ShinyHunters Targets Education Sector with Oracle PeopleSoft Exploit
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
The threat actor UNC6240, also known as ShinyHunters, is running an active compromise and extortion campaign against Oracle PeopleSoft environments. The attackers abuse a zero-day remote code execution flaw in the Environment Management component to gain initial access. They then rely on MeshCentral for command and control and use custom scripts to support lateral movement and data theft.
Investigation
Mandiant and Google Threat Intelligence Group uncovered the campaign through analysis of exposed attacker staging directories. Their investigation revealed Python SimpleHTTP servers hosting malicious MeshCentral agents along with command-history artifacts. The researchers followed the intrusion chain from exploitation of CVE-2026-35273 through to later data exposure on the ShinyHunters Data Leak Site.
Mitigation
Organizations should immediately disable the Environment Management Hub (EMHub) service or remove the PSEMHUB application entirely. Perimeter defenses should block external access to /PSEMHUB/* and /PSIGW/HttpListeningConnector endpoints. Additional hardening should include auditing web-tier file systems for unauthorized .jsp files, watching for suspicious new directories, and monitoring for unexpected outbound SMB traffic.
Response
If compromise is suspected, organizations should restrict access to vulnerable PeopleSoft endpoints and review WebLogic access logs for suspicious POST activity. Forensic teams should search PSEMHUB directories for unauthorized files and inspect for XMLDecoder-based persistence. Outbound monitoring on port 445 should also be enabled to identify potential NTLM hash capture attempts.
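The access-log review and web-tier file audit recommended in the Mitigation and Response sections, as an added example written for this page (it is not the advisory's own detection rule or code). It assumes the WebLogic access log is in the default combined format, that 10.0.0.0/8 is the internal range, and it runs over constructed sample log lines; the PSEMHUB.war path is the one used by the simulation script below.

```python
# Added example: review WebLogic access logs for external POSTs to the
# PSEMHUB/PSIGW endpoints and audit PSEMHUB.war for unexpected .jsp files.
# Assumed: combined log format, internal range 10.0.0.0/8, constructed samples.
import ipaddress
import re
from pathlib import Path
WATCHED_PATHS = ("/PSEMHUB/", "/PSIGW/HttpListeningConnector")  # from the advisory
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption for this example
# Combined log format: ip ident user [date] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)')

def is_internal(ip_text):
    """True only for a parseable address in INTERNAL_NETS; unparseable
    values (e.g. a resolved hostname) are treated as external."""
    try:
        return any(ipaddress.ip_address(ip_text) in net for net in INTERNAL_NETS)
    except ValueError:
        return False

def suspicious_requests(lines):
    """(ip, path) for every POST to a watched endpoint from an external client."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and m["path"].startswith(WATCHED_PATHS):
            if not is_internal(m["ip"]):
                hits.append((m["ip"], m["path"]))
    return hits

def unexpected_jsp_files(jsp_paths, allowed):
    """Return .jsp paths (relative to PSEMHUB.war) absent from the known-good
    listing `allowed`, which should come from a clean install."""
    return sorted(p for p in jsp_paths if p.endswith(".jsp") and p not in allowed)

# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/May/2026:10:00:01 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512',
    '10.1.2.3 - - [01/May/2026:10:00:02 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/May/2026:10:00:03 +0000] "GET /psp/ps/signon.html HTTP/1.1" 200 900',
    '198.51.100.9 - - [01/May/2026:10:00:04 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for ip, path in suspicious_requests(SAMPLE_LOG):
        print(f"review: external POST from {ip} to {path}")
    war = Path("/webserv/applications/peoplesoft/PSEMHUB.war")  # path from the page
    if war.is_dir():  # allowed=set() flags every .jsp; supply a clean-install listing
        found = (str(p.relative_to(war)) for p in war.rglob("*.jsp"))
        print("unexpected .jsp files:", unexpected_jsp_files(found, set()))
```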
Attack Flow

graph TB
    %% Class Definitions Section
    classDef action fill:#99ccff
    classDef tool fill:#cccccc
    classDef vulnerability fill:#ff9999
    classDef file fill:#ccffcc

    %% Initial Access Stage
    vuln_psemhub["<b>Vulnerability</b><br/>CVE-2026-35273<br/>Exploitation of Oracle PeopleSoft<br/>Environment Management component (PSEMHUB)"]
    class vuln_psemhub vulnerability
    action_initial_access["<b>Action</b> – T1210: Exploitation of Remote Services<br/><b>Description</b>: Exploiting a zero-day RCE in PSEMHUB<br/>to gain initial access."]
    class action_initial_access action

    %% Command and Control Stage
    tool_meshcentral["<b>Tool</b> – MeshCentral<br/><b>Description</b>: Remote management server used for C2 staging.<br/><b>Type</b>: Remote Access Tool"]
    class tool_meshcentral tool
    tool_acme_client["<b>Tool</b> – acme-client (npm package)<br/><b>Description</b>: Automates SSL certificate provisioning<br/>for the masquerading domain azurenetfiles.net"]
    class tool_acme_client tool
    file_meshagent["<b>File</b> – meshagent64-azure-ops.exe<br/><b>Description</b>: Customized Windows MeshCentral agent<br/>used to facilitate remote management."]
    class file_meshagent file

    %% Reconnaissance Stage
    action_recon["<b>Action</b> – T1082: System Information Discovery<br/><b>Description</b>: Mapping Oracle PeopleSoft configurations<br/>and auditing network mounts."]
    class action_recon action
    tool_meshctrl["<b>Tool</b> – meshctrl.js<br/><b>Description</b>: MeshCentral command-line utility used for discovery."]
    class tool_meshctrl tool
    file_config_files["<b>Files Targeted</b><br/>psappsrv.cfg and WebLogic config.xml<br/>used for mapping configurations."]
    class file_config_files file

    %% Lateral Movement Stage
    action_lateral["<b>Action</b> – T1110.003: Brute Force: Password Spraying<br/><b>Description</b>: Performing SSH credential spraying<br/>against internal hosts."]
    class action_lateral action
    script_fanout["<b>File/Script</b> – [victim_abbreviation]_fanout.sh<br/><b>Description</b>: Custom bash script for credential spraying<br/>and propagation of extortion files."]
    class script_fanout file
    file_extort["<b>File</b> – README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT<br/><b>Description</b>: Defacement and extortion marker file."]
    class file_extort file

    %% Exfiltration Stage
    action_exfil["<b>Action</b> – T1560: Archive Collected Data<br/><b>Description</b>: Compressing stolen data before exfiltration."]
    class action_exfil action
    tool_zstd["<b>Tool</b> – zstd<br/><b>Description</b>: Utility used to compress exfiltrated directories."]
    class tool_zstd tool

    %% Connections Section
    %% Flow from vulnerability to access
    vuln_psemhub -->|exploited_via| action_initial_access

    %% Flow from access to C2
    action_initial_access -->|establishes_C2| tool_meshcentral
    tool_meshcentral -->|uses| tool_acme_client
    tool_meshcentral -->|deploys| file_meshagent

    %% Flow to Reconnaissance
    tool_meshcentral -->|facilitates| action_recon
    action_recon -->|uses| tool_meshctrl
    action_recon -->|inspects| file_config_files

    %% Flow to Lateral Movement
    action_recon -->|leads_to| action_lateral
    action_lateral -->|executes| script_fanout
    script_fanout -->|propagates| file_extort

    %% Flow to Exfiltration
    script_fanout -->|leads_to| action_exfil
    action_exfil -->|uses| tool_zstd
Detections
Possible Mesh Agent RMM Software Installation Attempt (via registry_event)
Possible MeshAgent Utility Usage Attempt (via process_creation)
Linux Script Was Created In Temporary Folders (via file_event)
IOCs (HashSha256) to detect: ShinyHunters Targets Education Sector with Oracle PeopleSoft Exploit
IOCs (SourceIP) to detect: ShinyHunters Targets Education Sector with Oracle PeopleSoft Exploit
IOCs (DestinationIP) to detect: ShinyHunters Targets Education Sector with Oracle PeopleSoft Exploit
Detection of ShinyHunters Propagation Script and Defacement Marker [Linux File Event]
Detect Oracle PeopleSoft PSEMHUB Exploitation by ShinyHunters [Webserver]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
- Attack Narrative & Commands: The adversary aims to exploit the Oracle PeopleSoft vulnerability to gain unauthorized access or escalate privileges. First, they perform reconnaissance by sending POST requests to PSEMHUB/hub to identify service availability. Second, they attempt to stage a web shell by writing a malicious .jsp file into the PSEMHUB.war application directory, specifically targeting the envmetadata/transactions/ path to hide their activity within legitimate-looking application metadata structures.
- Regression Test Script:

  #!/bin/bash
  # Simulation Script for Oracle PeopleSoft PSEMHUB Exploitation
  echo "[+] Starting Simulation..."

  # 1. Trigger selection_webservice_requests (HTTP POST)
  echo "[+] Step 1: Sending malicious POST requests..."
  curl -X POST "http://localhost/PSEMHUB/hub" -d "cmd=exploit"
  curl -X POST "http://localhost/PSIGW/HttpListeningConnector" -d "cmd=exploit"

  # 2. Trigger selection_fs_operations (File Creation)
  echo "[+] Step 2: Creating malicious .jsp files in target directories..."
  # Ensure directory exists for simulation (in a real test, this is the target)
  mkdir -p /webserv/applications/peoplesoft/PSEMHUB.war/envmetadata/transactions/
  # Create the malicious JSP file (single quotes keep the inner double quotes intact)
  echo '<% out.println("Exploited"); %>' > /webserv/applications/peoplesoft/PSEMHUB.war/envmetadata/transactions/shell.jsp
  # Create another .jsp file under the war directory to test the wildcard match
  echo '<% out.println("Malicious"); %>' > /webserv/applications/peoplesoft/PSEMHUB.war/malicious.jsp

  echo "[+] Simulation Complete. Check SIEM for alerts."
- Cleanup Commands:

  #!/bin/bash
  # Cleanup Script
  echo "[+] Cleaning up simulation artifacts..."
  rm -f /webserv/applications/peoplesoft/PSEMHUB.war/envmetadata/transactions/shell.jsp
  rm -f /webserv/applications/peoplesoft/PSEMHUB.war/malicious.jsp
  # Note: In production, do not delete directories, only the files created for testing.
  echo "[+] Cleanup finished."