ShinyHunters Targets Oracle PeopleSoft in Large-Scale Data Theft Attacks
The ShinyHunters extortion gang is actively targeting Oracle PeopleSoft servers in a widespread campaign, claiming to have stolen data from over 100 organizations. PeopleSoft, an enterprise software suite used for HR, finance, supply chain, and student administration, has been exploited across both cloud and on-premises instances.
The threat actor confirmed to BleepingComputer that the attacks leverage a "gadget chain" of old and zero-day vulnerabilities, though success varies depending on system configurations. While Oracle has not publicly acknowledged the breaches, ShinyHunters stated their initial goal was to breach an FBI portal running PeopleSoft an attempt that ultimately failed.
Most affected organizations are in the education sector, with Nottingham University already confirmed as a victim. The university’s data has been published on ShinyHunters’ leak site, and it has publicly acknowledged the incident.
Cybersecurity researcher Michael R uncovered exposed directories linked to the attacks, revealing staging materials such as MeshCentral agents and credential-spraying scripts. Indicators of compromise (IOCs) include multiple IP addresses (e.g., 142.11.200[.]186, 108.174.202[.]99) and a TLS certificate tied to the domain azurenetfiles[.]net, previously associated with ShinyHunters.
Analysis of exposed .bash_history files revealed a script that deploys a ransom note (README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT) on compromised PeopleSoft servers. The script scans for internal systems via /etc/hosts and attempts SSH access using common administrative accounts like psoft, oracle, and linuxadm, falling back to key-based authentication if passwords fail.
Organizations running PeopleSoft are advised to review logs for connections from the identified IOCs to assess potential exposure.
Oracle TPRM report: https://www.rankiteo.com/company/oracle
Nottingham University TPRM report: https://www.rankiteo.com/company/university-of-nottingham
"id": "orauni1781123069",
"linkid": "oracle, university-of-nottingham",
"type": "Cyber Attack",
"date": "6/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Education',
'name': 'Nottingham University',
'type': 'Educational Institution'},
{'industry': ['Education',
'HR',
'Finance',
'Supply Chain',
'Student Administration'],
'type': 'Organization'}],
'attack_vector': 'Exploitation of vulnerabilities (gadget chain of old and '
'zero-day vulnerabilities)',
'data_breach': {'data_exfiltration': 'Yes',
'personally_identifiable_information': 'Likely',
'sensitivity_of_data': 'High (enterprise data including HR, '
'finance, supply chain, and student '
'administration)'},
'description': 'The ShinyHunters extortion gang is actively targeting Oracle '
'PeopleSoft servers in a widespread campaign, claiming to have '
'stolen data from over 100 organizations. PeopleSoft, an '
'enterprise software suite used for HR, finance, supply chain, '
'and student administration, has been exploited across both '
'cloud and on-premises instances. The threat actor confirmed '
"the attacks leverage a 'gadget chain' of old and zero-day "
'vulnerabilities, though success varies depending on system '
'configurations. Most affected organizations are in the '
'education sector, with Nottingham University already '
'confirmed as a victim.',
'impact': {'brand_reputation_impact': 'Yes',
'data_compromised': 'Yes',
'identity_theft_risk': 'Yes',
'systems_affected': 'Oracle PeopleSoft servers (cloud and '
'on-premises)'},
'initial_access_broker': {'entry_point': 'Oracle PeopleSoft servers'},
'investigation_status': 'Ongoing',
'motivation': 'Extortion',
'post_incident_analysis': {'root_causes': 'Exploitation of old and zero-day '
'vulnerabilities in Oracle '
'PeopleSoft'},
'ransomware': {'data_exfiltration': 'Yes'},
'recommendations': 'Organizations running PeopleSoft are advised to review '
'logs for connections from the identified IOCs to assess '
'potential exposure.',
'references': [{'source': 'BleepingComputer'},
{'source': 'Cybersecurity researcher Michael R'}],
'response': {'enhanced_monitoring': 'Review logs for connections from '
'identified IOCs'},
'threat_actor': 'ShinyHunters',
'title': 'ShinyHunters Targets Oracle PeopleSoft in Large-Scale Data Theft '
'Attacks',
'type': 'Data Theft',
'vulnerability_exploited': ['Old vulnerabilities', 'Zero-day vulnerabilities']}