendors and service providers with PeopleSoft deployments.

A payroll processor, HR outsourcing firm, or benefits administrator running PeopleSoft holds employee data for dozens or hundreds of client organizations. A single compromise propagates downstream to every one of those clients. Their PeopleSoft breach is your data breach.

Educational institutions as third parties.

Universities and research institutions routinely operate as vendors handling research data, credentials, or shared infrastructure for corporate partners. A PeopleSoft breach at a university that processes contracted research or holds employee enrollment records is a third-party breach by any meaningful definition.

Nth-party exposure through your vendors’ vendors.

Consider this scenario: your logistics vendor outsources payroll to a processor that runs PeopleSoft. That processor is now in scope for this campaign. You have no direct relationship with them, but your employees’ data may be in their environment. This is Nth-party exposure — the risk that travels through your vendors’ vendors — and it is exactly the visibility gap this campaign exposes.

ShinyHunters’ original stated objective for this campaign was to compromise an FBI PeopleSoft portal. That attempt reportedly failed. The infrastructure they built to attempt it was then deployed at scale against softer targets. Attackers who develop capability against high-security targets rarely stop when they fail. They redirect.

How Black Kite Identifies Oracle PeopleSoft Exposure Across Your Ecosystem

Responding to this campaign, the Black Kite Research Group™ developed and published a single FocusTag®: Oracle PeopleSoft.

The tag identifies vendors in your ecosystem running internet-exposed PeopleSoft instances. The Black Kite Research Group™ uses Black Kite's data lake and internet-wide scanning to continuously probe the global attack surface and surface exposed PeopleSoft servers as they are discovered; no vendor self-reporting is required.

When the tag fires on a vendor in your ecosystem, it includes the specific asset details behind the finding — subdomain, IP address, product version, and related technical indicators — so your team and the vendor know exactly where to look. There is no ambiguity, no back-and-forth, and no waiting for a questionnaire response. The exposed asset is identified. The remediation target is clear.

This is the difference between intelligence-led response and questionnaire-based interrogation. A questionnaire asks a vendor whether they run PeopleSoft and whether they have patched it. The Oracle PeopleSoft FocusTag® already knows the answer and points directly to the exposed server.

Figure: The Oracle PeopleSoft FocusTag® as shown in the Black Kite platform

Turning Intelligence Into Action with FocusTags®

Black Kite’s FocusTags® capability translates campaign-specific threat intelligence into actionable vendor-level visibility across your ecosystem — in hours, not weeks.

Waiting for a quarterly questionnaire cycle to reveal PeopleSoft exposure is the wrong answer to a question that’s already due. By the time a vendor responds to an assessment request, ShinyHunters may have already published their data. FocusTags® exist to make that approach obsolete.

Figure: Questionnaire-based versus intelligence-led approach

In the context of this campaign, FocusTags® allow TPCRM teams to:

  • Surface every vendor, partner, or institutional counterparty in your ecosystem with confirmed or likely PeopleSoft usage.
  • Prioritize outreach and assessment based on data sensitivity — vendors handling employee data, financial records, or health information should be evaluated first.
  • Track remediation status and patch confirmation across affected vendors.
  • Monitor threat intelligence developments as ShinyHunters continues to publish data and expand targeting.

For vendor outreach at scale, The Bridge™ enables direct engagement with affected vendors without waiting for scheduled assessment cycles — send targeted inquiries, track responses, and document risk acceptance decisions in a single workflow.

Additionally, affected vendors’ Ransomware Susceptibility Index® (RSI™) scores may have shifted as a result of this campaign. Black Kite monitors these indicators continuously, giving your team real-time signal on which vendors’ risk profiles have materially changed without waiting for a vendor to tell you.

The fundamental question this campaign demands every risk team answer is not "are we vulnerable?" It is: which of the organizations we depend on are vulnerable, and what data of ours sits inside their PeopleSoft environment? FocusTags®, ThreatTrace™, and The Bridge™ exist to answer that question fast enough to act on it before the next data dump.

For Organizations Running Oracle PeopleSoft (First-Party Risk)

Apply the CVE-2026-35273 patch immediately.

Oracle has published an out-of-band security alert. If you have an active support contract, access the patch availability document now. If you are on an unsupported version (prior to 8.61), assume you are in scope and treat exposure as critical.

Restrict internet access to PeopleSoft portals.

If PeopleSoft administrative and application server interfaces are accessible from the public internet without network-layer controls (VPN, IP allowlisting, zero-trust gateway), close that exposure immediately regardless of patch status.

Audit psappsrv.cfg and connected node credentials.

Attacker tooling specifically targets PeopleSoft application server configuration files for credential extraction. Rotate the database credentials stored in psappsrv.cfg, rotate the passwords of the psoft, oracle, and linuxadm OS accounts the lateral movement scripts try, and review which systems are reachable from your application tier. Because the scripts fall back to SSH key authentication when a password fails, also review the authorized_keys of those three accounts on every tier and remove any key you cannot account for.

Hunt for indicators of compromise.

Cross-reference your environment against the IP addresses and the azurenetfiles[.]net TLS certificate common name in the IOC table above. Search web, application, and batch server filesystems for uon_fanout.sh and the ransom note README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT, and look for MeshCentral agents that were not deployed by your own administrators. Review SSH logs for authentication attempts against the psoft, oracle, and linuxadm accounts between tiers, and review logs for unauthorized connections between PeopleSoft tiers and unexpected outbound traffic.

Review connected node configurations.

Attackers map all nodes connected to a compromised PeopleSoft instance. Assess whether node-to-node authentication controls are enforced and whether web, application, and batch tier connections are restricted to expected internal ranges.

Notify downstream stakeholders proactively.

If you manage PeopleSoft data on behalf of other organizations (employees, students, research partners), proactive notification is likely a legal obligation under the breach-notification rules that apply to you and is, in any case, a trust imperative. Do not wait for the data to appear on a leak site.
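As an added example, and not Black Kite tooling or anything published by the researchers the article cites, the script below turns the indicators above into a log hunt: the IOC IP addresses and azurenetfiles[.]net TLS common name from the IOC table, the psoft/oracle/linuxadm accounts and the password-then-SSH-key fallback described for the fan-out script, and the uon_fanout.sh and ransom-note filenames. Everything else is assumed or constructed for the demonstration: the log formats (an Apache-style web access log, OpenSSH auth lines, an egress TLS inspection line, a file-integrity event), the hostnames, the internal addresses, the paths and the sample lines themselves.

```python
"""Hunt logs for indicators of the ShinyHunters PeopleSoft campaign.

Added example, not Black Kite tooling. The indicators are taken from the
article; log formats, hostnames, internal IPs, paths and sample lines are
constructed for the demonstration.
"""
import re
from collections import defaultdict

IOC_IPS = frozenset({
    "142.11.200.186", "142.11.200.187", "142.11.200.188",
    "142.11.200.189", "142.11.200.190",
    "108.174.202.99", "176.120.22.24",
})
IOC_TLS_CN = "azurenetfiles.net"
TARGETED_ACCOUNTS = frozenset({"psoft", "oracle", "linuxadm"})
IOC_FILENAMES = ("uon_fanout.sh", "README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT")

# A dotted quad that is not embedded in a longer dotted or numeric token.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
# OpenSSH auth lines (assumed format), e.g.
#   sshd[21431]: Failed password for psoft from 10.0.5.21 port 51220 ssh2
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def hunt(lines):
    """Scan an iterable of log lines; return {finding_type: [(line_no, detail), ...]}."""
    findings = defaultdict(list)
    ssh_events = defaultdict(list)  # (src, user) -> [(line_no, result, method)]
    for n, line in enumerate(lines, 1):
        # 1. Known attacker IPs wherever they appear (access, proxy, firewall logs).
        for ip in IPV4_RE.findall(line):
            if ip in IOC_IPS:
                findings["ioc_ip"].append((n, ip))
        # 2. The ShinyHunters-linked TLS common name (SNI / certificate inspection logs).
        if IOC_TLS_CN in line:
            findings["ioc_tls_cn"].append((n, IOC_TLS_CN))
        # 3. Fan-out script and ransom-note filenames (FIM, EDR, or `find` output).
        for name in IOC_FILENAMES:
            if name in line:
                findings["ioc_filename"].append((n, name))
        # 4. SSH logins against the accounts the fan-out script targets.
        m = SSHD_RE.search(line)
        if m and m["user"] in TARGETED_ACCOUNTS:
            detail = f"{m['result']} {m['method']} for {m['user']} from {m['src']}"
            findings["ssh_targeted_account"].append((n, detail))
            ssh_events[(m["src"], m["user"])].append((n, m["result"], m["method"]))
    # 5. The script tries a password first and falls back to a key: a failed
    #    password followed by an accepted publickey for the same account from
    #    the same source is the shape of that fallback.
    for (src, user), events in ssh_events.items():
        failed_pw = [n for n, r, meth in events if (r, meth) == ("Failed", "password")]
        ok_key = [n for n, r, meth in events if (r, meth) == ("Accepted", "publickey")]
        if failed_pw and ok_key and min(failed_pw) < max(ok_key):
            detail = (f"{user} from {src}: password failed at line {min(failed_pw)}, "
                      f"key accepted at line {max(ok_key)}")
            findings["ssh_password_then_key_fallback"].append((max(ok_key), detail))
    return dict(findings)


# Constructed sample lines: hosts, internal IPs, URL paths and file paths are invented.
SAMPLE_LOGS = [
    '142.11.200.187 - - [10/Jun/2026:02:58:11 +0000] "GET /psp/ps/signon.html HTTP/1.1" 200 5120',
    '10.20.30.40 - - [10/Jun/2026:02:58:12 +0000] "GET /psp/ps/signon.html HTTP/1.1" 200 5120',
    "Jun 10 03:01:07 psweb01 tlsinspect: dst=108.174.202.99 sni=azurenetfiles.net action=allow",
    "Jun 10 03:12:40 psapp01 sshd[21431]: Failed password for psoft from 10.0.5.21 port 51220 ssh2",
    "Jun 10 03:12:44 psapp01 sshd[21433]: Accepted publickey for psoft from 10.0.5.21 port 51222 ssh2: RSA SHA256:deadbeef",
    "Jun 10 03:12:50 psapp01 sshd[21440]: Accepted password for appadmin from 10.0.7.9 port 40010 ssh2",
    "Jun 10 03:13:02 psapp01 fim: created /opt/psft/appserv/README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT",
]

if __name__ == "__main__":
    for kind, hits in hunt(SAMPLE_LOGS).items():
        for line_no, detail in hits:
            print(f"{kind:32} line {line_no}: {detail}")
```

Feed it the concatenated web-tier access, egress, SSH and file-integrity logs from all three tiers rather than one file at a time; the password-then-key check only pairs events from the same source for the same account, so a script that hops sources still shows up as individual ssh_targeted_account hits that you triage by hand. Add any MeshCentral agent paths or process names from your own EDR to IOC_FILENAMES once you know what they look like in your environment.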

For Organizations Managing Vendor and Institutional Risk (Third-Party Risk)

Identify every vendor and institution in your ecosystem running PeopleSoft.

This includes HR outsourcing firms, payroll processors, benefits administrators, universities with whom you have research or employment relationships, and any technology service provider that may use PeopleSoft internally. Black Kite can surface this list today.

Prioritize based on data exposure.

Vendors that handle employee PII, financial records, health information, or immigration data on your behalf represent the highest downstream risk. Their PeopleSoft breach is your data breach.

Initiate immediate vendor outreach via The Bridge™.

For critical vendors, do not wait for a scheduled assessment cycle. Send direct inquiries asking for confirmation of patch status for CVE-2026-35273, whether internet-facing PeopleSoft portals are protected behind network-layer controls, and whether they have completed an IOC analysis against known ShinyHunters infrastructure.

Escalate unpatched vendors to risk acceptance or contingency planning.

If a vendor confirms they have not yet patched and cannot provide a timeline, that is a material risk event. It requires documented risk acceptance, enhanced monitoring, or — for the most critical vendors — contingency planning for data access disruption.

Update your vendor inventory for PeopleSoft usage.

Many organizations do not track which enterprise platforms their vendors run. This campaign is a reminder that platform-level visibility is a prerequisite for effective TPCRM. Build it into your vendor onboarding and periodic review process.

Final Thoughts

ShinyHunters has now run the same playbook three times in roughly two years: Snowflake, Salesforce Experience Cloud, Oracle PeopleSoft. Each time the group targeted a widely deployed enterprise platform. Each time, hundreds of organizations were compromised before most had a chance to respond.

The pattern is not coincidence. It is strategy. Shared infrastructure creates shared attack surfaces. Attackers who understand this can achieve at scale what individual breaches never could.

For TPCRM programs, each of these campaigns reveals the same gap: the moment a vendor is compromised, most organizations that depend on them have no idea. They find out when the data appears on a leak site or when a regulator calls. The organizations that respond in hours — not weeks — are the ones who already know which vendors run PeopleSoft, what data sits inside those environments, and what their patch status is today.

PeopleSoft runs payroll for your employees, manages student records for institutions you partner with, and processes financial data for organizations throughout your supply chain. That is not a future risk to monitor. It is a current exposure to verify. Black Kite can show you which vendors in your ecosystem are running PeopleSoft — right now, before the next leak.

SEE WHICH OF YOUR VENDORS ARE EXPOSED

Black Kite can identify every vendor in your ecosystem running Oracle PeopleSoft — and flag which ones show active exposure indicators — in a single session. No questionnaires. No waiting. Intelligence-led response, starting today. Book a demo at blackkite.com/book-a-demo

References

https://www.helpnetsecurity.com/2026/06/11/oracle-peoplesoft-under-attack-cve-2026-35273/

https://techcrunch.com/2026/06/10/cybercriminals-claim-breach-of-oracle-peoplesoft-servers-at-100-plus-organizations/

https://www.scworld.com/brief/shinyhunters-gang-targets-oracle-peoplesoft-servers-in-data-theft-attacks

https://www.nottingham.ac.uk/currentstudents/news/student-and-alumni-data-has-been-compromised-in-a-data-security-incident

https://haveibeenpwned.com/Breach/UniversityOfNottingham

https://www.bleepingcomputer.com/news/security/oracle-peoplesoft-servers-hacked-in-shinyhunters-data-theft-attacks/

https://www.oracle.com/security-alerts/alert-cve-2026-35273.html