EXECUTIVE SUMMARY:
An intrusion campaign attributed to the ShinyHunters group has been observed exploiting CVE-2026-35273, a zero-day vulnerability in Oracle PeopleSoft environments, before a security update was available. The attackers targeted internet-facing systems to gain unauthorized access, steal sensitive organizational data, and extort the victims. The campaign illustrates a broader pattern: threat actors weaponize newly discovered vulnerabilities before or immediately after disclosure, so an organization that was compromised before it could deploy the patch remains compromised after deploying it.
The attackers exploited a remotely reachable vulnerability in the enterprise application infrastructure that allowed unauthenticated remote code execution against exposed management endpoints. After gaining initial access they executed commands on the compromised servers, established persistence, harvested sensitive organizational data, and exfiltrated it for extortion. Because exploitation began before public disclosure and before a patch existed, organizations that later applied the security update may already have been breached: the update closes the entry point, but it does not remove a web shell or rogue service that was installed earlier, and it does not invalidate credentials that were harvested from files on the server. Security teams should therefore review historical logs for the full exposure window, check for published indicators of compromise, inspect network and endpoint activity from that period, and confirm that no malicious artifacts or unauthorized access paths remain in the environment.
This campaign shows that patching alone is not an adequate response to a zero-day. Timely remediation must be paired with proactive threat hunting, retrospective log review, endpoint investigation, and continuous monitoring to determine whether the system was compromised before the update was applied. Organizations that combine rapid patch management with mature detection and incident response capabilities are markedly more resilient to zero-day exploitation and data-extortion campaigns.
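As a concrete illustration of the retrospective log review recommended above, the following script is an added example (it is not code from the original report, from Oracle, or from any vendor) that parses web-tier access log lines and hunts for the persistence and execution techniques listed in the threat profile: a server-side script appearing outside the application's servlet paths (T1505.003), the requests the same source made to the application tier shortly before that script first appeared (the likely T1190 exploitation step), and base64-obfuscated commands passed to the script (T1059.003, T1027.010). Everything in it is constructed for illustration: the log lines, IP addresses, URL paths, and the parameter names treated as shell-like. The Combined Log Format regex and the assumption that PeopleSoft application content is served under the /psp/ and /psc/ servlet prefixes should be replaced with the site's own log format and path baseline.

```python
# Added example: retrospective access-log hunt for web-shell persistence and
# command execution. All sample data below is constructed, not from any report.
import base64
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qsl, urlsplit

# Assumption: the web tier writes Combined Log Format; adjust LOG_RE otherwise.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumption: PeopleSoft PIA serves application content under the portal (/psp/)
# and content (/psc/) servlets; replace with the site's own baseline of paths.
APP_PREFIXES = ("/psp/", "/psc/")
SCRIPT_EXTS = (".jsp", ".jspx")                     # server-side scripts on the web tier
SHELL_PARAMS = {"cmd", "exec", "command", "run"}    # hypothetical web-shell parameter names

# Constructed sample: one benign client (203.0.113.7) and one source that hits the
# application tier, then calls a JSP under /images/ with base64-encoded commands.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2026:02:14:03 +0000] "GET /psp/ps/EMPLOYEE/HRMS/c/EXAMPLE_MENU.EXAMPLE_PAGE.GBL HTTP/1.1" 200 18422 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2026:02:15:11 +0000] "GET /psc/ps/EMPLOYEE/HRMS/s/WEBLIB_EXAMPLE.ISCRIPT1.FieldFormula.IScript_Example HTTP/1.1" 200 9100 "-" "python-requests/2.31"
198.51.100.23 - - [12/Mar/2026:02:15:19 +0000] "POST /psc/ps/EMPLOYEE/HRMS/s/WEBLIB_EXAMPLE.ISCRIPT1.FieldFormula.IScript_Example HTTP/1.1" 200 0 "-" "python-requests/2.31"
198.51.100.23 - - [12/Mar/2026:02:15:24 +0000] "GET /images/help.jsp?cmd=d2hvYW1p HTTP/1.1" 200 48 "-" "python-requests/2.31"
198.51.100.23 - - [12/Mar/2026:02:16:02 +0000] "GET /images/help.jsp?cmd=bmV0IHVzZXIgL2RvbWFpbg%3D%3D HTTP/1.1" 200 1320 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2026:02:18:40 +0000] "GET /images/logo.png HTTP/1.1" 200 3012 "-" "Mozilla/5.0"
"""


def parse_log(text):
    """Parse Combined Log Format lines into dicts, skipping lines that do not match."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], TS_FMT)
        e["status"] = int(e["status"])
        url = urlsplit(e["target"])
        e["path"], e["params"] = url.path, parse_qsl(url.query, keep_blank_values=True)
        entries.append(e)
    return entries


def is_webshell_candidate(path):
    """A server-side script outside the application servlet prefixes should not exist."""
    return path.lower().endswith(SCRIPT_EXTS) and not path.startswith(APP_PREFIXES)


def decode_command(value):
    """Undo the simplest operator obfuscation (T1027.010): base64 of printable text.
    Returns (command, was_base64); a value that does not decode is returned as-is."""
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
        if text.isprintable():
            return text, True
    except ValueError:          # binascii.Error and UnicodeDecodeError are both ValueError
        pass
    return value, False


def hunt(entries, window_minutes=30):
    """Return candidate web shells (with the same source's preceding application-tier
    requests) and every command passed to them via a shell-like parameter."""
    entries = sorted(entries, key=lambda e: e["ts"])
    findings, seen = [], set()
    for e in entries:
        if not is_webshell_candidate(e["path"]):
            continue
        if e["path"] not in seen:
            seen.add(e["path"])
            start = e["ts"] - timedelta(minutes=window_minutes)
            precursors = [(p["method"], p["path"], p["status"]) for p in entries
                          if p["ip"] == e["ip"] and start <= p["ts"] < e["ts"]
                          and p["path"].startswith(APP_PREFIXES)]
            findings.append({"type": "webshell_candidate", "path": e["path"],
                             "first_seen": e["ts"], "source": e["ip"],
                             "status": e["status"], "precursors": precursors})
        for name, value in e["params"]:
            if name.lower() in SHELL_PARAMS:
                command, encoded = decode_command(value)
                findings.append({"type": "webshell_command", "path": e["path"],
                                 "ts": e["ts"], "source": e["ip"],
                                 "command": command, "base64": encoded})
    return findings


def hunt_sample():
    return hunt(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for finding in hunt_sample():
        print(finding)
```

On the sample, the hunt reports /images/help.jsp first requested by 198.51.100.23 with two application-tier requests from that source in the preceding half hour, followed by the decoded commands whoami and net user /domain. A candidate that only ever returns 404 indicates probing rather than a confirmed file and still deserves a note in the timeline; a 200 on a path that should not exist means the file is present on disk and must be pulled and examined. Run the script over the full window from before the vulnerability's disclosure, not just the days after the patch, and feed any published indicators into APP_PREFIXES, SCRIPT_EXTS and SHELL_PARAMS as they become available.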
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Reconnaissance | T1595.002 | Active Scanning | Vulnerability Scanning |
| Initial Access | T1190 | Exploit Public-Facing Application | - |
| Execution | T1059.003 | Command and Scripting Interpreter | Windows Command Shell |
| Persistence | T1505.003 | Server Software Component | Web Shell |
| Persistence | T1543.003 | Create or Modify System Process | Windows Service |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation | - |
| Defense Evasion | T1036.005 | Masquerading | Match Legitimate Resource Name or Location |
| Defense Evasion | T1027.010 | Obfuscated Files or Information | Command Obfuscation |
| Credential Access | T1552.001 | Unsecured Credentials | Credentials In Files |
| Discovery | T1082 | System Information Discovery | - |
| Discovery | T1018 | Remote System Discovery | - |
| Lateral Movement | T1021.002 | Remote Services | SMB/Windows Admin Shares |
| Collection | T1005 | Data from Local System | - |
| Command and Control | T1219.002 | Remote Access Tools | Remote Desktop Software |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | - |
| Impact | T1657 | Financial Theft | - |