ShinyHunters Turns an Oracle PeopleSoft Zero-Day Into a 100-Victim Extortion Spree

A CVSS 9.8 zero-day in Oracle PeopleSoft handed ShinyHunters more than 100 victims, most of them universities, while the group separately hit the Council of Europe and Kodak. The campaign shows how one server-side bug becomes an industrial extortion pipeline.

Published June 18, 2026

A Zero-Day in PeopleSoft Becomes an Extortion Engine

The extortion crew tracked as ShinyHunters has spent June turning a single Oracle vulnerability into one of the most productive data-theft campaigns of the year. The group exploited CVE-2026-35273, a remote code execution flaw in Oracle PeopleSoft Enterprise PeopleTools, rated CVSS 9.8, that requires no authentication and no user interaction. An attacker with network access over HTTP could run arbitrary commands on the application server. Oracle shipped a fix on June 10, but by then the door had been open for two weeks.

Mandiant, which tracks the activity cluster as UNC6240, says the bug was exploited as a zero-day between roughly May 27 and June 9. Mandiant CTO Charles Carmakal confirmed the flaw is being exploited in the wild, and the firm has identified more than 100 affected organizations. The attackers staged command-and-control through a domain named azurenetfiles.net, a deliberate attempt to blend into legitimate cloud traffic. PeopleTools versions 8.61 and 8.62 are the confirmed targets, and the fact that exploitation began so far ahead of the patch tells us the actors had real research depth, not opportunistic scanning.

Why Universities Took the Brunt

The victim profile is unusually concentrated. According to Mandiant, roughly 68 percent of the identified organizations are in higher education, the majority of them U.S.-based. The University of Nottingham is the largest confirmed case so far, with about 455,000 unique email addresses exposed across current students and alumni. The stolen records reportedly include names, postal addresses, phone numbers, passport numbers, and sensitive attributes such as ethnicity and disability status. For an institution, that is a near-complete identity profile for hundreds of thousands of people.

Universities are an easy mark for a reason. They run sprawling PeopleSoft deployments for student records, HR, and financials, often customized over a decade and rarely patched on day zero. Their security teams are chronically underfunded relative to the data they hold, and their internet-facing application footprint is large because faculty, students, and alumni all need remote access. We have argued before that ERP systems are the soft underbelly of large institutions, and this campaign is a textbook demonstration: one server-side bug in a system of record yields the entire population it serves.

The Council of Europe Adds a Geopolitical Dimension

On June 15, ShinyHunters listed the Council of Europe, the continent's leading human rights body, claiming the theft of more than 429,000 documents. The trove allegedly includes over 409,000 payslips covering more than 10,000 staff members and spanning records from 2011 to 2026. The exposed data reportedly contains names, dates of birth, home addresses, bank account details, salaries, employee IDs, medical records, and CVs. The group threatened to publish the files on June 16 if its demands were not met, and the Council confirmed it was investigating the claims.

This is where the campaign stops being a routine corporate breach. The Council of Europe oversees the European Court of Human Rights and works with activists, dissidents, and whistleblowers across 46 member states. A complete HR archive of its staff, including medical and financial records, is a counterintelligence asset, not just an extortion lever. Even if ShinyHunters is purely financially motivated, the data it holds could be sold or leaked into hands that are not. The targeting of an institution like this should reframe how policymakers think about who, exactly, profits when ERP systems fall.

Kodak and the Familiar Extortion Playbook

On the same June 15 listing, ShinyHunters named Kodak, alongside Sysco Corporation, where it claimed 61 million Salesforce records, and Houston City College in Texas. Kodak subsequently confirmed a data breach, with the group threatening to leak roughly 2.2 million records. The pattern across all of these victims is consistent: name the target on a Tor-hosted leak portal, set a short deadline, and dare the organization not to pay. When 7-Eleven missed its April 21 deadline, the group published a 9.4-gigabyte archive the next day. The threat is credible because the follow-through is documented.

What stands out in 2026 is the industrialization of the model. ShinyHunters has chained together a misconfigured Salesforce Experience Cloud campaign, the Oracle PeopleSoft zero-day, and earlier hits on Instructure Canvas and Charter Communications into a continuous pipeline. The group has effectively built a breach factory where the entry technique rotates but the monetization stays the same. That repeatability is the real lesson. Defenders who treat each incident as isolated will keep losing to an adversary that treats them as one long campaign.

What Defenders Should Do This Week

The immediate action is unambiguous: apply Oracle's June 10 PeopleTools update for versions 8.61 and 8.62, and treat any unpatched, internet-facing PeopleSoft instance as presumed compromised. Because exploitation predates the patch by weeks, patching alone is insufficient. Teams should hunt for the azurenetfiles.net indicator, review web server and application logs from late May onward for anomalous HTTP requests, and audit for unexpected administrative activity or new accounts. PeopleSoft application servers should be assumed to have been a staging point for credential and data theft until proven otherwise.
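As an added illustration of the triage and hunt steps above (this is example code, not Oracle's, Mandiant's or the article's), the script below classifies a PeopleSoft inventory against the affected versions and patch timeline, and scans an outbound proxy log for the azurenetfiles.net indicator, including subdomains. The host naming convention `psft-app-*`, the inventory fields and the proxy-log format are assumptions, and all sample data is constructed.

```python
from datetime import date, datetime

# Indicator and timeline from the article; host names and log format are assumptions.
C2_DOMAIN = "azurenetfiles.net"
ZERO_DAY_START = date(2026, 5, 27)   # start of Mandiant's observed exploitation window
PATCH_DATE = date(2026, 6, 10)       # Oracle's fix for PeopleTools 8.61/8.62
AFFECTED_VERSIONS = {"8.61", "8.62"}

def matches_c2(host: str) -> bool:
    """Match the C2 domain or any subdomain. An exact compare misses
    files.azurenetfiles.net; a bare suffix test would hit notazurenetfiles.net."""
    host = host.lower().rstrip(".")
    return host == C2_DOMAIN or host.endswith("." + C2_DOMAIN)

def triage(asset: dict) -> str:
    """Exploitation predates the patch, so patched hosts still need a hunt."""
    if asset["version"] not in AFFECTED_VERSIONS:
        return "not an affected version"
    if not asset["internet_facing"]:
        return "affected version, internal: patch and review"
    if asset.get("patched_on") is None:
        return "unpatched, internet-facing: presume compromised"
    return "patched after exploitation began: hunt required"

def hunt_outbound(log_text: str) -> list:
    """Flag outbound hits on the C2 indicator in a proxy log of the form
    '<iso-ts> <src-host> <dest-host>'. App-tier hosts inside the zero-day
    window rank HIGH; anything else matching ranks MEDIUM."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dest = line.split()
        if not matches_c2(dest):
            continue
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date()
        app_tier = src.startswith("psft-app-") and ZERO_DAY_START <= when < PATCH_DATE
        findings.append(("HIGH" if app_tier else "MEDIUM", src, dest, ts))
    return findings

# Constructed sample inventory and proxy log (not real data).
ASSETS = [
    {"name": "psft-app-01", "version": "8.61", "internet_facing": True, "patched_on": date(2026, 6, 11)},
    {"name": "psft-app-02", "version": "8.62", "internet_facing": True, "patched_on": None},
    {"name": "psft-old-01", "version": "8.60", "internet_facing": True, "patched_on": None},
]
PROXY_LOG = """2026-05-26T09:12:04Z psft-app-01 updates.vendor.example
2026-05-29T02:41:17Z psft-app-01 files.azurenetfiles.net
2026-06-12T10:00:00Z hr-laptop-07 azurenetfiles.net
2026-06-03T23:05:50Z psft-app-02 azurenetfiles.net.evil.example"""
```

The last log line is deliberately a look-alike that should not match; the point of `matches_c2` is that a suffix test must be anchored on the dot or it produces both misses and false hits.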

Longer term, this campaign is an argument for shrinking the attack surface of systems of record. PeopleSoft, Salesforce Experience Cloud, and similar platforms do not belong on the open internet without strong network controls, web application firewalls tuned to the product, and aggressive monitoring. We would also push organizations to inventory exactly what sensitive data their ERP and CRM systems hold, because the breach disclosures here suggest many victims did not fully grasp the blast radius until ShinyHunters told them. You cannot defend data you have not catalogued.

Tagged: #news #security #cybersecurity #breach #zero-day #oracle #shinyhunters #extortion