
Oracle PeopleSoft servers hacked in ShinyHunters data theft attacks

SecurityXP Editorial Desk

“Also visible were staging materials, including MeshCentral agents, and a defacement and credential spray script.”

The researcher shared the following IP addresses as IOCs related to these attacks: 142.11.200[.]186, 142.11.200[.]187, 142.11.200[.]188, 142.11.200[.]189, 142.11.200[.]190, 108.174.202[.]99, 176.120.22[.]24.

Some of these IP addresses used a TLS certificate that has a common name of “azurenetfiles[.]net,” which is a domain previously linked to the ShinyHunters extortion gang.

The ShinyHunters gang is exploiting a combination of old and zero-day vulnerabilities, referred to as a “gadget chain,” to target both cloud and on-premises Oracle PeopleSoft instances.

The Issue

“ShinyHunters, (or a group impersonating them) exposed several directories revealing ongoing targeting of PeopleSoft (Enterprise Resource Planning software) environments,” the researcher posted.

BleepingComputer contacted Oracle this morning to ask whether it is aware of an Oracle PeopleSoft zero-day being exploited in data theft attacks, but had not received a reply at this time.

The threat actor claims their initial goal was to breach an FBI portal running PeopleSoft to “publish a statement and set the record straight on some misinformation that has been spreading.” However, they said their attack was not successful, and they were unable to gain access to the instance.

While Oracle has not publicly disclosed any information about these attacks, cybersecurity researcher “Michael R” found several exposed online directories containing tooling related to this attack.


Impact

Oracle PeopleSoft servers are being targeted in ongoing data theft attacks by the ShinyHunters extortion gang, which claims to have stolen data from over 100 organizations. PeopleSoft is an enterprise business software suite used by large organizations to manage business operations such as human resources, payroll, finance, supply chain management, procurement, and student administration. Today, the threat actor confirmed to BleepingComputer that they were behind the attacks, claiming to have stolen data from 300 instances across more than 100 organizations.

Five of the servers exposed a .bash_history file that gave some insight into the attacks, including a shell script designed to create a ransom note named “README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT” on an internal PeopleSoft server after it is breached.

Immediate Steps

  1. The threat actor states that their attack is not working on all systems and believes that exploitation success may depend on how an instance is configured.

  2. If you are running Oracle PeopleSoft, it is strongly advised that you analyze logs for any connections from the above IP addresses to determine whether you were targeted in these attacks.
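One way to run the log check described in step 2, as an added example that is not from the original article or from the researcher: it refangs the IOC list above and flags any access-log line in which one of those addresses appears as a whole IPv4 token, in the client field or in a forwarded-for field. The log layout, the `xff=` field and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# IOC addresses as listed in this article, kept defanged; refanged at runtime.
DEFANGED_IOCS = [
    "142.11.200[.]186", "142.11.200[.]187", "142.11.200[.]188",
    "142.11.200[.]189", "142.11.200[.]190", "108.174.202[.]99",
    "176.120.22[.]24",
]

def refang(value):
    return value.replace("[.]", ".")

IOC_SET = {ipaddress.ip_address(refang(v)) for v in DEFANGED_IOCS}

# Whole dotted-quad tokens only, so 142.11.200.18 or 142.11.200.1866
# cannot match an IOC by substring.
IPV4_TOKEN = re.compile(r"(?<!\d)(?<!\d\.)(?:\d{1,3}\.){3}\d{1,3}(?!\d)(?!\.\d)")

def find_ioc_hits(lines):
    """Return (line_number, ioc_ip, line) for each IOC seen anywhere in a line,
    covering the client field and forwarded-for style fields alike."""
    hits = []
    for number, line in enumerate(lines, 1):
        seen = set()
        for token in IPV4_TOKEN.findall(line):
            try:
                addr = ipaddress.ip_address(token)
            except ValueError:  # octet > 255 or leading zeros
                continue
            if addr in IOC_SET:
                seen.add(str(addr))
        hits.extend((number, ip, line) for ip in sorted(seen))
    return hits

# Constructed sample lines (not real logs); the format is an assumption.
TS = "[01/Jan/2026:08:00:00 +0000]"
SAMPLE_LOG = [
    f'192.0.2.10 - - {TS} "GET / HTTP/1.1" 200 5120',
    f'{refang(DEFANGED_IOCS[2])} - - {TS} "POST /login HTTP/1.1" 302 0',
    f'198.51.100.7 - - {TS} "GET / HTTP/1.1" 200 5120 xff="{refang(DEFANGED_IOCS[5])}"',
    f'142.11.200.18 - - {TS} "GET /v/142.11.200.1866 HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for number, ip, line in find_ioc_hits(SAMPLE_LOG):
        print(f"line {number}: {ip}: {line}")
```

If the server sits behind a load balancer or reverse proxy, the client column holds the proxy address, so the forwarded-for field is where an IOC would show up.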

The Bigger Picture

Organizations should review their exposure and apply available mitigations promptly.

Affected individuals should monitor their financial and online accounts for suspicious activity and consider enrolling in any offered credit monitoring or identity protection services. Organizations must conduct a thorough post-incident review to identify the root cause and gaps in security controls that allowed the breach to occur. Regulatory notification requirements should be assessed based on jurisdiction and the types of data involved, with legal counsel engaged early in the process. Communications teams should prepare transparent disclosure messaging for customers, partners, and regulators. Beyond the immediate response, organizations should update their data handling policies, encryption standards, and access controls to reduce the likelihood of recurrence. Third-party risk assessments may also be warranted if the breach originated with a vendor or service provider.

Sources

  1. https://www.bleepingcomputer.com/news/security/oracle-peoplesoft-servers-hacked-in-shinyhunters-data-theft-attacks/
  2. https://techcrunch.com/2026/06/10/cybercriminals-claim-breach-of-oracle-peoplesoft-servers-at-100-plus-organizations/
  3. https://www.scworld.com/brief/shinyhunters-gang-targets-oracle-peoplesoft-servers-in-data-theft-attacks