Back to Intelligence

UNC6240 (ShinyHunters): CVE-2026-35273 Oracle PeopleSoft Zero-Day Exploitation with MeshCentral C2 Infrastructure

SA
Security Arsenal Team
July 11, 2026
8 min read

OTX pulse data reveals a sophisticated campaign by UNC6240 (also known as ShinyHunters) targeting the education sector, specifically higher education institutions in the United States. Between May 27 and June 9, 2026, the actor exploited CVE-2026-35273, a critical remote code execution vulnerability (CVSS 9.8) in Oracle PeopleSoft's Environment Management component. This represents a zero-day exploitation campaign that preceded Oracle's official security advisory on June 10, 2026.

The attack chain demonstrates advanced capabilities:

  1. Initial Access: Zero-day exploitation of CVE-2026-35273 in Oracle PeopleSoft applications
  2. Command and Control: Deployment of MeshCentral remote administration platform
  3. Persistence: Establishment of long-term access mechanisms
  4. Data Collection: Harvesting of sensitive academic and institutional data
  5. Lateral Movement: Expansion of access within compromised networks

The primary objective appears to be data extortion, with over 100 organizations potentially affected during the campaign window. UNC6240's use of legitimate remote administration tools (MeshCentral) enables them to blend in with normal administrative activities while exfiltrating sensitive credentials and data.

Threat Actor / Malware Profile

UNC6240 (ShinyHunters)

UNC6240 is a financially motivated threat group with a history of high-profile data breaches and extortion operations. The group has evolved from opportunistic website defacements to sophisticated supply chain attacks and zero-day exploitation campaigns. Their focus on the education sector suggests strategic targeting of institutions with valuable intellectual property and personal data.

MeshCentral

MeshCentral is a legitimate open-source remote management platform that UNC6240 has repurposed for malicious C2 operations. The platform provides comprehensive remote administration capabilities including file management, command execution, and process control.

Distribution Method

  • Zero-day exploitation: CVE-2026-35273 in Oracle PeopleSoft Environment Management component
  • Webshell deployment: Initial foothold through vulnerable web applications
  • Spear-phishing: Potential secondary method for expanding access

Payload Behavior

  • Establishes remote administrative access to compromised systems
  • Provides file management capabilities for data staging and exfiltration
  • Enables command execution for lateral movement and privilege escalation
  • Facilitates credential harvesting from memory and configuration files

C2 Communication

  • Infrastructure: Uses MeshCentral's web-based platform for C2 operations
  • Observed domains: azurenetfiles.net
  • Protocols: HTTPS (port 443) for encrypted communications
  • Beaconing: Periodic check-ins for tasking and data exfiltration

Persistence Mechanism

  • Scheduled tasks for automated agent execution
  • Service installation for MeshCentral agent persistence
  • Registry modifications for maintaining system access
  • Potential use of WMI event subscriptions

Anti-Analysis Techniques

  • Living off the Land: Uses legitimate remote administration tools to blend with normal administrative activity
  • Encrypted communications: HTTPS tunneling to avoid detection by network monitoring
  • Process masquerading: Potential renaming of malicious components
  • Anti-VM checks: May implement virtual machine detection to evade analysis environments

IOC Analysis

The provided IOCs offer several detection opportunities for security teams:

Indicator Types

  • URL: http://azurenetfiles.net:443/agent.ashx - Likely the MeshCentral agent download URL
  • Domain: azurenetfiles.net - C2 domain for MeshCentral infrastructure
  • CVE: CVE-2026-35273 - The vulnerability exploited for initial access
  • File Hashes: Multiple SHA256, MD5, and SHA1 hashes associated with MeshCentral agent and related malware components

Operational Guidance for SOC Teams

  1. Immediate Blocking: Implement firewall rules blocking azurenetfiles.net and related subnets
  2. EDR Scanning: Deploy hash-based detection rules for all provided file hashes
  3. Web Filtering: Block URLs matching the MeshCentral agent download pattern
  4. Vulnerability Scanning: Identify all Oracle PeopleSoft instances potentially vulnerable to CVE-2026-35273
  5. Log Monitoring: Configure alerts for PeopleSoft application anomalies and unusual administrative activities

Recommended Tooling

  • SIEM Solutions: For log correlation and alerting based on IOCs
  • EDR Platforms: For file hash scanning, process monitoring, and behavioral analysis
  • Network Traffic Analysis: To identify C2 communications and data exfiltration patterns
  • Vulnerability Scanners: To identify and prioritize patching of Oracle PeopleSoft instances
  • Threat Intelligence Platforms: For continuous monitoring of new IOCs related to this campaign

Detection Engineering

Sigma Rules

YAML
---
title: Suspicious MeshCentral Agent Download
id: 564d18ce-281e-4e0c-9c54-908e0940f352
description: Detects download of MeshCentral agent from suspicious domains
status: experimental
date: 2026/07/11
author: Security Arsenal
references:
    - https://cloud.google.com/blog/topics/threat-intelligence/shinyhunters-targets-education-sector-oracle-exploit
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    category: proxy
    product: zeek
detection:
    selection:
        uri|contains: '/agent.ashx'
        host|endswith:
            - '.net'
    filter:
        host|notcontains:
            - 'meshcentral.com'
    condition: selection and not filter
falsepositives:
    - Legitimate use of MeshCentral in educational institutions
level: high
---
title: Oracle PeopleShell Exploitation Attempt
id: a7d32a9c-f56e-4a81-b219-ec6729b67e03
description: Detects potential exploitation of CVE-2026-35273 in Oracle PeopleSoft
status: experimental
date: 2026/07/11
author: Security Arsenal
references:
    - https://cloud.google.com/blog/topics/threat-intelligence/shinyhunters-targets-education-sector-oracle-exploit
tags:
    - attack.initial_access
    - attack.t1190
logsource:
    category: web
    product: apache
detection:
    selection:
        cs-uri-query|contains:
            - 'EnvironmentManagement'
        cs-method:
            - 'POST'
    condition: selection
falsepositives:
    - Legitimate administration of Oracle PeopleSoft
level: high
---
title: MeshCentral C2 Traffic Detection
id: 8cf3c9a7-d421-4c86-bc1d-4b4b74c8b3e5
description: Detects suspicious C2 communications associated with MeshCentral agent
status: experimental
date: 2026/07/11
author: Security Arsenal
references:
    - https://cloud.google.com/blog/topics/threat-intelligence/shinyhunters-targets-education-sector-oracle-exploit
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationPort: 443
        Initiated: 'true'
    filter_legitimate:
        DestinationHostname|contains:
            - 'meshcentral.com'
            - 'meshcentral.net'
    filter_ioc:
        DestinationHostname|contains:
            - 'azurenetfiles.net'
    condition: selection and not filter_legitimate or filter_ioc
falsepositives:
    - Legitimate MeshCentral usage
level: high

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for MeshCentral C2 traffic
DeviceNetworkEvents
| where Timestamp >= ago(14d)
| where RemoteUrl in ("azurenetfiles.net", "http://azurenetfiles.net:443/agent.ashx")
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemotePort, RemoteIP
| order by Timestamp desc

// Hunt for potential CVE-2026-35273 exploitation attempts
DeviceNetworkEvents
| where Timestamp >= ago(14d)
| where RemoteUrl has "EnvironmentManagement" and InitiatingProcessFileName has "web" 
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RequestHeaders
| order by Timestamp desc

// Hunt for files with known malicious hashes
DeviceFileEvents
| where Timestamp >= ago(14d)
| where SHA256 in ("c7e9332731b06644fc73e0046a2a89eaa59b09f54250e9bd622467187351711f", "2ab684d93c1553fad87041b4dea97188a97e78589deee2a7bacff905564f3a35", "68257a6f9ff196179ec03624e849927f26599eb180a7c82e14ef5bc4e93bc309")
   or MD5 == "ebcf977806f68af3147e0b78b55f6aed"
   or SHA1 == "cc19e502e4201cc974c753b96429027925224f53"
| project Timestamp, DeviceName, InitiatingProcessAccountName, FolderPath, SHA256, MD5, SHA1
| order by Timestamp desc

PowerShell IOC Hunt Script

PowerShell
# MeshCentral IOC Hunt Script
# This script checks for MeshCentral artifacts and associated IOCs

# Check for known malicious file hashes
$knownHashes = @(
    "c7e9332731b06644fc73e0046a2a89eaa59b09f54250e9bd622467187351711f",
    "2ab684d93c1553fad87041b4dea97188a97e78589deee2a7bacff905564f3a35",
    "68257a6f9ff196179ec03624e849927f26599eb180a7c82e14ef5bc4e93bc309"
)

# Check processes
Write-Host "Checking for processes with known hashes..."
$processes = Get-Process | Where-Object {$_.Path -ne $null}
foreach ($process in $processes) {
    $hash = (Get-FileHash -Path $process.Path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
    if ($knownHashes -contains $hash) {
        Write-Host "ALERT: Process with known malicious hash found:" $process.Name $process.Path -ForegroundColor Red
    }
}

# Check files in common directories
Write-Host "Checking for files with known hashes..."
$directories = @("$env:TEMP", "$env:APPDATA", "$env:LOCALAPPDATA", "C:\ProgramData")
foreach ($dir in $directories) {
    if (Test-Path $dir) {
        $files = Get-ChildItem -Path $dir -Recurse -Include *.exe,*.dll,*.ps1,*.vbs -ErrorAction SilentlyContinue
        foreach ($file in $files) {
            $hash = (Get-FileHash -Path $file.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($knownHashes -contains $hash) {
                Write-Host "ALERT: File with known malicious hash found:" $file.FullName -ForegroundColor Red
            }
        }
    }
}

# Check for MeshCentral-related files and services
Write-Host "Checking for MeshCentral-related artifacts..."
$meshCentralFiles = @("meshagent.exe", "meshservice.exe", "MeshCentral.exe")
$services = Get-Service | Where-Object {$_.DisplayName -like "*Mesh*" -or $_.DisplayName -like "*mesh*"}
if ($services) {
    Write-Host "ALERT: Potential MeshCentral services found:" $services.DisplayName -ForegroundColor Red
}

# Check for scheduled tasks related to MeshCentral
Write-Host "Checking for MeshCentral-related scheduled tasks..."
$scheduledTasks = Get-ScheduledTask | Where-Object {$_.TaskName -like "*mesh*" -or $_.TaskName -like "*Mesh*"}
if ($scheduledTasks) {
    Write-Host "ALERT: Potential MeshCentral scheduled tasks found:" $scheduledTasks.TaskName -ForegroundColor Red
}

# Check network connections to known C2 domains
Write-Host "Checking for connections to known C2 domains..."
$c2Domains = @("azurenetfiles.net")
$connections = Get-NetTCPConnection | Where-Object {$_.State -eq "Established"}
foreach ($conn in $connections) {
    try {
        $remoteEndpoint = [System.Net.Dns]::GetHostEntry($conn.RemoteAddress)
        if ($remoteEndpoint.HostName -like "*azurenetfiles*") {
            Write-Host "ALERT: Connection to known C2 domain found:" $remoteEndpoint.HostName "PID:" $conn.OwningProcess -ForegroundColor Red
        }
    } catch {
        # If DNS resolution fails, continue
    }
}

Write-Host "IOC hunt complete."


# Response Priorities

Immediate (Now)

  • Block the domain azurenetfiles.net at network perimeter devices and web proxies
  • Scan all systems for the provided file hashes using EDR solutions
  • Check for exploitation attempts related to CVE-2026-35273 in Oracle PeopleSoft instances
  • Isolate any systems showing signs of compromise or suspicious activity
  • Implement temporary network restrictions on Oracle PeopleSoft administration interfaces

24 Hours

  • Verify credentials of all administrative accounts with access to Oracle PeopleSoft systems
  • Review logs for signs of lateral movement or data exfiltration
  • Apply Oracle's security patch for CVE-2026-35273 (released June 10, 2026)
  • Implement network segmentation for Oracle PeopleSoft infrastructure
  • Conduct targeted hunting for MeshCentral-related artifacts across endpoints

1 Week

  • Conduct a thorough security assessment of Oracle PeopleSoft implementations
  • Implement additional monitoring for suspicious activities related to remote management tools
  • Review and update security policies for remote access tools
  • Conduct security awareness training for IT staff managing Oracle PeopleSoft systems
  • Deploy deception technology to detect early signs of future compromise attempts
  • Implement application-specific WAF rules for Oracle PeopleSoft protection

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-credentialsshinyhuntersunc6240meshcentraloracle-peoplesoftzero-day

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.