Oracle PeopleSoft Data Theft Claimed by ShinyHunters

Executive Summary

On 10 June 2026, BleepingComputer reported that Oracle PeopleSoft servers are allegedly being targeted in ongoing data theft attacks by the ShinyHunters extortion gang, which claims to have stolen data from over 100 organizations. PeopleSoft is an enterprise business software suite used by large organizations to manage HR, payroll, finance, supply chain, procurement, and student administration.

Key Takeaways

  • Scale & Attribution: The attacks target both cloud and on-premises Oracle PeopleSoft instances, with ShinyHunters confirming they are behind the attacks and claiming to have stolen data from 300 instances across more than 100 organizations.
  • Attack Method: ShinyHunters says they are using a “gadget chain” of old and zero-day vulnerabilities, though they note the attack does not work on all systems and believe exploitation success may depend on how an instance is configured.
  • Primary Targets: Most of the organizations impacted are in the education sector, with many having been previously extorted by the threat actor.
  • Known Victim: ShinyHunters confirmed Nottingham University as a victim, with its data already published on their leak site. The University released a statement acknowledging a cybersecurity incident.
  • Attack Mechanics: Exposed servers revealed a shell script designed to drop a ransom note on breached PeopleSoft servers. The script parses /etc/hosts to identify PeopleSoft-related systems, attempts SSH connections using common admin accounts such as psoft, oracle, and linuxadm, falls back to SSH key-based authentication if passwords fail, and then drops the ransom note into PeopleSoft web and application server directories.

Indicators of Compromise (IoCs)

IP Addresses (defanged):

  • 142.11.200[.]186
  • 142.11.200[.]187
  • 142.11.200[.]188
  • 142.11.200[.]189
  • 142.11.200[.]190
  • 108.174.202[.]99
  • 176.120.22[.]24

Several of these IPs use a TLS certificate with the common name azurenetfiles[.]net, a domain previously linked to the ShinyHunters extortion gang.

File Path / Network Artifact:

A ransom note file named README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT is dropped on internal PeopleSoft servers upon successful breach.

Mitigation Options

Organizations running Oracle PeopleSoft are advised to analyze logs for any connections from the above IP addresses. If these IoCs are found, immediately begin incident response, investigate whether the PeopleSoft instance was compromised, and consider temporarily removing affected servers from internet access until the environment can be secured and reviewed.
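
One way to run the log check described above, as an added example that is not code from the original report: it refangs the listed IP addresses, matches them exactly against every IPv4 token in each log line, and sweeps a directory tree for the ransom note file name. The sample log lines are constructed, and the access-log layout and function names are assumptions.

```python
import ipaddress
import os
import re

# IoCs copied from this page, kept defanged until they are loaded.
DEFANGED_IOCS = [
    "142.11.200[.]186", "142.11.200[.]187", "142.11.200[.]188",
    "142.11.200[.]189", "142.11.200[.]190", "108.174.202[.]99",
    "176.120.22[.]24",
]
RANSOM_NOTE = "README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT"
# Whole dotted quads only, so 142.11.200.18 or 1142.11.200.186 never match.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

def refang(indicators):
    """Turn defanged indicators into ip_address objects for exact matching."""
    return {ipaddress.ip_address(i.replace("[.]", ".")) for i in indicators}

def scan_log(lines, iocs):
    """Return (line_number, ip, line) for each line that names an IoC address.
    Every IPv4 token is checked, so a forwarded client address also counts."""
    hits = []
    for n, line in enumerate(lines, 1):
        for token in IPV4_RE.findall(line):
            try:
                ip = ipaddress.ip_address(token)
            except ValueError:  # not a valid address, e.g. 999.1.1.1
                continue
            if ip in iocs:
                hits.append((n, str(ip), line.rstrip()))
                break
    return hits

def find_ransom_notes(root):
    """Walk root and return paths of files carrying the ransom note name."""
    return [os.path.join(d, f) for d, _, files in os.walk(root)
            for f in files if f.upper() == RANSOM_NOTE]

# Constructed sample access log (assumed layout, not from a real incident).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Jun/2026:08:01:02 +0000] "GET / HTTP/1.1" 200 512',
    '142.11.200.186 - - [10/Jun/2026:08:01:09 +0000] "GET / HTTP/1.1" 200 87',
    '10.0.0.5 - - [10/Jun/2026:08:02:00 +0000] "GET / HTTP/1.1" 200 10 "176.120.22.24"',
    '142.11.200.18 - - [10/Jun/2026:08:03:00 +0000] "GET / HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for n, ip, line in scan_log(SAMPLE_LOG, refang(DEFANGED_IOCS)):
        print(f"line {n}: {ip}: {line}")
```

Matching parsed addresses rather than substrings avoids false hits on near-miss addresses such as 142.11.200.18 in the last sample line.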
