Published Thursday, June 11, 2026 at 03:55 PM PT

BLUF: Mandiant and Google Threat Intelligence Group have confirmed an active compromise and extortion campaign by ShinyHunters (tracked as UNC6240) targeting Oracle PeopleSoft infrastructure in the education sector. Organizations running Oracle PeopleSoft should treat this as an active threat and audit systems immediately.
DETAILS
- Mandiant and Google Threat Intelligence Group (GTIG) jointly attributed the campaign to UNC6240, a threat actor publicly known as ShinyHunters, a group with a documented history of large-scale data theft and extortion operations.
- The campaign specifically targets Oracle PeopleSoft application infrastructure, widely deployed across universities and higher education institutions for HR, finance, and student data management.
- The activity involves both compromise and extortion, indicating data exfiltration is likely occurring or has occurred prior to ransom demands being issued.
- NOTE: Specific CVE identifiers, exploit technical details, and confirmed victim count have not been confirmed in available source material at this time; treat those details as pending.
- ShinyHunters has previously been linked to high-volume credential theft and data broker activity; education sector targeting aligns with the group’s history of pursuing large repositories of PII.
IMPACT
- Primary targets: Higher education institutions and universities running Oracle PeopleSoft for ERP, HCM, or student information systems.
- Data at risk: Student records, employee PII, financial data, and authentication credentials stored within PeopleSoft environments.
- Scope: Confirmed active campaign, not a historical or theoretical threat. Extortion component suggests victims may face public data exposure or sale if demands are not met.
- Secondary risk: Institutions using PeopleSoft in healthcare, government, or enterprise contexts should also elevate monitoring posture pending further scope clarification.
RECOMMENDED ACTIONS
- Immediately audit Oracle PeopleSoft internet-facing instances for signs of unauthorized access, anomalous queries, or privilege escalation.
- Review and restrict external access to PeopleSoft portals; enforce MFA where not already in place.
- Check Oracle patch status: ensure all available PeopleSoft security patches are applied; prioritize any recent Critical Patch Update (CPU) advisories.
- Hunt for indicators: engage threat intelligence feeds for UNC6240/ShinyHunters IOCs; Mandiant customers should query GTIG directly for campaign-specific indicators.
- Activate incident response protocols if anomalous access is detected; do not delay pending full investigation.
- Notify legal and compliance teams proactively given the extortion component and likely PII exposure.
SOURCES
- Mandiant / Google Threat Intelligence Group (GTIG): active campaign attribution
- Source detail on specific exploit mechanism and full victim scope: PENDING; monitor Mandiant and Oracle Security Advisories for updates
