ShinyHunters Mass Exploitation of Oracle PeopleSoft Zero-Day Hits Over 100 Organizations

ShinyHunters Campaign: Scale and Targeting

Google's investigation revealed a broad and focused operation. ShinyHunters compromised approximately 300 distinct PeopleSoft instances spread across more than 100 organizations globally . GTIG took the proactive step of notifying over 100 of these exposed organizations during the active exploitation window .

The campaign displayed a clear pattern of targeting. 68% of the known victims were entities within the higher education sector, primarily colleges and universities, with the majority based in the United States .

To maintain persistence and control, the attackers deployed MeshCentral remote management agents, but disguised the filenames as legitimate Microsoft Azure services, using names such as meshagent64-azure-ops.exe. The command-and-control infrastructure further mimicked Azure by using the domain azurenetfiles.net . The stolen data was later published on the ShinyHunters Data Leak Site (DLS) on June 9, 2026 .

University of Nottingham: A Case Study in Impact

The University of Nottingham became the first publicly confirmed victim, providing a stark illustration of the breach's consequences. The university acknowledged a cyber incident affecting its student records system, confirming that a significant amount of data, totaling tens of gigabytes, had been accessed .

Reports from multiple sources indicate that between 454,600 and 500,000 personal and academic records belonging to current and former students were stolen . The compromised data primarily consisted of student and alumni records, but the university noted that staff bank details and research data were not part of the breach . The stolen data, which included details like home addresses, phone numbers, and dates of birth, was quickly published on ShinyHunters' leak site and indexed by “Have I Been Pwned” .

Immediate Mitigations Without a Patch

While Oracle issued an out-of-band security alert on June 10, 2026, the initial guidance consisted of workarounds rather than a complete software fix. Google’s threat intelligence blog, in alignment with Oracle’s advisory, recommends organizations take the following immediate steps to protect vulnerable PeopleSoft instances :

1. Disable or Remove the EMHub Service: In multi-server configurations, organizations should disable the Environment Management Hub Service. For single-server deployments, the recommendation is to completely remove the PSEMHUB application .
2. Block External Access at the Perimeter: Restrict access to the exploited endpoints, specifically /PSEMHUB/* and /PSIGW/HttpListeningConnector, using network firewalls or access control lists .
3. Audit Access Logs: Security teams should immediately check PIA WebLogic access logs for any POST requests to /PSEMHUB/hub and /PSIGW/HttpListeningConnector originating from external IP addresses to identify historical compromise .
4. Search for Web Shells: Inspect the PeopleSoft file system for unexpected .jsp files that an attacker may have planted, particularly under the path /webserv/applications/peoplesoft/PSEMHUB.war/ .
5. Monitor for Indicators of Compromise (IOCs): Monitor for the presence of suspicious directories named logs, persistantstorage, or scratchpad within PSEMHUB paths. Additionally, scrutinize any outbound SMB traffic from PeopleSoft servers, which could indicate data exfiltration .

These steps are critical stopgap measures. Organizations running PeopleTools versions 8.61 and 8.62 must prioritize applying Oracle's official out-of-band security update when it becomes available to fully remediate the risk of further exploitation .