Oracle PeopleSoft servers hacked in ShinyHunters data theft attacks
ShinyHunters targets Oracle PeopleSoft servers, claiming over 100 orgs breached.
Summary
The ShinyHunters extortion gang is actively targeting Oracle PeopleSoft servers, claiming to have stolen data from over 100 organizations using a mix of old and zero-day vulnerabilities. The attacks primarily impact the education sector, with Nottingham University acknowledging a breach and having data leaked. Researchers have identified associated IP addresses and tooling, including MeshCentral agents and a credential spray script, used in these ongoing data theft operations.
Full text
By Lawrence Abrams, June 10, 2026, 02:31 PM

Oracle PeopleSoft servers are being targeted in ongoing data theft attacks by the ShinyHunters extortion gang, which claims to have stolen data from over 100 organizations.

PeopleSoft is an enterprise business software suite used by large organizations to manage business operations such as human resources, payroll, finance, supply chain management, procurement, and student administration.

Yesterday, BleepingComputer learned of widespread data theft attacks targeting both cloud and on-premises Oracle PeopleSoft customer instances. These customers were receiving extortion demands that were signed by the ShinyHunters extortion gang.

Today, the threat actor confirmed to BleepingComputer that they were behind the attacks, claiming to have stolen data from 300 instances across more than 100 organizations.

ShinyHunters says they are using a "gadget chain" of old and zero-day vulnerabilities to conduct the attacks. However, they state that their attack is not working on all systems and believe that exploitation success may depend on how an instance is configured.

BleepingComputer contacted Oracle this morning to ask whether it is aware of an Oracle PeopleSoft zero-day being exploited in data theft attacks, but had not received a reply at this time.

According to the threat actor, most of the organizations impacted by these attacks are in the education sector, with many previously extorted by the threat actor.

They claim their initial goal was to breach an FBI portal running PeopleSoft to "publish a statement and set the record straight on some misinformation that has been spreading." However, they said their attack was not successful, and they were unable to gain access to the instance.

The threat actor told BleepingComputer that Nottingham University is a victim of these attacks, and that its data has already been published on the ShinyHunters data leak site.
The University also released a statement today, acknowledging that it suffered a cybersecurity incident.

While Oracle has not publicly disclosed any information about these attacks, cybersecurity researcher "Michael R" found several exposed online directories containing tooling related to this attack.

"ShinyHunters, (or a group impersonating them) exposed several directories revealing ongoing targeting of PeopleSoft (Enterprise Resource Planning software) environments," the researcher posted. "Also visible were staging materials, including MeshCentral agents, and a defacement and credential spray script."

The researcher shared the following IP addresses as IOCs related to these attacks: 142.11.200[.]186, 142.11.200[.]187, 142.11.200[.]188, 142.11.200[.]189, 142.11.200[.]190, 108.174.202[.]99, 176.120.22[.]24

Some of these IP addresses used a TLS certificate that has a common name of "azurenetfiles[.]net," which is a domain previously linked to the ShinyHunters extortion gang.

Five of the servers exposed a .bash_history file that gave some insight into the attacks, including a shell script designed to create a ransom note named "README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT" on an internal PeopleSoft server after it is breached.

ShinyHunters script (Source: Michael R)

The script parses the /etc/hosts to identify PeopleSoft-related systems and attempts to connect to them over SSH using common PeopleSoft and Oracle administrative accounts such as 'psoft', 'oracle', and 'linuxadm'. If password authentication fails, the script attempts to use SSH key-based authentication as a fallback. Once connected, the script drops the ransom note into directories associated with PeopleSoft web and application servers.

If you are running Oracle PeopleSoft, it is strongly advised that you analyze logs for any connections from the above IP addresses to determine whether you were targeted in these attacks.
If these IOCs are found, organizations should immediately begin incident response, investigate whether their PeopleSoft instance was compromised, and consider temporarily removing affected servers from internet access until the environment can be secured and reviewed.
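A log triage sketch for the checks described above, added here as an example and not taken from the article or the researcher's material. It matches the listed IPs as whole addresses (so 176.120.22.240 does not match 176.120.22.24) and flags an SSH login to one of the named accounts after the same source tried another of them. The sshd log wording and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# IoC addresses as printed (defanged) in the article text above.
DEFANGED = ("142.11.200[.]186 142.11.200[.]187 142.11.200[.]188 142.11.200[.]189 "
            "142.11.200[.]190 108.174.202[.]99 176.120.22[.]24")
IOC_IPS = {ipaddress.ip_address(t.replace("[.]", ".")) for t in DEFANGED.split()}
# Accounts the article says the script tries over SSH.
SPRAYED_USERS = {"psoft", "oracle", "linuxadm"}

IP_TOKEN = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
# Assumption: stock OpenSSH sshd syslog wording.
SSHD_AUTH = re.compile(
    r"sshd\[\d+\]: (Accepted|Failed) (\S+) for (?:invalid user )?(\S+) from (\S+)")

def ioc_hits(line):
    """Return IoC addresses found in a log line, compared as whole addresses."""
    hits = []
    for tok in IP_TOKEN.findall(line):
        try:
            ip = ipaddress.ip_address(tok)
        except ValueError:  # e.g. 999.1.1.1 or octets with leading zeros
            continue
        if ip in IOC_IPS:
            hits.append(str(ip))
    return hits

def triage(lines):
    """Return (line_no, kind, detail) findings for web and sshd log lines."""
    findings, tried = [], defaultdict(set)
    for n, line in enumerate(lines, 1):
        findings += [(n, "ioc-ip", ip) for ip in ioc_hits(line)]
        m = SSHD_AUTH.search(line)
        if not m or m.group(3) not in SPRAYED_USERS:
            continue
        result, method, user, src = m.groups()
        tried[src].add(user)
        # A success after the same source tried several of the named accounts.
        if result == "Accepted" and len(tried[src]) > 1:
            findings.append((n, "login-after-spray", f"{user} via {method} from {src}"))
    return findings

# Constructed sample lines (not real victim data).
SAMPLE = [
    '142.11.200.187 - - [09/Jun/2026:03:14:07 +0000] "GET / HTTP/1.1" 200 5120',
    '176.120.22.240 - - [09/Jun/2026:03:15:00 +0000] "GET / HTTP/1.1" 200 512',
    'Jun  9 03:20:01 psapp01 sshd[4121]: Failed password for psoft from 10.20.0.15 port 50122 ssh2',
    'Jun  9 03:20:03 psapp01 sshd[4125]: Failed password for oracle from 10.20.0.15 port 50130 ssh2',
    'Jun  9 03:20:06 psapp01 sshd[4129]: Accepted publickey for linuxadm from 10.20.0.15 port 50141 ssh2',
]
```

Feed `triage()` the lines of the web server access log and the sshd auth log from each PeopleSoft host; any finding is a reason to start the incident response steps above.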