ShinyHunters Built Their Name on Phone Calls to the Help Desk. Now They Have a 9.8 Oracle Zero-Day, 100+ Breached Orgs, and Two-Thirds Are the Schools We Watched Them Hit in May.
- Patrick Duggan
For two months we have been documenting ShinyHunters as a crew that does not, on the whole, exploit software. Their signature move — the one we wrote about when they hit six named companies in seven days in April — was a phone call. Someone rings a help desk claiming to be an employee, asks for a multi-factor reset on the Okta single sign-on, the help desk obliges, and the attacker walks into the company's Salesforce instance and exports the customer file as a CSV. No CVE. No payload. A confident voice and a help-desk worker trying to be helpful. That is identity-based intrusion, and it is most of what built the ShinyHunters name in 2025 and 2026. This week the crew changed weapons, and the change is the story.
The New Weapon: [CVE-2026-35273](https://analytics.dugganusa.com/api/v1/dredd/kev-gap?cve=CVE-2026-35273)
Oracle pushed an out-of-band emergency security alert this week for CVE-2026-35273, a remote code execution vulnerability in PeopleSoft Enterprise PeopleTools rated CVSS 9.8. It lives in the Updates Environment Management component of PeopleTools versions 8.61 and 8.62, it is reachable remotely over HTTP, and it requires no authentication, no privileges, and no user interaction. Those properties mean an attacker who can reach an internet-facing PeopleSoft instance can take it over outright — the same no-auth-no-click profile that makes a bug a first-pick. The flaw was found by researchers at Trend Zero Day Initiative, and Oracle's out-of-band timing — not waiting for a quarterly Critical Patch Update — is the tell that this one was already burning when the patch shipped.
It was. ShinyHunters claim they targeted roughly three hundred PeopleSoft instances across more than a hundred organizations, chaining older PeopleSoft bugs with the zero-day to reach the data inside. This time the claim is not just a forum post. Google's threat intelligence group corroborated it, reporting malicious activity consistent with exploitation of CVE-2026-35273 between May 27 and June 9 and notifying more than a hundred organizations directly. That two-week window matters: the exploitation predates the public patch by days, which is the definition of a zero-day campaign rather than opportunistic post-patch scanning.
Why This Is Ours: They Went Where We Said The Bulk PII Lives
The detail that should stop you is the victim profile. Google reports that the majority of the affected organizations are in the United States, and roughly sixty-eight percent are in higher education. We have been pointing at exactly that sector for this exact actor. In May we published a post about ShinyHunters claiming Instructure Canvas — the learning management system — in a breach touching roughly two hundred seventy-five million student, teacher, and staff records across nearly nine thousand institutions, alongside Cushman & Wakefield and an NVIDIA partner in Armenia. The throughline of all of our ShinyHunters coverage, from the adversary profile in our index to the victim lists we reconstructed from infrastructure, is a single thesis: this crew goes where large stores of personal data are concentrated and weakly defended, and the education sector is the softest large concentration of personal data in the country. PeopleSoft runs the human-resources, student-records, and financials backends for a huge share of universities. A no-auth RCE in PeopleSoft is a skeleton key to precisely the buildings we said ShinyHunters keeps walking into. The University of Nottingham is the confirmed case so far — forty gigabytes of personal data and billing records stolen and posted to the crew's leak site — and on the numbers it is unlikely to be alone for long.
The Capability Shift Is The Headline
Threat-actor profiles are sticky, and that stickiness is a defender's blind spot. If your model of ShinyHunters is "they social-engineer help desks," your defenses look like phishing-resistant MFA, help-desk callback verification, and Okta hardening — all correct, all useless against an unauthenticated RCE in an internet-facing application server. The crew that needed a human to make a mistake now has a bug that needs no human at all. This is the same lesson we keep writing in different costumes: an actor is not a fixed set of techniques, it is an organization that acquires new ones, and the moment you treat last quarter's playbook as this quarter's threat model you have handed them the gap. ShinyHunters adding a 9.8 zero-day to a repertoire previously built on phone calls is exactly that kind of acquisition, and it widens their reachable target set from "companies with a phishable help desk and a Salesforce tenant" to "anyone running an exposed PeopleSoft instance."
The Takedown Was The Easy Part. Again. Within A Week.
There is a timing detail here that is almost too on the nose. Six days ago we published a post built around a single argument: federal law enforcement shuttered the data-leak site ShinyHunters built to extort the thirty-nine companies in their Salesforce campaign, and mistaking that takedown for a win is the error that lets the next leak site go up the following week. We wrote that on June 5. The exploitation window Google documented runs May 27 to June 9. The crew whose leak site got shuttered was, during and after that takedown, running a zero-day campaign against a hundred-plus organizations and standing up fresh leak-site posts for the victims. The disruption was real and the agents earned their day. It also took nothing away from the crew, because a takedown removes infrastructure, not capability, and capability is what just breached a hundred universities. We did not have to wait long for the demonstration.
What A Defender Does
If you run PeopleSoft, treat this as the emergency Oracle's out-of-band alert says it is: apply the CVE-2026-35273 fix for PeopleTools 8.61 and 8.62 now, and if you cannot patch immediately, get internet-facing PeopleSoft instances off the open internet — behind a VPN, an authenticating reverse proxy, or an IP allowlist — because the bug's entire premise is unauthenticated reachability over HTTP. Then assume the window, not just the patch: the documented exploitation runs from May 27, so hunt backward across that period for anomalous access to the Updates Environment Management component, unexpected processes spawned by the PeopleSoft application server, and large outbound transfers from the database tier. Check the crew's leak site for your own name, because in this campaign the first notification a victim got was sometimes Google's phone call and sometimes the extortion post. And update your model of the actor: if your ShinyHunters defenses stop at the help desk, they stop one move too early now. The crew reads its own press, sees which doors are being watched, and buys a new key. This week the key was an Oracle zero-day. Our harvester is watching GitHub for the public proof-of-concept that turns this from a hundred-victim campaign into a commodity one — and when it lands, the only number that will matter is how many of your PeopleSoft instances are still reachable from the open internet.
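The retro-hunt described above, as an added example written for this post (not tooling from the post's author, Oracle, or Google): it walks PeopleSoft web-tier access logs for the documented May 27 to June 9 window and flags two things the paragraph calls out, requests to the Updates Environment Management component from sources that should never reach it, and oversized responses that could be bulk data pulls. The component's URL path is not given in the post, so COMPONENT_PATH_PREFIX is a labelled placeholder; the allowlisted admin range and the log lines (Apache combined format) are constructed for the example, not captured traffic.

```python
"""Retro-hunt over PeopleSoft web-tier access logs for the CVE-2026-35273 window.

Added example for this post. Assumptions, labelled as such: COMPONENT_PATH_PREFIX
is a placeholder (the post does not give the component's URL path), ALLOWED_NETS
is an example admin range, and SAMPLE_LOG_LINES are constructed, not real traffic.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field
from datetime import date, datetime

# ASSUMPTION / placeholder: replace with the component's real path on your web tier.
COMPONENT_PATH_PREFIX = "/PLACEHOLDER_UEM_COMPONENT/"
# Exploitation window reported by Google's threat intelligence group (from the post).
WINDOW_START = date(2026, 5, 27)
WINDOW_END = date(2026, 6, 9)
# ASSUMPTION: networks that are legitimately allowed to reach the component.
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/16")]
# Responses at or above this size are flagged as possible bulk exports (50 MiB).
LARGE_RESPONSE_BYTES = 50 * 1024 * 1024

# Apache "combined" format: client, identd, user, [timestamp], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


@dataclass
class Finding:
    ip: str
    timestamp: datetime
    method: str
    path: str
    status: int
    size: int
    reasons: list[str] = field(default_factory=list)


def parse_line(line: str) -> Finding | None:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    size = 0 if m["size"] == "-" else int(m["size"])
    return Finding(m["ip"], ts, m["method"], m["path"], int(m["status"]), size)


def in_window(ts: datetime) -> bool:
    """True when the request falls inside the documented exploitation window."""
    return WINDOW_START <= ts.date() <= WINDOW_END


def source_is_allowed(ip: str) -> bool:
    """True when the client address sits inside an allowlisted admin network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparseable client field: treat as not allowed
    return any(addr in net for net in ALLOWED_NETS)


def hunt(lines) -> list[Finding]:
    """Return the in-window entries that deserve an analyst's eyes, with reasons."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not in_window(rec.timestamp):
            continue
        if rec.path.startswith(COMPONENT_PATH_PREFIX) and not source_is_allowed(rec.ip):
            rec.reasons.append("UEM component reached from a non-allowlisted source")
        if rec.size >= LARGE_RESPONSE_BYTES:
            rec.reasons.append("oversized response, possible bulk data pull")
        if rec.reasons:
            findings.append(rec)
    return findings


# Constructed sample lines (not real traffic); 203.0.113.0/24 and 198.51.100.0/24 are documentation space.
SAMPLE_LOG_LINES = [
    # Before the window: skipped by this hunt even though it touches the component.
    '203.0.113.7 - - [20/May/2026:11:02:44 +0000] "GET /PLACEHOLDER_UEM_COMPONENT/ HTTP/1.1" 200 311 "-" "curl/8.5"',
    # Inside the window, external source hitting the component: flagged.
    '203.0.113.7 - - [30/May/2026:03:14:07 +0000] "POST /PLACEHOLDER_UEM_COMPONENT/ HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    # Inside the window, allowlisted admin range hitting the component: expected, not flagged.
    '10.20.5.9 - - [01/Jun/2026:09:30:12 +0000] "GET /PLACEHOLDER_UEM_COMPONENT/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    # Inside the window, 80 MB response from the portal: flagged as a possible bulk pull.
    '198.51.100.23 - - [03/Jun/2026:22:41:59 +0000] "GET /psc/ps/EMPLOYEE/HRMS/q/?ICAction=RUN HTTP/1.1" 200 80000000 "-" "Mozilla/5.0"',
    # Malformed line: parse_line returns None and the hunt skips it.
    'garbage line that is not an access log entry',
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG_LINES):
        print(f"{f.timestamp:%Y-%m-%d %H:%M} {f.ip:<15} {f.method} {f.path} -> {'; '.join(f.reasons)}")
```

Run against the constructed lines, the hunt surfaces two entries: the external POST to the component path on May 30 and the 80 MB portal response on June 3. The window filter is deliberately strict to match the paragraph's scope; when hunting for real, widen WINDOW_START earlier than May 27, since the documented window is a floor on when exploitation began, not a ceiling.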