ShinyHunters Targets Education Sector with Oracle PeopleSoft Exploit

Mandiant and GTIG attributed an active extortion and compromise campaign against Oracle PeopleSoft infrastructure to UNC6240 (ShinyHunters), which exploited CVE-2026-35273 as a zero-day against Environment Management Hub endpoints. The attackers ran MeshCentral staging servers and custom propagation scripts, and data stolen from victims was later published on the ShinyHunters Data Leak Site. #UNC6240 #ShinyHunters #OraclePeopleSoft #CVE-2026-35273 #MeshCentral #PSEMHUB

Keypoints

  • Mandiant and GTIG observed an active campaign between May 27, 2026, and June 9, 2026 targeting Oracle PeopleSoft infrastructure.
  • The activity was attributed to UNC6240, also known as ShinyHunters, and involved extortion and data theft.
  • The campaign exploited CVE-2026-35273, a critical RCE flaw in the Environment Management component, before Oracle’s advisory, making it a zero-day exploit.
  • Attackers targeted Environment Management Hub (PSEMHUB) endpoints and used openly accessible staging servers hosting MeshCentral agents disguised as Azure services.
  • The staging infrastructure contained command histories, custom agent binaries, and a propagation script named [victim_abbreviation]_fanout.sh used for lateral movement and defacement.
  • Stolen organization data was later published on the ShinyHunters Data Leak Site, confirming successful compromise in some victim environments.
  • GTIG notified more than 100 potentially vulnerable organizations, most of them in the United States and heavily concentrated in higher education.

MITRE Techniques

  • [T1190 ] Exploit Public-Facing Application – The attackers exploited Oracle PeopleSoft endpoints exposed to the internet through the Environment Management Hub and related services (‘the exploitation of CVE-2026-35273… targeting of Environment Management Hub (PSEMHUB) endpoints’).
  • [T1068 ] Exploitation for Privilege Escalation – Not supported by the quoted evidence: the ‘critical remote code execution vulnerability (CVSS 9.8)’ is the initial-access exploit already covered by T1190, and no post-exploitation privilege escalation is described; omitted.
  • [T1036 ] Masquerading – The attackers disguised MeshCentral agents and domains as legitimate Microsoft Azure services to hide malicious infrastructure (‘masquerading as legitimate cloud endpoints’, ‘azurenetfiles.net was chosen to mimic legitimate Microsoft Azure NetApp Files endpoints’).
  • [T1105 ] Ingress Tool Transfer – Custom agent binaries and scripts were staged on attacker-controlled servers and deployed to victims (‘staged the compiled Windows agent binaries’, ‘wrote the lateral propagation script’).
  • [T1021.004 ] Remote Services: SSH – The propagation script used SSH to authenticate to internal hosts and copy files (‘sshpass… ssh…’).
  • [T1021.006 ] Remote Services: Windows Remote Management – Not supported: ‘execute administrative command queries’ and ‘RunCommand’ describe MeshCentral’s own remote-command feature (covered under T1219), not WinRM; omitted.
  • [T1059.004 ] Command and Scripting Interpreter: Unix Shell – The attackers ran shell commands and a Bash propagation script on staging and victim systems (‘bash /tmp/[victim_abbreviation]_fanout.sh’, ‘.bash_history’).
  • [T1219 ] Remote Access Software – MeshCentral remote management agents and server were used to maintain control over compromised systems (‘installed the MeshCentral remote management server’, ‘MeshCentral agent’).
  • [T1082 ] System Information Discovery – The threat actors enumerated host and system details (‘hostname; id’).
  • [T1016 ] System Network Configuration Discovery – They inspected mounts, hosts files, and configuration files to map internal infrastructure (‘mount | grep’, ‘cat /etc/hosts’, ‘psappsrv.cfg’).
  • [T1005 ] Data from Local System – They read local application configuration on victim hosts to collect internal information (‘reading WebLogic server XML configurations’, ‘psappsrv.cfg’). The ‘exposed .bash_history file’ was on the attacker staging server and is an indicator, not victim data collection.
  • [T1021.001 ] Remote Services: Remote Desktop Protocol – Not directly mentioned; omitted.
  • [T1027 ] Obfuscated Files or Information – Not supported: the Azure-themed domain and agent names are masquerading (already mapped to T1036), and no obfuscation of files or payloads is described; omitted.
  • [T1106 ] Native API – Not explicitly present; omitted.
  • [T1041 ] Exfiltration Over C2 Channel – Exfiltrated directories were compressed on the staging host and an outbound SSH connection was made to the ShinyHunters DLS host (‘Compressed exfiltrated directories’, ‘outbound SSH connection to 176.120.22.24’). Because that SSH session is separate from the MeshCentral channel, T1048.002 (Exfiltration Over Asymmetric Encrypted Non-C2 Protocol) is the closer fit.
  • [T1070.004 ] File Deletion – The article mentions verifying defacement markers and staging activity, but no clear deletion is described; omitted.
  • [T1491 ] Defacement – The script copied a defacement and extortion marker file into application directories (‘copies a defacement and extortion marker file’); this is defacement rather than T1565.001 Stored Data Manipulation, which would require altering the application’s own data.

Indicators of Compromise

  • [IP addresses] Open staging hosts and DLS mirror – 142.11.200.186 and 142.11.200.187 (staging; the report lists three further sequential addresses not reproduced here); 176.120.22.24 (DLS)
  • [Domains] C2 and masquerading domain – azurenetfiles.net
  • [File names] Attacker staging and propagation artifacts – .bash_history, meshagent64-azure-ops.exe, plus four further files not reproduced here
  • [File names] Defacement/extortion marker and propagation script – README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT, [victim_abbreviation]_fanout.sh
  • [SHA-256 hashes] Staging command history and MeshCentral agents – 2ab684d93c1553fad87041b4dea97188a97e78589deee2a7bacff905564f3a35, f02a924c9ff92a8780ce812511341182c6b509d45bc59f3f7b522e37225d24fc, plus three further hashes not reproduced here
  • [Ports / URLs] C2 and staging access paths – port 8888 on the Python SimpleHTTP servers, wss://azurenetfiles.net:443/agent.ashx
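As an added detection example (not code from the Mandiant/GTIG report or from this page), the Python below matches the indicators listed above against a handful of constructed log lines: a proxy log, a DNS log, EDR process events, a file-hash inventory and a netflow record. Only the indicator values come from the page; the values the page elides (the further sequential IPs and further hashes) are deliberately left out rather than guessed, and the sshpass/ssh pattern is flagged as a behavioural heuristic, not as a listed indicator. Addresses are tokenised before comparison so that a near-miss such as 142.11.200.18 does not match 142.11.200.186 the way a substring search would.

```python
"""Match the page's ShinyHunters / PeopleSoft IoCs against sample log lines.

Added example; not part of the original report. Sample log lines are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Indicators copied from the page. Where the page elides further values
# ("other 3 sequential IPs", "other 3 more hashes") nothing is filled in.
STAGING_IPS = {"142.11.200.186", "142.11.200.187"}
DLS_IP = "176.120.22.24"
STAGING_PORT = 8888
C2_DOMAIN = "azurenetfiles.net"
FILE_NAMES = {
    "meshagent64-azure-ops.exe",
    "README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT",
}
SHA256_HASHES = {
    "2ab684d93c1553fad87041b4dea97188a97e78589deee2a7bacff905564f3a35",
    "f02a924c9ff92a8780ce812511341182c6b509d45bc59f3f7b522e37225d24fc",
}
# [victim_abbreviation]_fanout.sh: the prefix is per-victim, so match on the suffix.
FANOUT_RE = re.compile(r"\b[\w-]+_fanout\.sh\b", re.IGNORECASE)
# Heuristic, not an IoC: sshpass-driven ssh is the propagation pattern the page quotes.
SSHPASS_RE = re.compile(r"\bsshpass\b.*\bssh\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str   # "hard" for page-listed IoCs, "heuristic" for behaviour patterns
    ioc: str
    value: str


def scan_line(line_no: int, line: str) -> list[Hit]:
    """Return every indicator hit found in one log line."""
    hits: list[Hit] = []
    lower = line.lower()
    # Compare whole IPv4 tokens, never substrings.
    for ip in IPV4_RE.findall(line):
        if ip in STAGING_IPS:
            label = "staging_http" if f":{STAGING_PORT}" in line else "staging_ip"
            hits.append(Hit(line_no, "hard", label, ip))
        elif ip == DLS_IP:
            hits.append(Hit(line_no, "hard", "dls_ip", ip))
    if C2_DOMAIN in lower:
        hits.append(Hit(line_no, "hard", "c2_domain", C2_DOMAIN))
    for name in FILE_NAMES:
        if name.lower() in lower:
            hits.append(Hit(line_no, "hard", "file_name", name))
    for digest in SHA256_RE.findall(line):
        if digest.lower() in SHA256_HASHES:   # hashes may be logged in upper case
            hits.append(Hit(line_no, "hard", "sha256", digest.lower()))
    m = FANOUT_RE.search(line)
    if m:
        hits.append(Hit(line_no, "hard", "fanout_script", m.group(0)))
    if SSHPASS_RE.search(line):
        hits.append(Hit(line_no, "heuristic", "sshpass_ssh", "sshpass ... ssh"))
    return hits


def scan(lines) -> list[Hit]:
    """Scan an iterable of log lines; line numbers start at 1."""
    hits: list[Hit] = []
    for n, line in enumerate(lines, start=1):
        hits.extend(scan_line(n, line))
    return hits


# Constructed sample lines; none of these are real victim data.
SAMPLE_LOGS = [
    "2026-06-02T10:14:03Z proxy src=10.20.30.40 dst=142.11.200.186:8888 GET /meshagent64-azure-ops.exe",
    "2026-06-02T10:14:09Z dns client=10.20.30.40 query=azurenetfiles.net type=A",
    "2026-06-02T10:15:41Z edr host=psapp01 cmd='bash /tmp/abc_fanout.sh'",
    "2026-06-02T10:16:02Z edr host=psapp01 cmd='sshpass -p ******** ssh -o StrictHostKeyChecking=no psadm@10.20.30.41'",
    "2026-06-02T10:20:55Z inventory path=C:\\Temp\\agent.exe sha256=F02A924C9FF92A8780CE812511341182C6B509D45BC59F3F7B522E37225D24FC",
    "2026-06-02T10:30:00Z proxy src=10.20.30.40 dst=142.11.200.18:443 GET /index.html",  # near-miss, must not match
    "2026-06-02T11:02:17Z netflow src=10.20.30.40 dst=176.120.22.24:22 proto=tcp",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOGS):
        print(f"line {h.line_no:2d} [{h.kind}] {h.ioc}: {h.value}")
```

The "heuristic" kind is kept separate from "hard" hits so that a triage rule can page on a listed indicator but only enrich on the sshpass pattern, which is common enough in legitimate automation to need context before escalation.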


Read more: https://cloud.google.com/blog/topics/threat-intelligence/shinyhunters-targets-education-sector-oracle-exploit/