Washington: Google’s cybersecurity teams have uncovered an active hacking and extortion campaign linked to the notorious cybercrime group ShinyHunters, which exploited a previously unknown vulnerability in Oracle’s PeopleSoft software to target organizations, particularly universities and educational institutions across the United States. The discovery has triggered fresh concerns about cybersecurity risks facing the education sector.
According to researchers from Google Threat Intelligence Group (GTIG) and Mandiant, the attacks took place between May 27 and June 9, before Oracle publicly disclosed the security flaw. Because no security patch was available at the time, the vulnerability was a “zero-day,” allowing hackers to gain unauthorized access to systems running Oracle PeopleSoft software.
PeopleSoft is widely used by universities, corporations and government agencies to manage critical operations such as human resources, payroll, finance and supply chain management. The software’s extensive adoption has made it an attractive target for cybercriminals seeking access to valuable personal and institutional data.
Google said it identified active scanning and exploitation attempts targeting vulnerable PeopleSoft servers. The company subsequently notified more than 100 organizations whose systems appeared exposed to the attacks. Most of the affected organizations were based in the United States, and approximately 68 percent belonged to the higher education sector.
Researchers found that attackers deployed customized MeshCentral remote-management tools disguised as legitimate cloud services. These tools enabled the hackers to execute administrative commands, maintain access to compromised networks and potentially steal sensitive information.
The campaign has been attributed to ShinyHunters, a cybercriminal group known for conducting data theft and extortion operations against major organizations worldwide. Security experts describe the group as one of the most active cyber extortion networks currently operating, with a history of stealing data and demanding payments from victims under threat of public disclosure.
The latest attacks follow several high-profile operations linked to ShinyHunters in recent months. The group was previously associated with a major breach involving educational technology company Instructure, the parent company of the Canvas learning platform, where student and school data were allegedly stolen and used in extortion attempts.
Cybersecurity researchers warn that educational institutions have become increasingly attractive targets because they store large volumes of personal information while often operating with limited cybersecurity resources. Universities also maintain extensive digital infrastructure that can present multiple points of entry for attackers.
Oracle issued a security advisory on June 10 regarding the vulnerability affecting PeopleSoft PeopleTools. Security experts have urged organizations using the software to immediately apply available updates, review system logs and conduct comprehensive security assessments to determine whether their networks have been compromised.
Industry analysts believe the incident highlights the growing threat posed by zero-day vulnerabilities, which allow attackers to exploit software flaws before developers can release fixes. Such attacks are particularly dangerous because organizations often remain unaware that their systems are vulnerable until after a breach has occurred.
The revelations have renewed calls for stronger cybersecurity measures across educational institutions and enterprise software environments. Experts emphasize that proactive monitoring, timely patch management and enhanced threat detection capabilities are becoming increasingly important as cybercriminal groups continue to evolve their tactics.
As investigations continue, affected organizations are working with cybersecurity teams to assess potential damage and strengthen defenses against future attacks. The incident serves as another reminder of the growing sophistication of modern cyber threats and the importance of securing critical digital infrastructure.