ShinyHunters / UNC6240 Oracle PeopleSoft campaign (`key: shinyhunters-peoplesoft`)
From CTI Weekly Summary — 2026-W26 (Jun 22 – Jun 28, 2026) · published 2026-06-29
The campaign behind the § 1 NAIC breach. GTIG/Mandiant attributes active zero-day exploitation of Oracle PeopleSoft (CVE-2026-35273) between May 27 and June 9, predating Oracle's advisory, to UNC6240; staging environments deployed customised MeshCentral agents masquerading as cloud endpoints, then ran a per-victim `[victim]_fanout.sh` lateral-movement-and-defacement script (Google GTIG). ~300 PeopleSoft instances compromised, ~100 organisations notified, 68% higher education, with the University of Nottingham among the first named public victims (SecurityWeek). Status this week: NAIC is confirmed (§ 1) and notifications are still landing, so more European education and public-finance victims are likely. The weekly lens: this is ShinyHunters operating as a zero-day-capable ERP attacker, a capability shift from the brand's 2021–2024 credential-stuffing persona. Outstanding question: which EU universities running PeopleSoft are in the un-notified tail.