Published Monday, June 22, 2026 at 07:08 PM PT

BLUF: Threat actor ShinyHunters (tracked as UNC6240) is conducting an active compromise and extortion campaign targeting Oracle PeopleSoft applications, with confirmed focus on the education sector. Organizations running Oracle PeopleSoft should treat this as an active threat and audit exposure immediately.
DETAILS
- Attribution confirmed: Mandiant and Google Threat Intelligence Group (GTIG) have jointly attributed this campaign to UNC6240, a threat actor publicly known as ShinyHunters, a group with a documented history of large-scale data theft and extortion operations.
- Attack vector: The campaign exploits Oracle PeopleSoft applications. Specific CVE(s) involved have not been confirmed in available reporting at this time; treat all PeopleSoft deployments as potentially at risk pending further disclosure.
- Campaign nature: Described as an active compromise and extortion campaign, indicating data exfiltration and ransom demands are likely components. Exact extortion methodology is not yet confirmed in available details.
- Sector targeting: Education sector organizations are the confirmed primary target. Whether additional sectors are affected is not confirmed at this time.
- Source credibility: Attribution and campaign details originate from Mandiant and GTIG, high-confidence sources with direct incident response visibility.
IMPACT
- Who is affected: Higher education institutions and K-12 organizations running Oracle PeopleSoft, commonly used for student information systems (SIS), HR, and financial management.
- Data at risk: PeopleSoft environments in education typically contain highly sensitive PII including student records, financial aid data, employee records, and Social Security Numbers.
- Scope: The campaign is described as active. A confirmed victim count is not available in current reporting.
RECOMMENDED ACTIONS
- Audit immediately: Identify all Oracle PeopleSoft instances in your environment, including internet-facing deployments and administrative portals.
- Restrict access: Limit external access to PeopleSoft interfaces where operationally feasible; enforce MFA on all administrative accounts.
- Patch posture review: Verify all available Oracle PeopleSoft patches and CPU (Critical Patch Update) releases are applied; prioritize any recent updates.
- Hunt for indicators: Engage threat hunting for anomalous authentication, data staging, or exfiltration activity within PeopleSoft environments. Contact Mandiant/GTIG for IOCs if available through your threat intel subscriptions.
- Incident response readiness: If compromise is suspected, isolate affected systems and engage IR resources. Do not negotiate with threat actors without legal counsel.
- Notify stakeholders: If student or employee data may be affected, begin preliminary breach notification assessment per applicable regulations (FERPA, state breach laws).
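
A starting point for the exfiltration part of the "Hunt for indicators" action, added here as an example and not taken from Mandiant/GTIG reporting: it totals response bytes per client on PeopleSoft web paths and flags clients far above the median. Assumptions: web-tier access logs in common log format, PeopleSoft served under `/psp/` and `/psc/`, and illustrative thresholds; the sample lines and component names are constructed.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed sample lines (documentation IP ranges, placeholder component names).
SAMPLE_LOG = """\
192.0.2.10 - - [22/Jun/2026:10:00:01 +0000] "GET /psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT HTTP/1.1" 200 18234
192.0.2.11 - - [22/Jun/2026:10:00:05 +0000] "GET /psc/ps/EMPLOYEE/SA/c/EXAMPLE_MENU.EXAMPLE_COMP.GBL HTTP/1.1" 200 20411
192.0.2.12 - - [22/Jun/2026:10:01:12 +0000] "GET /psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT HTTP/1.1" 200 15002
203.0.113.50 - - [22/Jun/2026:02:14:40 +0000] "GET /psc/ps/EMPLOYEE/SA/c/EXAMPLE_MENU.EXAMPLE_COMP.GBL HTTP/1.1" 200 4200000
203.0.113.50 - - [22/Jun/2026:02:14:55 +0000] "GET /psc/ps/EMPLOYEE/SA/c/EXAMPLE_MENU.EXAMPLE_COMP.GBL HTTP/1.1" 200 3900000
192.0.2.10 - - [22/Jun/2026:10:02:00 +0000] "GET /static/banner.png HTTP/1.1" 200 999999999
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
# Assumption: PeopleSoft portal and content servlets are mapped under /psp/ and /psc/.
PS_PATH_RE = re.compile(r'^/ps[pc]/', re.IGNORECASE)

def summarize(log_text):
    """Return {ip: {"bytes": int, "requests": int}} for PeopleSoft paths only."""
    stats = defaultdict(lambda: {"bytes": 0, "requests": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not PS_PATH_RE.match(m["path"]):
            continue  # unparseable line or non-PeopleSoft path
        entry = stats[m["ip"]]
        entry["requests"] += 1
        entry["bytes"] += 0 if m["size"] == "-" else int(m["size"])
    return dict(stats)

def flag_outliers(stats, factor=10, min_bytes=1_000_000):
    """Return clients whose response volume exceeds both an absolute floor
    and `factor` times the median client volume (illustrative thresholds)."""
    if not stats:
        return []
    med = median(s["bytes"] for s in stats.values())
    return sorted(
        ip for ip, s in stats.items()
        if s["bytes"] >= min_bytes and s["bytes"] > factor * med
    )

if __name__ == "__main__":
    for ip in flag_outliers(summarize(SAMPLE_LOG)):
        print("review:", ip)
```

Tune `factor` and `min_bytes` against a known-good baseline for your environment; batch integrations and reporting users can legitimately pull large volumes.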
⚠️ UNCERTAINTY FLAG: Specific CVE(s) being exploited, full IOC sets, and confirmed victim count are not available in current reporting. This alert will require an update as Mandiant/GTIG release additional technical details.
SOURCES
- Mandiant / Google Threat Intelligence Group (GTIG): Active campaign reporting on UNC6240
- Google Threat Intelligence feed (trigger source)
