In recent threat intelligence updates, Mandiant and the Google Threat Intelligence Group (GTIG) disclosed an active, high-impact cyber compromise and extortion campaign orchestrated by the advanced threat group UNC6240, colloquially recognized as ShinyHunters. Observed operating aggressively between May 27, 2026, and June 9, 2026, the threat actors systematically targeted critical Oracle PeopleSoft application infrastructures worldwide. The core mechanism of initial access involved the weaponization of CVE-2026-35273—a critical remote code execution (RCE) vulnerability carrying a CVSS severity score of 9.8. This flaw resides within the Environment Management component of the application, specifically exposing the Environment Management Hub (PSEMHUB) endpoints to unauthorized access. Crucially, because the active exploitation window predated Oracle’s official security advisory released on June 10, 2026, the campaign was carried out using a sophisticated zero-day vector, catching defenses off guard and escalating the threat profile across multiple verticals.
Upon discovering the initial vectors of widespread scanning and unauthorized access, GTIG and Mandiant initiated an extensive global notification response, directly contacting over 100 enterprise organizations whose public-facing IP addresses correlated with vulnerable PSEMHUB endpoints. The telemetry gathered during this proactive outreach revealed a stark geographic and industry concentration: while the majority of targeted organizations were based in the United States, an overwhelming 68 percent of the victims operated specifically within the higher education sector. This demographic focus underscores a calculated effort by UNC6240 to disrupt academic institutions and exploit their highly interconnected internal networks. The gravity of the campaign was brought to light following public disclosures by security researcher @nahamike01 on the social platform X, which pointed to exposed attacker directories on staging servers, thereby allowing rapid, detailed triage and forensic evaluation of the group’s operational playbooks.

Anatomy of Attack Staging and C2 Infrastructure
The breakthrough in understanding the tactical operational flow of UNC6240 came when threat analysts triaged five sequential IP addresses hosting the group’s staging environments: 142.11.200.186, 142.11.200.187, 142.11.200.188, 142.11.200.189, and 142.11.200.190. Each of these systems operated a Python-based SimpleHTTP server listening on port 8888, inadvertently exposing open directory listings that contained malicious staging materials, customized agents, and comprehensive command execution histories. Forensic inspection of these directories revealed pre-configured Windows MeshCentral agent binaries designed to masquerade as legitimate Microsoft Azure services. The binaries were compiled under descriptive names including meshagent32-azure-ops.exe, meshagent64-azure-ops.exe, and meshagent64-v2.exe. MeshCentral, an open-source remote management server framework, was leveraged to maintain persistence and seamless cross-platform management over the compromised endpoints.
Static analysis of the recovered MeshCentral agents indicated that they were hardcoded to establish secure WebSockets connections back to a command and control (C2) server located at wss://azurenetfiles.net:443/agent.ashx. The registration and choice of the domain azurenetfiles.net represents a classic technique of defensive evasion via typosquatting and masquerading, designed to mimic legitimate Microsoft Azure NetApp Files endpoints in network logs. Alongside these Windows-specific executables, attackers also staged an unconfigured Linux-compatible meshagent binary. The structural setup implies that the threat actors utilized dynamic parameter injection via the command-line interface during the exploitation of Linux-hosted Oracle frameworks. To secure and authenticate the C2 traffic, the group initialized the acme-client npm package on May 27, 2026, at 22:25 UTC, automating the generation of Let’s Encrypt SSL certificates for their masquerading infrastructure.
Technical Breakdown of Attacker Command History and Reconnaissance
The collection of an identical .bash_history file across all five staging infrastructure hosts provided an unprecedented, step-by-step chronological look into UNC6240’s internal post-exploitation workflows. The timeline establishes that the attackers deployed MeshCentral version 1.1.59 on May 27, 2026, at 22:14 UTC to coordinate their interactive operations. To interact with their deployed agents and issue remote tasks, the threat actors relied extensively on the MeshCentral command-line interface tool, meshctrl.js. Once a shell was established on a compromised Oracle PeopleSoft server, the initial triage involved executing baseline system identification commands, specifically checking the local hostname and current user privileges using hostname; id.
Following initial access verification, the threat actors executed targeted internal reconnaissance to systematically map the internal architecture of the target organizations. They evaluated storage configurations and active network file shares using commands such as mount | grep -E "psoft|ps_config|nfs". To map internal subnet topologies and locate interconnected production servers, they audited local network configurations and parsed host mapping tables via cat /etc/hosts | grep -E "[redacted_victim_string]". Most critically, the attackers systematically scraped application configurations to look for additional targets, utilizing precise regular expressions to target the Oracle Process Scheduler configuration file (psappsrv.cfg) to extract machine names and internal IP nodes:
grep -hE '^[[:space:]]*Address=|^[[:space:]]*HostName=' /u01/app/psoft/ps_config_homes/csprd/appserv/prcs/psappsrv.cfg 2>/dev/null | head -80
Furthermore, the actors read the core WebLogic server XML configurations (config.xml) to discover cluster layouts and adjacent application server nodes, ensuring they had full structural visibility before launching subsequent phases of the attack lifecycle.
Lateral Movement, Script Propagation, and Data Exfiltration
Once reconnaissance concluded, UNC6240 escalated operations by writing a custom lateral propagation and defacement shell script, designated as [victim_abbreviation]_fanout.sh, via a heredoc into the /tmp directory of the staging servers. The execution of this automated propagation payload was orchestrated at scale across compromised endpoints using the meshctrl.js execution framework:
node meshctrl.js RunCommand --loginuser admin --loginpass '[password]' --id '[agent_id]' --run 'bash /tmp/[victim_abbreviation]_fanout.sh'
The script was specifically structured to automate SSH credential spraying against internal server segments. It dynamically compiled an inventory of internal hostnames by parsing the local /etc/hosts file for specific naming patterns (e.g., csprd[0-9]). It then systematically looped through a hardcoded array of administrative, application-specific usernames and passwords, attempting to force authentication across the network fabric.
Upon successfully authenticating to an adjacent system, the script copied an extortion and defacement marker titled README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT directly into the targeted WebLogic and Process Scheduler directories. Concurrently, the attackers gathered targeted data directories and used the high-performance utility zstd to compress the exfiltrated archives efficiently while monitoring file transfer progress:
pv -s "$(du -sb exfil | awk '{print $1}')" | zstd -3 -T0 -o exfil.tar.zst
The operations concluded when the threat actors established an outbound SSH tunnel from their staging host to 176.120.22.24, a public clearnet mirror hosting the ShinyHunters Data Leak Site (DLS), where stolen organizational data was formally published on June 9, 2026.
Proactive Threat Hunting and Actionable Remediation Guide
To neutralize this active threat, enterprise security administrators running Oracle PeopleSoft configurations must apply immediate remediation controls. The highest priority mitigation involves disabling the Environment Management Hub (EMHub) service across multi-server topologies, or completely deleting the PSEMHUB application within single-server deployments as per Oracle’s formal advisory. If operational dependencies prevent the total disabling of the service, administrators must immediately enforce strict firewall or network perimeter blocks on external access to the /PSEMHUB/* (specifically /PSEMHUB/hub) and /PSIGW/HttpListeningConnector URI endpoints. Restricting these specific pathways is verified as a non-breaking action for standard enterprise operations, as they control backend system-to-system communications and do not impact core user-facing PeopleSoft Internet Architecture (PIA) browser sessions.
Defenders should immediately conduct comprehensive forensic log analysis and filesystem auditing across all WebLogic server tiers. Audit the PIA WebLogic access logs for anomalous HTTP POST requests directed at /PSEMHUB/hub and /PSIGW/HttpListeningConnector that originate from public or otherwise unauthorized external IP space. Look for Server-Side Request Forgery (SSRF) indicators by inspecting incoming headers and request parameters for loopback addresses (127.0.0.1, localhost, ::1) or internal network segments. At the filesystem level, scan the web application directories under <PS_CFG_HOME>/webserv/<domain>/applications/peoplesoft/PSEMHUB.war/ for unauthorized, newly created .jsp files that would indicate webshell deployment. Inspect the paths under .../PSEMHUB.war/envmetadata/transactions/ for unknown files or binary configurations, and verify that no anomalous directories named logs, persistantstorage, or scratchpad exist. Finally, cross-check <docroot>/envmetadata/data/environment/ for recent modifications to .xml files, which may indicate exploitation via the Java XMLDecoder to maintain persistence across an application reload.
Our Perspective: The Threat Analysis Opinion
The targeted execution of the CVE-2026-35273 zero-day campaign by ShinyHunters (UNC6240) highlights a strategic evolution in cyber extortion methodologies. Traditionally recognized for targeting cloud data repositories and SaaS providers, ShinyHunters’ pivot toward legacy on-premises enterprise resource planning (ERP) architectures indicates a sophisticated broadening of their operational purview. By exploiting the Oracle PeopleSoft Environment Management Hub, the group selected an enterprise component that is frequently overlooked during routine patch management cycles, yet yields profound backend access to highly sensitive organizational data.
The significant concentration of victim organizations within the higher education sector (68 percent) is particularly alarming. Academic institutions are high-value targets due to the vast repositories of personally identifiable information (PII), intellectual property, and financial records they maintain. Furthermore, higher education networks are inherently designed to facilitate open collaboration, often featuring decentralized security postures that simplify lateral movement for threat actors utilizing automated scripts like [victim_abbreviation]_fanout.sh. This incident serves as a stark reminder that legacy enterprise applications remain critical liabilities. Organizations cannot rely solely on reactive perimeter defenses or web application firewalls; comprehensive visibility, timely patch deployment, and network segmentation are imperative to safeguard critical infrastructure.
Technical Indicators of Compromise (IOCs)
| File Path / Name | Indicator Type | Description | Value / Hash (SHA-256) |
|---|---|---|---|
| .bash_history | File Hash | Exposed attacker command log | 2ab684d93c1553fad87041b4dea97188a97e78589deee2a7bacff905564f3a35 |
| meshagent64-azure-ops.exe | File Hash | Pre-configured Windows 64-bit agent | f02a924c9ff92a8780ce812511341182c6b509d45bc59f3f7b522e37225d24fc |
| meshagent64-v2.exe | File Hash | Pre-configured Windows 64-bit agent variant | d83fdb9e53c5ff03c4cb0451ea1bebd79b53f29eadc1e2fa394c7af13a86ce2f |
| meshagent32-azure-ops.exe | File Hash | Pre-configured Windows 32-bit agent | c7e9332731b06644fc73e0046a2a89eaa59b09f54250e9bd622467187351711f |
| meshagent | File Hash | Unconfigured compiled Linux agent | 68257a6f9ff196179ec03624e849927f26599eb180a7c82e14ef5bc4e93bc309 |
| README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT | Filename | Ransom / Defacement marker file | N/A |
| [victim_abbreviation]_fanout.sh | Filename | Automated lateral propagation script | N/A |
