⚠ Active Campaign: ShinyHunters is currently exploiting Oracle PeopleSoft servers worldwide. Oracle has issued an emergency out-of-band patch for CVE-2026-35273. If your organisation uses PeopleSoft PeopleTools 8.61 or 8.62, apply the patch immediately.
What Is Happening?
ShinyHunters, a financially motivated extortion group with a long track record of large-scale data theft, has pivoted its operations toward enterprise resource planning (ERP) infrastructure. The group is actively targeting organisations running Oracle PeopleSoft, the suite used by large businesses and universities to manage HR, payroll, finance, and student records.
According to claims shared with BleepingComputer and TechCrunch, the group has compromised 300 PeopleSoft instances across more than 100 organisations, with educational institutions making up the majority of known victims. The attacks affect both cloud-hosted and on-premises deployments.
How the Attack Works
ShinyHunters is using what they describe as a "gadget chain", a combination of older, known vulnerabilities chained together with at least one previously unknown zero-day. Oracle has now confirmed and patched that zero-day, tracked as CVE-2026-35273: a critical remote code execution flaw in PeopleSoft PeopleTools versions 8.61 and 8.62 that an unauthenticated attacker can exploit over the network.
Once inside a PeopleSoft environment, the attackers:
- Perform credential spraying against common PeopleSoft and Oracle administrative accounts
- Attempt SSH access, falling back to key-based authentication if password attempts fail
- Exfiltrate sensitive data: HR records, payroll data, student information, and Social Security numbers
- Leave ransom notes directly on breached servers and attempt lateral movement to other connected PeopleSoft instances
Some IP addresses used in the campaign carry TLS certificates previously associated with ShinyHunters, giving threat researchers high confidence in attribution.
Known Victims
In June 2026, the University of Nottingham confirmed it suffered a cybersecurity incident linked to this PeopleSoft campaign. ShinyHunters claimed the breach and leaked tens of gigabytes of stolen data, including personal and academic records for nearly half a million current and former students.
Ralph Lauren Corporation and media company Nexstar are among the victims listed, with ShinyHunters claiming access to HR and payroll data held in their PeopleSoft environments.
The broader pattern is clear: no sector is off-limits. Higher education, retail, media, and financial services organisations all rely on PeopleSoft, and all are being actively scanned and targeted.
BreachWatcher subscribers are notified promptly if their credentials surface in any ShinyHunters breach or data leak. If you're not yet subscribed, now is the time.
What You Should Do
- Apply the Oracle patch immediately: Oracle's out-of-band advisory addresses CVE-2026-35273 and is available through the Oracle support portal. If you cannot patch right now, apply Oracle's documented mitigations without delay.
- Audit administrative credentials: Rotate all PeopleSoft and Oracle admin account passwords, eliminate shared or default credentials, and enforce unique, complex passwords across every account.
- Enable multi-factor authentication (MFA): Enable MFA on every PeopleSoft and Oracle administrative interface where it is supported.
- Restrict public exposure: PeopleSoft instances should not be directly reachable from the internet without a VPN or strong network-layer controls. Review your firewall rules now.
- Audit SSH key access: Review which keys have access to your PeopleSoft servers and revoke any that are unnecessary or unrecognised.
- Hunt for indicators of compromise: Look for ransom notes placed on servers, unusual outbound data transfers, and authentication attempts from unfamiliar IP addresses or with common default credentials.
- Monitor for credential exposure: Compromised employee credentials have been the initial foothold across multiple confirmed victims. Ensure you have ongoing monitoring in place for leaked credentials associated with your organisation's domains.
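
To support the hunting step, the following added example (not Oracle's or any vendor's tooling) scans OpenSSH sshd log lines for the pattern described earlier: failed passwords against several accounts from one source IP, followed by a successful key-based login from that same IP. The log lines, host and account names are constructed, and the min_accounts threshold is an assumption to tune for your environment.

```python
import re
from collections import defaultdict

# Standard OpenSSH sshd messages for failed passwords and accepted logins.
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED = re.compile(r"Accepted (\S+) for (\S+) from (\S+) port \d+")


def find_spray_then_key(lines, min_accounts=3):
    """Return one alert per key-based login that follows failed passwords
    against at least min_accounts distinct accounts from the same source IP."""
    failed_users = defaultdict(set)  # source IP -> accounts with failed passwords
    alerts = []
    for line in lines:
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            failed_users[ip].add(user)
            continue
        m = ACCEPTED.search(line)
        if m:
            method, user, ip = m.groups()
            if method == "publickey" and len(failed_users[ip]) >= min_accounts:
                alerts.append({
                    "ip": ip,
                    "logged_in_as": user,
                    "sprayed_accounts": sorted(failed_users[ip]),
                })
    return alerts


# Constructed sample: documentation IP ranges, made-up host and account names.
SAMPLE = """\
Jun 10 02:11:01 ps-app01 sshd[4101]: Failed password for root from 203.0.113.7 port 51514 ssh2
Jun 10 02:11:03 ps-app01 sshd[4102]: Failed password for invalid user psadmin from 203.0.113.7 port 51515 ssh2
Jun 10 02:11:05 ps-app01 sshd[4103]: Failed password for oracle from 203.0.113.7 port 51516 ssh2
Jun 10 02:12:40 ps-app01 sshd[4110]: Failed password for oracle from 198.51.100.20 port 40022 ssh2
Jun 10 02:12:52 ps-app01 sshd[4111]: Accepted publickey for oracle from 198.51.100.20 port 40023 ssh2: ED25519 SHA256:CONSTRUCTED
Jun 10 02:14:09 ps-app01 sshd[4120]: Accepted publickey for oracle from 203.0.113.7 port 51520 ssh2: ED25519 SHA256:CONSTRUCTED
""".splitlines()

if __name__ == "__main__":
    for alert in find_spray_then_key(SAMPLE):
        print(f"{alert['ip']} sprayed {alert['sprayed_accounts']} "
              f"then logged in as {alert['logged_in_as']} with a key")
```

An alert here is a reason to check which key was accepted and whether it belongs in that account's authorized_keys file, which ties into the SSH key audit step.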