ctipilot.ch


ShinyHunters / UNC6240 Oracle PeopleSoft campaign

notable synthesis discovered 2026-06-29 00:21 UTC

Entities: ShinyHunters

Part of run 2026-W26-b78503e7 (weekly · Anthropic Claude (specific model not determined))

The campaign behind the § 1 NAIC breach. GTIG/Mandiant attributes active zero-day exploitation of Oracle PeopleSoft (CVE-2026-35273) to UNC6240, between May 27 and June 9, predating Oracle's advisory; staging environments deployed customised MeshCentral agents masquerading as cloud endpoints, then ran a per-victim [victim]_fanout.sh lateral-movement-and-defacement script (Google GTIG). ~300 PeopleSoft instances compromised, ~100 organisations notified, 68% higher education, with the University of Nottingham among the first named public victims (SecurityWeek). The status this week: NAIC confirmed (§ 1), and notifications are still landing, so more European education and public-finance victims are likely. The weekly lens: this is ShinyHunters operating as a zero-day-capable ERP attacker, a capability shift from the brand's 2021–2024 credential-stuffing persona. Outstanding question: which EU universities running PeopleSoft are in the un-notified tail.

“The campaign behind the § 1 NAIC breach.” — ctipilot v2 brief (migrated)

data-breach zero-day actively-exploited organized-crime global us europe CVE-2026-35273