Key Points:
- Google’s threat intelligence group detected a critical zero-day exploit campaign by the ShinyHunters gang.
- The hackers targeted Oracle PeopleSoft applications, with 68 percent of the victims in the higher education sector.
- The unpatched vulnerability allows unauthenticated remote code execution, carrying a severity score of 9.8.
- Affected entities include the University of Nottingham, whose leaked dataset contained roughly 455,000 unique email addresses.
Cybersecurity divisions within Google have identified a highly active compromise-and-extortion campaign targeting Oracle PeopleSoft application infrastructure. The threat group known as ShinyHunters is behind the attacks, using a critical zero-day vulnerability to breach organizations globally. This campaign poses a severe threat to the higher education sector, where many institutions rely on the software to manage core administrative databases. Threat analysts discovered the intrusion after the hackers accidentally left their own command tools exposed on public staging servers.
The security flaw, tracked as CVE-2026-35273, carries a critical severity rating of 9.8 out of 10. The vulnerability resides in the Environment Management component of Oracle PeopleSoft Enterprise PeopleTools and affects versions 8.61 and 8.62. Because the flaw allows unauthenticated remote code execution, an attacker who can reach the component over the network can execute arbitrary code and take complete control of the server without any valid credentials. Security researchers observed active exploitation of the then-unpatched bug for roughly two weeks beginning in late May, before the vendor issued its emergency out-of-band security advisory.
The extortion gang targeted cloud-hosted and on-premises servers across more than 100 organizations, comprising over 300 vulnerable software instances. According to analysis from threat researchers, higher education institutions bore the brunt of the campaign, accounting for 68 percent of the identified targets. Many of these affected universities are located in the United States, where large student information systems store highly sensitive personal records, financial aid applications, and academic credentials.
One of the first confirmed victims of the campaign is the University of Nottingham in the United Kingdom, which recently confirmed a significant data breach. The hacking group exfiltrated tens of gigabytes of student records and quickly published the stolen dataset on its public leak site. Cybersecurity monitors counted approximately 455,000 unique email addresses in the leaked files. The stolen records include names, physical addresses, telephone numbers, and highly sensitive demographic information such as passport numbers, ethnicity, and disability details.
Threat analysts reconstructed the attack chain after a third-party researcher spotted open directories on the hackers' staging servers. The attackers ran Python-based web servers on port 8888 that served directory listings, exposing their shell command history, remote management tooling, and lateral-movement scripts. The hackers deployed customized remote administration tools disguised as Microsoft Azure binaries that connected to a command-and-control server at a domain chosen to resemble a legitimate cloud service. Once on a server, they used a custom lateral-movement script to spray credentials across internal hosts and locate other vulnerable PeopleSoft systems.
The investigation also revealed an unusual motive behind the campaign's origins. Before launching their widespread attack on universities, the extortionists originally targeted a PeopleSoft server belonging to the Federal Bureau of Investigation (FBI), reportedly intending to use that compromise to publicly deny their involvement in recent "swatting" attacks that federal authorities had flagged. After that high-profile intrusion attempt failed, the group quickly pivoted to higher education, where the same enterprise software installed across dozens of schools let a single exploit act as a massive force multiplier.
The campaign highlights a broader shift in the cybercriminal landscape away from traditional ransomware encryption and toward pure data theft and extortion. Because modern organizations have improved their backup and disaster recovery systems, threat groups increasingly focus on exfiltrating sensitive data and threatening to leak it publicly to extract payments. By targeting software suites that manage payroll, human resources, and student records, extortionists gain maximum leverage through regulatory penalties, potential class-action lawsuits, and systemic reputational damage.
In response to the active zero-day attacks, Oracle released an urgent out-of-band security alert advising immediate action. Because the full patch is currently available only to customers with support accounts, the primary guidance centers on mitigation: administrators should disable the Environment Management Hub service on multi-server deployments, or remove the affected component entirely on single-server installations. Oracle also urges security teams to audit system logs for suspicious outbound traffic and to block unauthorized connections from their administrative infrastructure. Because exploitation began weeks before the advisory was published, disabling the component closes the entry point but does not evict an attacker who is already present, so the log review should look for earlier signs of compromise rather than only for future attempts.
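The staging-server and lateral-movement tradecraft described above, together with the vendor's advice to audit outbound traffic, suggests two cheap hunt rules for PeopleSoft hosts: egress to TCP/8888 (the port the attackers' Python-based staging web servers listened on) and TLS connections to domains that imitate a cloud provider without belonging to one. The script below is an added example, not code from the article, from Google, or from Oracle. The log line format, the host names, the internal address ranges, the allowlisted suffixes and the sample lines are all assumptions constructed for the demonstration.

```python
"""Hunt egress logs from PeopleSoft hosts for two indicators described in the
article: connections to TCP/8888 and TLS connections to cloud look-alike domains.

Added example (not the article's or Oracle's code). Log format, hosts, ranges,
allowlist and sample data are assumptions made for this demo.
"""
import ipaddress

# Trusted vendor/cloud suffixes (assumption; tune to your own estate).
LEGIT_SUFFIXES = (
    "microsoft.com", "microsoftonline.com", "azure.com", "windows.net",
    "office.com", "oracle.com", "amazonaws.com", "googleapis.com",
)
# Brand words that, in a non-allowlisted domain, suggest a look-alike.
BRAND_TOKENS = ("azure", "microsoft", "msft", "aws", "amazon", "google", "oracle")
STAGING_PORT = 8888  # port the attackers' Python web servers listened on
# RFC 1918 ranges used as "internal" (assumption about the estate).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample egress log lines (not real data). Fields:
# timestamp src_host dst_ip dst_port proto sni_or_dash
SAMPLE_LOGS = """\
2026-06-02T03:14:07Z psapp01 10.20.4.15 443 tcp -
2026-06-02T03:15:22Z psapp01 203.0.113.40 8888 tcp -
2026-06-02T03:16:01Z psapp01 198.51.100.7 443 tcp update.microsoft.com
2026-06-02T03:17:45Z psapp01 198.51.100.9 443 tcp azure-edge-sync.net
2026-06-02T03:18:10Z psapp02 192.0.2.55 443 tcp cdn.oracle.com
2026-06-02T03:19:00Z psapp02 10.20.4.16 8888 tcp -
"""


def parse_line(line):
    """Split one log line into a record; return None for malformed lines."""
    parts = line.split()
    if len(parts) < 5 or not parts[3].isdigit():
        return None
    sni = parts[5] if len(parts) > 5 and parts[5] != "-" else None
    return {"ts": parts[0], "src": parts[1], "dst": parts[2],
            "port": int(parts[3]), "proto": parts[4], "sni": sni}


def is_internal(addr):
    """True if addr falls in one of the assumed internal ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def is_cloud_lookalike(hostname):
    """Domain carries a cloud brand token but is not under a trusted suffix."""
    h = hostname.lower().rstrip(".")
    if any(h == s or h.endswith("." + s) for s in LEGIT_SUFFIXES):
        return False
    return any(tok in h for tok in BRAND_TOKENS)


def hunt(lines):
    """Return flagged records, each carrying the list of reasons it matched."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        if rec["port"] == STAGING_PORT:
            where = "internal host (possible lateral staging)" if is_internal(rec["dst"]) \
                else "external host (possible attacker staging server)"
            reasons.append(f"port {STAGING_PORT} to {where}")
        if rec["sni"] and is_cloud_lookalike(rec["sni"]):
            reasons.append(f"cloud look-alike domain {rec['sni']}")
        if reasons:
            findings.append({**rec, "reasons": reasons})
    return findings


def by_source(findings):
    """Count findings per source host, to see which servers to triage first."""
    counts = {}
    for f in findings:
        counts[f["src"]] = counts.get(f["src"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = hunt(SAMPLE_LOGS.splitlines())
    for h in hits:
        print(h["ts"], h["src"], "->", h["dst"], h["port"], "|", "; ".join(h["reasons"]))
    print("per-host totals:", by_source(hits))
```

To use this against a real estate, adapt parse_line to your proxy or NetFlow export and extend LEGIT_SUFFIXES with the vendors your PeopleSoft hosts legitimately talk to. Treat hits as leads rather than verdicts: the brand-token check will also fire on benign CDN or reseller names, and a port-8888 hit on an internal host deserves a look at that host too, since the attackers used the same staging servers to support lateral movement.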