ProBackend
cybercrime financial threat actors
1 hour ago · 7 min read

ShinyHunters Turned a PeopleSoft Zero-Day Into the Biggest University Heist of 2026

Extortion group ShinyHunters is targeting unpatched Oracle PeopleSoft servers using CVE-2026-35273. The campaign has breached over 100 organizations, including a major theft of 454,600 student records at the University of Nottingham via a gadget chain of exploits and custom MeshCentral agents.

The Zero-Day That Opened the Gates

Let’s be honest: if you’re running Oracle PeopleSoft and you haven’t patched it since 2024, you’re already behind, and the older, known flaws this campaign chains together are already yours. CVE-2026-35273 isn’t just a vulnerability. It’s a backdoor with a neon sign. Unauthenticated. Remote. CVSS 9.8. That’s not a footnote in a patch note. That’s a siren.

Oracle’s advisory says it plainly: "This vulnerability is remotely exploitable without authentication." No login. No phishing. No trickery. Just a server exposed to the internet, and a threat actor with a script. PeopleSoft isn’t some niche HR tool. It’s the central nervous system of university administration — payroll, student records, financial aid, course registrations. You break PeopleSoft, you break the entire institution.

The fact that ShinyHunters didn’t just find it — they weaponized it — tells you everything. This wasn’t luck. This was targeting. And they didn’t stop at one. They hit 300 instances across 100+ organizations. That’s not a coincidence. That’s a campaign.

And here’s the kicker: Oracle hadn’t even released a patch yet when the first ransom notes started showing up. The window between discovery and mitigation? That’s where the real damage happens. ShinyHunters didn’t wait. They moved faster than the vendors, faster than the IT teams, faster than the legal departments trying to decide if they should pay up. And they won.

The Gadget Chain

ShinyHunters didn’t use one exploit. They used a chain, a "gadget chain" as it’s been called. That’s not jargon. That’s a tactic. Strictly, a gadget chain is the exploit developer’s term for stringing together pieces of code that already live on the target (on a Java stack like the WebLogic server under PeopleSoft, classes already on the classpath) so that a single entry point ends in code execution. Used loosely, as it is here, it means the same thing at the level of the whole intrusion: the brand-new zero-day is the entry point, and old, known flaws and weak defaults carry them deeper, further, and faster than anyone expected.

They didn’t just drop a shell. They dropped a whole toolkit. Researchers found staging servers hosting custom MeshCentral agents — remote management tools normally used by IT departments to control endpoints. But here? They were weaponized. The attackers used them to pivot from PeopleSoft into other internal systems, masquerading as Microsoft Azure services. Think about that. You’re scanning your network for anomalies, and suddenly you see traffic going to Azure. You assume it’s legitimate. You don’t blink. That’s the beauty of it.

And then there’s the script. It parses /etc/hosts, picks out the entries that look like PeopleSoft servers, and tries to SSH in with the default service-account names: ‘psoft’, ‘oracle’, ‘linuxadm’. If password auth fails, it falls back to SSH key authentication. That’s not a script. That’s a bot. And it’s been running for weeks, quietly probing every PeopleSoft instance it can find. Two settings break it: no password authentication for those service accounts, and no passphrase-less private keys left lying around on the first compromised host, the obvious source for that key fallback.
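The password-then-keys behaviour described above leaves a clear pattern in sshd logs once you know which accounts to watch. What follows is an added example written for this write-up, not code from the campaign or from any vendor report: it parses a handful of constructed OpenSSH auth-log lines (the host name psapp01, the addresses and the timestamps are invented) and flags any source that fails password authentication against the psoft, oracle or linuxadm accounts and then switches to public-key authentication from the same address.

```python
import re
from collections import defaultdict

# Service accounts the article says the script tries first over SSH.
DEFAULT_ACCOUNTS = frozenset({"psoft", "oracle", "linuxadm"})

# Matches OpenSSH's "Failed|Accepted password|publickey for USER from IP port N".
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>password|publickey) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed sample: host, addresses and times are invented for this example.
SAMPLE_AUTH_LOG = [
    "Mar 14 02:11:07 psapp01 sshd[2311]: Failed password for psoft from 10.20.30.40 port 51022 ssh2",
    "Mar 14 02:11:09 psapp01 sshd[2312]: Failed password for oracle from 10.20.30.40 port 51023 ssh2",
    "Mar 14 02:11:12 psapp01 sshd[2314]: Failed password for linuxadm from 10.20.30.40 port 51024 ssh2",
    "Mar 14 02:11:15 psapp01 sshd[2316]: Accepted publickey for psoft from 10.20.30.40 port 51025 ssh2: RSA SHA256:deadbeef",
    "Mar 14 02:11:20 psapp01 sshd[2318]: Failed password for invalid user admin from 10.20.30.40 port 51026 ssh2",
    "Mar 14 08:00:01 psapp01 sshd[2400]: Accepted publickey for deploy from 10.0.0.5 port 40000 ssh2: ED25519 SHA256:cafe",
    "Mar 14 09:30:44 psapp01 sshd[2455]: Accepted password for oracle from 10.0.0.9 port 40510 ssh2",
]


def analyze_ssh_log(lines, accounts=DEFAULT_ACCOUNTS):
    """Summarise, per source address, activity against the watched accounts.

    Lines are assumed to be in file order, which is chronological for one log.
    A source is marked 'fallback' when a publickey attempt follows at least one
    failed password attempt against a watched account from the same address.
    """
    by_src = defaultdict(lambda: {
        "pw_failed": [],      # watched accounts that failed password auth
        "key_attempts": 0,    # publickey attempts, accepted or failed
        "accepted": [],       # (method, user) pairs that succeeded
        "fallback": False,
    })
    for line in lines:
        m = AUTH_RE.search(line)
        if not m or m["user"] not in accounts:
            continue
        rec = by_src[m["src"]]
        if m["method"] == "password" and m["result"] == "Failed":
            rec["pw_failed"].append(m["user"])
        elif m["method"] == "publickey":
            rec["key_attempts"] += 1
            rec["fallback"] = rec["fallback"] or bool(rec["pw_failed"])
        if m["result"] == "Accepted":
            rec["accepted"].append((m["method"], m["user"]))
    return dict(by_src)


def report(summary):
    """One line per source, fallback cases first."""
    lines = []
    ordered = sorted(summary.items(), key=lambda kv: (not kv[1]["fallback"], kv[0]))
    for src, rec in ordered:
        if rec["fallback"]:
            tag = "FALLBACK password->publickey"
        elif rec["pw_failed"]:
            tag = "password failures"
        elif any(method == "password" for method, _ in rec["accepted"]):
            tag = "password login on service account"
        else:
            tag = "ok"
        lines.append(f"{src}: {tag}; failed={rec['pw_failed']} accepted={rec['accepted']}")
    return lines


if __name__ == "__main__":
    for line in report(analyze_ssh_log(SAMPLE_AUTH_LOG)):
        print(line)
```

Feed it the lines from /var/log/auth.log or `journalctl -u ssh` on each PeopleSoft application host. A FALLBACK hit is the bot; a plain password login on a service account is the configuration that lets the bot work in the first place.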

They didn’t just steal data. They left behind a trail of ransom notes — README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT — dropped right into the web server directories. A digital calling card. A taunt. "We were here. We saw your data. And we’re not leaving until you pay."

This isn’t ransomware. It’s extortion with surgical precision. No encryption. No lockouts. Just data. And the threat to publish it. And for universities? That’s worse than encryption. Because you can’t pay your way out of a data leak. You can’t pay your way out of the headlines. You can’t pay your way out of the students’ parents screaming at your front office.

Nottingham and the 454,600

The University of Nottingham didn’t just get breached. They got gutted.

454,600 student records. Not 45,000. Not 4,500. Over 450,000. That’s nearly the population of a small city, and every one of those records was ripped out of PeopleSoft. Names. Addresses. Passport numbers. Credit card details. Dates of birth. Campus portal credentials. Financial aid records. Everything.

And it wasn’t just Nottingham. The breach reached their campuses in Malaysia and China. That’s not a local incident. That’s a global one. And ShinyHunters didn’t just take the data. They published it. On their leak site. As proof. As leverage. As a warning to everyone else.

Have I Been Pwned confirmed the scale. They didn’t just find email addresses. They found ethnicities. Disabilities. Academic enrolment histories. Fee payment records. This isn’t a breach. It’s a forensic archive of human vulnerability.

The university’s statement? "A significant amount of data has been accessed." That’s corporate-speak for "we lost everything." They reported it to Action Fraud and the ICO. Good. But that doesn’t bring back the data. Doesn’t stop the blackmail. Doesn’t erase the fact that thousands of students now have to worry about identity theft, fraud, and harassment — all because someone didn’t patch a server.

And here’s the truth nobody wants to say: Nottingham wasn’t special. They were just the first one we heard about. There are dozens more. Maybe hundreds. And most of them won’t say a word. Because admitting you got hacked in this way? It’s worse than the breach itself. It’s the end of your reputation.

The Attack Infrastructure

The IPs tell a story.

142.11.200.186–190. 108.174.202.99. 176.120.22.24.

Those aren’t random numbers. They’re coordinates on a map of destruction.

The first five? Command-and-control nodes. The sixth? A staging server. The seventh? The leak site. That’s not chaos. That’s architecture.

Mandiant confirmed it: the attackers used these servers to host HTTP services that acted as intermediaries between their real infrastructure and the compromised PeopleSoft instances. They were hiding in plain sight, using TLS certificates for the domain "azurenetfiles[.]net", a domain previously tied to ShinyHunters and a lookalike, not a Microsoft property. So when you see traffic going to azurenetfiles, you assume it’s Microsoft. You don’t block it. You let it through. The check is cheap: a certificate subject or TLS SNI value that merely contains "azure" proves nothing; match the registered domain, not the word.

And the .bash_history files? Found on exposed servers. They showed the attackers’ commands. The scripts they ran. The paths they explored. They weren’t just stealing data. They were documenting their own success. Leaving a trail for the next victim to find.

This is the new normal. Threat actors aren’t just hacking systems. They’re building infrastructure — temporary, disposable, but highly effective. They don’t need to be stealthy forever. They just need to be stealthy long enough to get what they want.

And they’re getting better. Faster. Smarter.

The 68 Percent

Mandiant’s report said it clearly: 68% of the targets were in higher education.

That’s not a coincidence. That’s a strategy.

Universities are soft targets. Underfunded. Overworked. Running legacy systems on budgets that haven’t changed since 2012. They’re not banks. They’re not defense contractors. They’re places where professors still use Excel spreadsheets to track grades. Where IT staff are stretched thin across 15 different departments. Where patching is a "when we get around to it" task.

And ShinyHunters knows it.

They’ve hit Instructure Canvas before. Now they’ve hit PeopleSoft. Next? Probably Blackboard. Then Canvas again. They’re not random. They’re systematic. They’re targeting the institutions that hold the most personal data — and the least security.

It’s not just about money. It’s about power. The power to leak a student’s disability status. The power to expose a professor’s salary. The power to destroy trust — not just in a university, but in the entire system of higher education.

And the worst part? We’re still letting it happen. We’re still letting universities run critical systems on unpatched software. We’re still letting them store decades of student data in a single, vulnerable platform. We’re still letting them believe that "we’ve never been breached before" is a security posture.

It’s not. It’s a death sentence.

What You Must Do Now

If you’re reading this and you’re responsible for PeopleSoft — whether you’re a CISO, an IT director, or a sysadmin who’s been stuck with this mess — here’s your checklist. Do it now. Not tomorrow. Not next week. Now.

  1. Block the IPs. 142.11.200.186–190, 108.174.202.99, and 176.120.22.24. Block them at your firewall. Block them at your proxy. Block them everywhere, and add azurenetfiles[.]net to your DNS and TLS blocklists while you’re at it. Blocking won’t evict an attacker who’s already inside, but it cuts the C2 and staging channels and turns every hit into an alert telling you which of your hosts were talking to them.

  2. Check your logs. Look for requests to /PSEMHUB/ and /PSIGW/HttpListeningConnector. Requests to those paths from outside your network, or from the addresses above, are your trigger. Don’t argue with the logs: treat the host as compromised, preserve the evidence, and start your incident response. Now.

  3. Scan for webshells. Look for .jsp files in WebLogic directories that you never deployed. Look for staging folders named "logs," "persistantstorage," or "scratchpad." Look for XML files modified in the last 72 hours that no change ticket explains, and for the ransom note README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT in the web server directories. Compare against a known-good copy of the deployment rather than eyeballing timestamps: these aren’t normal. They’re not accidental. They’re malicious.

  4. Patch. Oracle’s emergency mitigation is out. Apply it. Even if you think you’re not vulnerable. Even if you think you’re "too small to be targeted." You’re not. You’re exactly who they want. And don’t stop at the emergency fix: the chain ran through old, known flaws as well, so the updates you’ve been deferring are part of the same job.

  5. Audit your data. How much PII is stored in PeopleSoft? Can you reduce it? Can you move it to a more secure system? Can you encrypt it? Be honest about that last one: encryption at rest does nothing against an attacker who is inside the application, which is exactly where this exploit puts them. Holding less data is the only control that shrinks what a zero-day can take. If you can’t do any of this, you’re already one zero-day away from being the next Nottingham.
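Steps 1 through 3 are mechanical enough to script, and the infrastructure section above supplies the indicators. What follows is an added example for this write-up, not code from Mandiant, Oracle or the campaign: it expands the listed IP range and domain into a matcher, runs the path check over a few constructed access-log lines (the timestamps and the non-IOC addresses are invented; the INTERNAL_NETS list stands in for your own address plan), and walks a constructed PIA/WebLogic directory tree looking for the file-system indicators from the checklist.

```python
import ipaddress
import os
import re
import tempfile
import time
from pathlib import Path

# Network indicators named in the article: five C2 nodes (142.11.200.186-190),
# the staging server and the leak site, plus the lookalike TLS domain.
IOC_IPS = {f"142.11.200.{n}" for n in range(186, 191)} | {"108.174.202.99", "176.120.22.24"}
IOC_DOMAINS = {"azurenetfiles.net"}

# Assumed address plan; replace with your own. Anything outside it is external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Request paths and filesystem indicators from the checklist.
SUSPECT_PATHS = ("/PSEMHUB/", "/PSIGW/HttpListeningConnector")
STAGING_DIRS = {"logs", "persistantstorage", "scratchpad"}
RANSOM_NOTE = "README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT"

# Combined log format: client ident user [time] "METHOD PATH PROTO" status size
ACCESS_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Constructed sample lines; only 142.11.200.188 is an address from the article.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [14/Mar/2026:02:10:55 +0000] "GET /PSIGW/HttpListeningConnector HTTP/1.1" 200 512',
    '142.11.200.188 - - [14/Mar/2026:02:11:02 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 88',
    '10.1.2.3 - - [14/Mar/2026:02:11:10 +0000] "GET /PSEMHUB/hub HTTP/1.1" 200 88',
    '203.0.113.9 - - [14/Mar/2026:02:12:00 +0000] "GET /psp/ps/EMPLOYEE/HRMS/h/ HTTP/1.1" 200 1024',
]


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def matches_ioc_domain(host):
    """True for the IOC domain itself or any subdomain of it, case-insensitively."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def scan_access_log(lines):
    """Return (reason, src, path) for suspect-path hits from IOC or external sources."""
    findings = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m or not m["path"].startswith(SUSPECT_PATHS):
            continue
        if m["src"] in IOC_IPS:
            findings.append(("ioc-ip", m["src"], m["path"]))
        elif is_external(m["src"]):
            findings.append(("external", m["src"], m["path"]))
    return findings


def scan_webroot(root, now=None, window_hours=72):
    """Walk a PIA/WebLogic tree and return sorted (reason, relative path) leads."""
    now = time.time() if now is None else now
    cutoff = now - window_hours * 3600
    root = Path(root)
    leads = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        for d in dirnames:
            if d.lower() in STAGING_DIRS:  # "logs" is also legitimate: a lead, not a verdict
                leads.append(("staging-dir", (rel_dir / d).as_posix()))
        for f in filenames:
            full, rel = Path(dirpath) / f, (rel_dir / f).as_posix()
            if f == RANSOM_NOTE:
                leads.append(("ransom-note", rel))
            elif f.lower().endswith(".jsp"):
                leads.append(("jsp-file", rel))
            elif f.lower().endswith(".xml") and full.stat().st_mtime >= cutoff:
                leads.append(("recent-xml", rel))
    return sorted(leads)


def build_sample_tree(root, now):
    """Constructed layout: a month-old config beside planted artifacts."""
    root = Path(root)
    files = {
        "pia/config/config.xml": now - 30 * 86400,          # untouched: not a lead
        "pia/applications/peoplesoft/x.jsp": now - 3600,    # dropped webshell
        f"pia/applications/peoplesoft/{RANSOM_NOTE}": now - 3600,
        "pia/scratchpad/stage.tar": now - 7200,             # staging folder
        "pia/webserv/portal.xml": now - 86400,              # modified yesterday
    }
    for rel, mtime in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("sample")
        os.utime(p, (mtime, mtime))


def demo_webroot_scan():
    now = time.time()
    with tempfile.TemporaryDirectory() as d:
        build_sample_tree(d, now)
        return scan_webroot(d, now=now)


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_ACCESS_LOG) + demo_webroot_scan():
        print(hit)
```

Point scan_access_log at the real WebLogic access logs and scan_webroot at the real PIA domain directory; the sample tree only exists so the block runs offline. Every lead still needs a human: a staging-dir hit on the domain's own logs directory or a recent-xml hit inside a change window is noise, a .jsp nobody deployed or the ransom note is not.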

And if you’re not doing any of this? Then you’re not a security professional. You’re a liability.

This isn’t about compliance. It’s about survival.

ShinyHunters didn’t break into a system. They broke into a culture. And that culture — the one that lets critical systems rot for years — is what we have to fix. Not the vulnerability. Not the IP. The mindset.

Because next time? It won’t be Nottingham. It’ll be you.
