INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
ShinyHunters Exploits Oracle PeopleSoft Vulnerability
| 2026-06-11 14:00 | LOW | HIGH
Executive Summary (AI-generated)
The threat actors behind the "ShinyHunters" campaign, which targeted the Education sector through Oracle PeopleSoft exploitation, have been quietly expanding their reach. Tactical telemetry recovered from their infrastructure shows them using the MeshCentral CLI utility to execute administrative command queries on compromised remote endpoints. This reconnaissance was followed by public threat reports highlighting open attacker directories. Five sequential IP addresses were then triaged: staging infrastructure hosting pre-configured Windows MeshCentral agent binaries disguised as Microsoft Azure services. The agents were hardcoded to communicate with a command and control server whose domain mimics legitimate Microsoft Azure NetApp Files endpoints. A global notification response campaign alerted over 100 exposed organizations so they could restrict access to vulnerable endpoints. The attackers have been building this infrastructure since May 27, 2026, installing a MeshCentral remote management server and automating provisioning of Let's Encrypt SSL certificates for their masquerading domain.
Technical Mitigations (AI-generated)
* Implement secure patching and vulnerability scanning for Oracle PeopleSoft systems to prevent similar exploits.
* Configure Linux systems with a strong firewall, intrusion detection system (IDS), and network access control (NAC) to block unauthorized incoming connections.
* Regularly update and patch software applications running on the staging servers, including MeshCentral and acme-client, to ensure they have the latest security patches.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns: Campaign Overview (prior campaign)
Target & Sectors: Global scope; education
Incident Timeline
May 27, 2026
The threat actors used the MeshCentral remote management server (version 1.1.59) to establish a C2 staging environment on the ShinyHunters public clearnet mirror, which hosts Oracle PeopleSoft configurations and allows them to automate SSL certificate provisioning for azurenetfiles.net.
On May 27, 2026, at 22:14 UTC, the attackers installed the MeshCentral remote management server (version 1.1.59) to establish their C2 staging environment.
Staging Infrastructure Setup:
May 27, 2026, 22:14 UTC: Installed MeshCentral (v1.1.59).
22:25 UTC: Installed "acme-client" to establish the C2 staging environment and automate SSL certificate provisioning for azurenetfiles.net.
Staged the compiled Windows agent binaries (meshagent32-azure-ops.exe, etc.).
They mapped Oracle PeopleSoft configurations by inspecting mount points, checking the process scheduler configuration file psappsrv.cfg, and reading WebLogic server XML configurations (config.xml).
The session log ends with the attackers establishing an outbound SSH connection from their staging system to 176.120.22.24, which hosts the public clearnet mirror of the ShinyHunters DLS.
May 29, 2026
The attackers used the MeshCentral CLI utility meshctrl.js to execute administrative command queries on compromised remote endpoints.
2. Targeted Internal Reconnaissance:
Leveraged the MeshCentral CLI utility meshctrl.js to execute administrative command queries on compromised remote endpoints: hostname; id.
June 9 2026
Threat actors used an unconfigured Linux meshagent binary to target Higher Education organizations hosting open staging directories on Microsoft Azure NetApp servers.
Threat Detail & Campaign Overview
On June 9 2026, public threat reports highlighted open attacker directories.
These organizations are significantly concentrated in the Higher Education sector; 68 percent are academic institutions, including universities and colleges worldwide.
GTIG triaged five sequential IP addresses: 142.11.200.186, 142.11.200.187, 142.11.200.188, 142.11.200.189, and 142.11.200.190.
The staging infrastructure hosted pre-configured Windows MeshCentral agent binaries disguised as Microsoft Azure services, specifically named meshagent32-azure-ops.exe, meshagent64-azure-ops.exe, and meshagent64-v2.exe.
MeshCentral is an open-source remote management server; its agent is software that runs on remote devices to allow for remote management across various operating systems, including Windows, Linux, macOS, and FreeBSD.
An unconfigured Linux meshagent binary was also staged, suggesting that the threat actors passed parameters dynamically via the command line during deployment.
The domain azurenetfiles.net was chosen to mimic legitimate Microsoft Azure NetApp Files endpoints, a common masquerading tactic.
Global Notification Response Campaign
Prior to the discovery of the open staging directories, we began an effort to alert over 100 exposed organizations to assist in restricting access to vulnerable endpoints.
These systems were hosting Python SimpleHTTP servers on port 8888, exposing directory contents that included staging materials, customized agents, and attacker command histories.
Technical Analysis & Command History
The exposed .bash_history file, which was identical across all five staging hosts, outlines the server configuration and administrative actions.
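The indicators in the sections above (the five staging hosts, the DLS mirror address, the azurenetfiles.net masquerade domain, and the renamed MeshCentral agent binaries) are what a defender would sweep egress logs for. The following block is an added example, not code from Mandiant, GTIG or the MeshCentral project: it takes those page-listed indicators, parses a constructed single-line egress log format (timestamp, source, destination:port, SNI/host, URL path), and returns one hit per matching reason. The log format and the 203.0.113.x addresses are constructed for illustration; nothing here is claimed to be the analysts' own tooling.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Indicators taken from the report above. Everything else in this block
# (log format, sample lines, 203.0.113.x addresses) is constructed.
STAGING_IPS = {ipaddress.ip_address(f"142.11.200.{n}") for n in range(186, 191)}
DLS_MIRROR_IP = ipaddress.ip_address("176.120.22.24")
MASQUERADE_DOMAIN = "azurenetfiles.net"
AGENT_BINARIES = {
    "meshagent32-azure-ops.exe",
    "meshagent64-azure-ops.exe",
    "meshagent64-v2.exe",
}


@dataclass
class Hit:
    line_no: int
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Parse the constructed format: '<ts> <src> -> <dst>:<port> <host> <path>'.
    '-' stands for an absent host or path. Returns None for malformed lines."""
    parts = line.split()
    if len(parts) != 6 or parts[2] != "->":
        return None
    dst, _, port = parts[3].rpartition(":")
    if not port.isdigit():
        return None
    return {"ts": parts[0], "src": parts[1], "dst": dst,
            "port": int(port), "host": parts[4], "path": parts[5]}


def check_record(rec: dict) -> list:
    """Return every indicator match for one parsed record (empty list if clean)."""
    reasons = []
    try:
        dst = ipaddress.ip_address(rec["dst"])
    except ValueError:
        dst = None
    if dst in STAGING_IPS:
        reasons.append(f"destination {dst} is a known staging host")
    elif dst == DLS_MIRROR_IP:
        reasons.append(f"destination {dst} hosts the ShinyHunters DLS mirror")
    # Match the masquerade domain and any subdomain; trim a trailing FQDN dot.
    host = rec["host"].lower().rstrip(".")
    if host == MASQUERADE_DOMAIN or host.endswith("." + MASQUERADE_DOMAIN):
        reasons.append(f"host {host} is the Azure NetApp Files masquerade domain")
    # Compare only the final path component against the staged agent names.
    name = rec["path"].rsplit("/", 1)[-1].lower()
    if name in AGENT_BINARIES:
        reasons.append(f"download of disguised MeshCentral agent {name}")
    return reasons


def scan(log_text: str) -> list:
    """Scan a whole log; malformed lines are skipped rather than failing the sweep."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        for reason in check_record(rec):
            hits.append(Hit(n, reason))
    return hits


# Constructed sample egress log: line 1 pulls a renamed agent from a staging host
# on the SimpleHTTP port, line 2 beacons to the masquerade domain, line 3 is an
# SSH session to the DLS mirror, line 4 is benign traffic that must not fire.
SAMPLE_LOG = """\
2026-06-09T10:01:12Z 10.20.5.17 -> 142.11.200.188:8888 - /meshagent64-azure-ops.exe
2026-06-09T10:01:40Z 10.20.5.17 -> 203.0.113.10:443 files.azurenetfiles.net /agent.ashx
2026-06-09T10:02:05Z 10.20.5.31 -> 176.120.22.24:22 - -
2026-06-09T10:03:00Z 10.20.5.17 -> 203.0.113.20:443 login.microsoftonline.com /common/oauth2
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.reason}")
```

Port 8888 is deliberately not an indicator on its own: the report ties it to the Python SimpleHTTP listener on the staging hosts, but the port is common enough in benign traffic that it is only useful as context once the destination or filename has already matched.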
2026/06/11
ShinyHunters exploited vulnerabilities in Oracle PeopleSoft to target the education sector on June 11, 2026.
Tactical Metrics
Affected Product: Windows, Linux, macOS (MeshCentral agent; see the June 9 context above)
Exposed Organizations: 100 (Global Notification Response Campaign)
Software Version: 1.1.59 (MeshCentral server, installed May 27, 2026, 22:14 UTC)
Intelligence Sources
Mandiant, 2026-06-11
Incident Version History
Current version, last updated: 2026-06-29T10:30
Comprehensive Tactical Telemetry
Highly Correlated Entities:
- ShinyHunters Targets Education (organisation, identified entity): 19x
- June 9 2026 (date, temporal reference): 3x
- Windows (software, affected product): 3x
- Campaign Overview (operation, campaign): 2x
Contextual Telemetry (8 metrics):
- Targeted Sector: Education
- Percent: 68
- Cyber Operation Type: Reconnaissance
- Exposed Organizations: 100
- Software Version: 1.1.59
- MITRE ATT&CK Technique: T1059.006 - Python
- Port: 8888
- Case: 1