Friday Threat Brief: ShinyHunters Are Still Inside PeopleSoft, Warlock Ransomware Is Riding SharePoint, and ColdFusion Just Dropped Six Perfect 10s. Three Crews, One Weekend.
- Patrick Duggan
- 1 minute ago
- 4 min read
It is Friday night, Central time, and three separate crews are working three separate doors into your estate. That is not a coincidence of the calendar — extortion operations prefer the weekend precisely because your team is not watching. Here is what is live right now, why each one matters, and what to do before Monday. Held to about ninety-five percent, and where the work is someone else's, it is credited.
1. ShinyHunters are still inside PeopleSoft — and there's a second CVE now
We have been documenting ShinyHunters' transformation all spring: the crew that built its name on phone calls to the help desk — social-engineering an Okta MFA reset and walking out with a Salesforce CSV — stopped waiting for other people's breaches and started writing its own exploits. In June we covered their Oracle PeopleSoft zero-day, [CVE-2026-35273](https://analytics.dugganusa.com/api/v1/dredd/kev-gap?cve=CVE-2026-35273), used against 100-plus organizations, two-thirds of them the schools we watched them hit in May, and we covered Oracle's patch for it on June 25.
The weekend update: the campaign is not over, and there is a second flaw now in active exploitation — [CVE-2026-35278](https://analytics.dugganusa.com/api/v1/dredd/kev-gap?cve=CVE-2026-35278), a pre-authentication RCE in PeopleSoft PeopleTools, CVSS 9.8, chained with the -35273 we already documented to take an unauthenticated attacker all the way to the application server and the host underneath it. Internet-facing PeopleSoft and the WebLogic instances behind it are emergency-priority tonight, not Monday's ticket. This is the same crew, the same lane, one rung further down the stack. If you run PeopleSoft, assume the door has been tried.
Do this weekend: patch to Oracle's fixed PeopleTools release, pull internet-facing PeopleSoft/WebLogic behind a VPN or off the public internet if you cannot patch tonight, and hunt for unexplained processes and file writes on the app server. Primary attribution to Mandiant (UNC6040) and Oracle's advisory; the campaign tracking and the school-victim receipts are ours, running since April.
2. Storm-2603 is dropping Warlock ransomware through SharePoint
This is the ransomware half of the weekend, and it is the one that ends with your files encrypted. [CVE-2026-45659](https://analytics.dugganusa.com/api/v1/dredd/kev-gap?cve=CVE-2026-45659) is a deserialization-of-untrusted-data flaw in on-premises Microsoft SharePoint Server — any authenticated user with Site Member permissions can execute code remotely. CISA added it to the Known Exploited Vulnerabilities catalog on July 2 on confirmed in-the-wild exploitation, and the crew running it, Storm-2603, is using it to deploy Warlock ransomware.
Warlock is a name we know — it is a beat we have been writing, and the operational pattern is the classic one: an internet-reachable management or collaboration surface, a foothold, lateral movement, and encryption over a weekend when nobody is at the console. SharePoint on-prem is exactly the kind of long-lived, deferred-patch box that this thrives on. The disclosure and the ransomware attribution belong to Microsoft's threat teams and CISA; what we add is the placement — this is one more entry in the cluster we have been mapping all year, the top crews converging on the management and collaboration plane as the initial-access commodity of 2026.
Do this weekend: apply the SharePoint fix now. If you cannot, restrict SharePoint to the internal network, tighten Site Member permissions, and watch for the pre-encryption tells — new admin accounts, security tooling being disabled, unusual outbound to unfamiliar hosts. A SharePoint box making connections it never made before has already been asked to.
3. ColdFusion just shipped six CVSS 10.0s
Adobe released patches for eleven critical ColdFusion vulnerabilities, six of them carrying the maximum CVSS 10.0 — every one an unauthenticated remote attacker executing arbitrary code on the ColdFusion server. The federal deadline on the KEV-listed items in this neighborhood was today. ColdFusion is another one of those quiet, under-inventoried application servers that sits on the edge of an estate for years after everyone forgot it was there — which is exactly why it keeps ending up on this list.
Do this weekend: inventory whether you even run ColdFusion (a lot of shops do and have forgotten), and if you do, patch to Adobe's fixed build immediately. A perfect-10 unauthenticated RCE is the highest-priority class of bug there is, and six of them at once is not a drill.
The through-line
Line the three up and it is the same shape we have been naming all year: an ERP app server, a collaboration server, a web app server — machinery your organization deployed to run itself, turned into pre-authenticated or trivially-authenticated control of it for someone else, and three different crews reaching for it on the same Friday night. The defensive move is not vendor-by-vendor whack-a-mole. It is to inventory by function — every internet-reachable app, ERP, collaboration, and admin surface — and treat that list as your real attack surface this weekend, because the crews already are.
Patch the three. Then go enjoy your Saturday, because they are counting on you not to.
Every indicator in this post is in the feed. Free.
1.58M+ IOCs, STIX 2.1 / TAXII, 88% novel vs ThreatFox, exploited-CVE leads ahead of CISA. No credit card — a free API key in 30 seconds, and you can audit every claim above against the live endpoints.
