Satine Sentinel: June 12, 2026

Every incident this week traces back to the same underlying condition: defenders trusted something they should not have. Universities trusted that their ERP vendor would warn them before attackers started exploiting a flaw. A humanitarian organization trusted that a self-registration portal carried lower risk than the data it collected. Ransomware groups trusted that their financial plumbing was invisible to law enforcement. And employees across thousands of organizations trusted that a signed software installer from a recognizable vendor name was exactly what it claimed to be.

Last week we tracked ShinyHunters running social engineering calls against SaaS-heavy enterprises. This week the same group demonstrated they have also acquired server-side zero-day capability — and used it against ERP infrastructure that hospitals, government agencies, and universities depend on for payroll, HR, and student records. Alongside that: the largest known breach of humanitarian beneficiary data, the dismantling of a $389 million crypto laundry that kept ransomware economically viable, and a credential stealer shipping as a subscription service with a money-back detection guarantee.

This week: a CVSS 9.8 zero-day that gave attackers unauthenticated access to 100-plus institutions before Oracle published a single advisory, 600,000 Gaza aid-recipient households whose location and identity data is now in unknown hands, a law enforcement action that reveals how your ransom payments actually move, and enterprise-grade credential theft at $250 a month.


Update: ShinyHunters — Oracle PeopleSoft Zero-Day (CVE-2026-35273)

What happened:

Last week we covered ShinyHunters running vishing calls against employees to reach Salesforce instances. This week the group demonstrated a materially different and more alarming capability. ShinyHunters compromised roughly 300 Oracle PeopleSoft installations across more than 100 organizations, including universities, hospitals, and government agencies, by chaining a newly discovered zero-day with older, already-known PeopleSoft vulnerabilities. Oracle’s emergency advisory provided mitigations but not a full patch for the actively exploited flaw. The campaign was observed between May 27 and June 9, 2026, and Oracle did not publicly warn customers until several days after it began, so the vulnerability was an unpatched zero-day for the entire observed window. ShinyHunters claims more than 100 breaches, including approximately 500,000 student records from the University of Nottingham alone.

Technical details that matter:

CVE-2026-35273 is a remote code execution vulnerability in PeopleSoft Enterprise PeopleTools rated CVSS 9.8. That score is consistent with a bug that is reachable over the network, low in attack complexity, and requires neither credentials nor user interaction, with full impact on confidentiality, integrity, and availability: an attacker with plain HTTP access to the affected component can take over the server. The vulnerability sits in the Updates Environment Management component, specifically the Environment Management Hub (PSEMHUB).

The reporting describes the exploit as a “gadget chain”: CVE-2026-35273 is linked with older, already-known PeopleSoft flaws so that the combination yields unauthenticated code execution that no single component delivers on its own. (Strictly, a gadget chain links code fragments inside a deserialization exploit; the public reporting uses the term in the broader sense of an exploit chain and does not say whether deserialization is involved.) That chain is what let ShinyHunters obtain unauthenticated access at scale across PeopleSoft deployments. Post-exploitation, the attackers installed agents for MeshCentral, a legitimate open-source remote management tool, as backdoors for persistent access, and ran a fanout script for lateral movement. Mandiant was able to reconstruct the TTPs in full because the attackers left open directories containing their own tools and command histories, a rare operational security failure that handed defenders a complete attack blueprint.

One indicator worth hunting for immediately: outbound SMB (TCP/445) from PeopleSoft hosts to external addresses. According to the reporting, the exploit chain may use this to make the server authenticate to an attacker-controlled SMB listener and thereby capture machine-account NetNTLM hashes. A PeopleSoft server has no legitimate reason to initiate SMB to the internet, so the connection itself is the signal; egress filtering of TCP/445 at the perimeter both blocks the capture and makes the attempt visible in firewall logs. ShinyHunters says victim outreach has only just begun and has not yet posted most of the organizations it claims, so more names are likely to surface in the coming weeks.
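As an added example (not Oracle’s, Mandiant’s, or this newsletter’s tooling), here is the hunt described above, and again in item 1 of the action list at the end, written as a Python script over two log sources: a generic firewall export and an Apache-style combined access log from the PeopleSoft web tier. The host inventory, admin subnet, window dates, and every log line are constructed for illustration; the /PSEMHUB/update path is the one named in the reporting, everything else is an assumption. It also correlates the two signals, since a PSEMHUB request followed seconds later by an SMB connection out of the same environment is the shape a NetNTLM capture would take.

```python
"""Hunt for the two PSEMHUB indicators over a firewall export and a web access
log. Added example; hosts, subnets and log lines are constructed."""
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed inventory: the PeopleSoft web/app servers, the admin subnet that
# legitimately talks to the Environment Management Hub, and our address space.
PEOPLESOFT_HOSTS = {"10.20.1.15", "10.20.1.16"}
ADMIN_NETS = [ipaddress.ip_network("10.20.40.0/24")]
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Exploitation window reported for the campaign: May 27 through June 9, 2026.
WINDOW_START = datetime(2026, 5, 27, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 6, 10, tzinfo=timezone.utc)  # exclusive

# Constructed firewall export, one allowed connection per line:
# "<utc timestamp> <src> <dst> <proto> <dport> <action>". The 192.0.2.0/24,
# 198.51.100.0/24 and 203.0.113.0/24 addresses are documentation ranges
# standing in for attacker infrastructure.
FIREWALL_LOG = """\
2026-05-28T02:14:07 10.20.1.15 203.0.113.44 tcp 445 allow
2026-05-28T02:14:09 10.20.1.15 10.20.5.20 tcp 445 allow
2026-05-28T02:15:11 10.20.3.7 198.51.100.9 tcp 445 allow
2026-06-01T11:03:55 10.20.1.16 192.0.2.77 tcp 445 allow
2026-06-01T11:04:00 10.20.1.16 192.0.2.77 tcp 443 allow
"""

# Constructed combined-format access log from the PeopleSoft web tier.
ACCESS_LOG = """\
198.51.100.23 - - [20/May/2026:09:15:02 +0000] "GET /PSEMHUB/update HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.20.40.8 - - [28/May/2026:08:12:44 +0000] "GET /psp/ps/EMPLOYEE/HRMS/?cmd=login HTTP/1.1" 200 8891 "-" "Mozilla/5.0"
10.20.40.9 - - [28/May/2026:08:20:10 +0000] "POST /PSEMHUB/update HTTP/1.1" 200 310 "-" "Java/1.8.0"
203.0.113.44 - - [01/Jun/2026:11:03:50 +0000] "POST /PSEMHUB/update HTTP/1.1" 200 4096 "-" "curl/8.4.0"
"""

CLF_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def _in_nets(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def hunt_external_smb(log_text):
    """Outbound TCP/445 from a PeopleSoft host to an address outside our ranges.
    The server has no reason to open SMB to the internet; the reporting says the
    exploit chain may use it to capture the machine account's NetNTLM hash."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport, _action = line.split()
        if (src in PEOPLESOFT_HOSTS and proto == "tcp" and dport == "445"
                and not _in_nets(dst, INTERNAL_NETS)):
            when = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)
            hits.append({"ts": when, "src": src, "dst": dst})
    return hits


def hunt_psemhub_requests(log_text):
    """Any request to a /PSEMHUB/ path from outside the admin subnet, tagged
    with whether it falls inside the reported exploitation window."""
    hits = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m or not m["path"].upper().startswith("/PSEMHUB/"):
            continue
        if _in_nets(m["src"], ADMIN_NETS):
            continue
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits.append({"ts": when, "src": m["src"], "method": m["method"],
                     "path": m["path"], "status": m["status"],
                     "in_window": WINDOW_START <= when < WINDOW_END})
    return hits


def correlate(web_hits, smb_hits, max_gap=timedelta(seconds=60)):
    """Pair a PSEMHUB request with outbound SMB from any PeopleSoft host within
    the following max_gap; request-then-SMB-callback is the capture shape."""
    pairs = []
    for w in web_hits:
        for s in smb_hits:
            gap = s["ts"] - w["ts"]
            if timedelta(0) <= gap <= max_gap:
                pairs.append({"request_src": w["src"], "path": w["path"],
                              "smb_src": s["src"], "smb_dst": s["dst"], "gap": gap})
    return pairs


if __name__ == "__main__":
    smb = hunt_external_smb(FIREWALL_LOG)
    web = hunt_psemhub_requests(ACCESS_LOG)
    for h in web + smb:
        print(h)
    for p in correlate(web, smb):
        print("CORRELATED:", p)
```

Run as-is it reports two external SMB connections, two non-admin PSEMHUB requests (one of them before the window, which is still worth a look), and one correlated pair. With your own exports, widen the SMB rule to every host: a non-PeopleSoft server opening TCP/445 to the internet, like the 10.20.3.7 line the script ignores, deserves its own ticket.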

Why critical institutions should care:

PeopleSoft is the ERP backbone for universities, hospitals, and government agencies worldwide, consolidating HR records, payroll, financial data, and student administration into one system that administrators and employees depend on daily. The concern for healthcare and government operators is not just the data category. It is that unauthenticated HTTP access to an internet-exposed component was the entire attack path into those systems. ShinyHunters is a data-extortion group, not a ransomware operator, so the data has very likely already been exfiltrated and the leverage clock is already running for every organization that ran an internet-exposed PSEMHUB during that window. The pivot from vishing against SaaS to server-side ERP zero-day exploitation is a significant tactical expansion. The open question, flagged by Mandiant, is whether this is a one-off borrowed zero-day or the start of a sustained ShinyHunters move into ERP exploitation.

Key sources:


World Food Programme Gaza Self-Registration Breach

What happened:

The breach occurred on May 14, 2026, and resulted in the exposure of sensitive personal information belonging to approximately 600,000 households in Gaza. Compromised data includes names, ID numbers, mobile numbers, and location details. The World Food Programme said that “unauthorized parties” had accessed data stored in its self-registration application, where individuals register for food and cash assistance after completing a verification process. The UN agency temporarily suspended the registration platform while investigating the incident. This incident is considered the largest breach of humanitarian beneficiary data to date.

The publicly known timeline includes a detail that sharpens the accountability picture: an anonymous whistleblower told reporters that an independent expert had warned WFP’s beneficiary feedback mechanism about vulnerabilities in the self-registration application two days before the breach occurred on May 14. The breach was not publicly confirmed until June 2 — a three-week gap during which the data remained in unknown hands while the platform stayed operational.

Technical details that matter:

No threat actor has been publicly attributed and WFP has not disclosed the attack vector. WFP confirmed the breach was confined to the Palestine instance and did not touch SCOPE, the agency’s global beneficiary identity management system that holds records on tens of millions of aid recipients worldwide. The data set is unusual in its operational specificity: neighborhood-level location data combined with verified national ID numbers and phone numbers creates a ready-made targeting package that goes well beyond ordinary PII. This is identity data collected specifically because it was verified — the WFP registration process requires proof of identity to receive aid, which means the compromised records are more reliable than most breached datasets.

Why critical institutions should care:

The WFP incident illustrates a risk pattern that applies directly to any organization running a public-facing registration, intake, or benefits portal. The data collected for patient intake, grant applications, benefits enrollment, or program registration often carries a much higher operational sensitivity than the system’s security classification reflects — because its value to a threat actor is determined by what the data enables, not by what it cost to collect. A 2017 audit of WFP’s systems had already flagged the need for major improvement in how the agency safeguarded beneficiary data — meaning this breach followed a documented, unresolved warning by nearly a decade. For healthcare organizations running patient portals and government agencies running benefits or licensing systems: a pre-breach vulnerability warning that does not result in remediation is not a mitigating factor in a breach investigation. It is an aggravating one, and regulators and plaintiff attorneys both know how to find it.

Key sources:


AudiA6 / Dark2Web Crypto Laundering Takedown

What happened:

On June 10-11, 2026, global law enforcement agencies including the U.S. Department of Justice, Secret Service, and Europol announced the successful disruption of AudiA6, one of the most prolific cryptocurrency laundering networks used by the cybercriminal ecosystem. The coordinated takedown included the arrest of two suspected senior administrators — a 37-year-old Ukrainian national and a 25-year-old Russian national — in the Republic of Georgia. Authorities simultaneously dismantled the associated Dark2Web darknet forum, which served as a marketplace connecting ransomware affiliates and other cybercriminals worldwide. The network is suspected of laundering more than EUR 336 million in illicit funds between 2022 and 2025.

Technical details that matter:

AudiA6 operated as a professional crypto laundering service advertised openly on underground forums. Cybercriminals, including ransomware affiliates, transferred stolen cryptocurrency to wallets controlled by the service and received cleaned funds within roughly an hour. The service pushed the funds through rapid, multi-hop transaction chains across many wallets and exchanges to obscure their origin, and its final conversion layer was a pool of more than 6,000 KYC-verified money mule accounts at centralized exchanges. In other words, the service recruited and managed a global workforce of identity-verified account holders whose accounts turned tainted coins into withdrawable funds.

Europol linked the laundering platform to more than 15 investigations involving ransomware campaigns and large-scale cryptocurrency theft. Analysis revealed that 393 BTC came directly from ransomware organizations, dark web markets, and similar cybercrime platforms, with additional illicit funds routed indirectly through the platform to blend with clean transactions. The coordinated enforcement action on June 10 resulted in three property searches, the seizure of more than 30 servers, the takedown of 25 domains, the confiscation of over 80 vehicles and multiple properties in Georgia, and the freezing of EUR 692,000 in cryptocurrency.

Why critical institutions should care:

This takedown is not primarily a law enforcement story — it is a window into the financial infrastructure that makes ransomware economically viable as a sustained criminal business model. The reason ransomware groups can run multi-year campaigns targeting hospitals and government agencies is that services like AudiA6 absorb the financial risk of converting extortion proceeds into spendable currency, typically within an hour of receipt. Europol’s 2026 Internet Organized Crime Threat Assessment flags the industrialization of cryptocurrency laundering as a core cybercrime service, with ransomware groups increasingly leveraging chain-hopping, decentralized exchanges, and mixer-as-a-service platforms to rapidly move funds across blockchains and evade anti-money laundering controls. For critical institution leaders, the direct implication is this: when your organization pays a ransom, those funds move through infrastructure like AudiA6 within hours and capitalize the next campaign against a hospital, a water utility, or a school district. Incident response playbooks and board-level breach response plans should address the ransom payment decision as a policy matter — with full understanding of downstream consequences — before a crisis requires a decision in hours.

Key sources:


OnyxC2 Malware-as-a-Service: Enterprise Credential Theft at $250/Month

What happened:

The OnyxC2 stealer surfaced on a cybercrime network earlier this year and is available through Malware-as-a-Service starting at $250 per month. The rental price sits at the higher end of stealer costs, justified primarily by its stealth and reach. The developers offer a standard tier at $250/month, a premium tier including Hidden Virtual Network Computing (HVNC) at $500/month, and full source code for $6,000 — and are sufficiently confident in their evasion capability to offer refunds if the build gets detected. BlackFog researchers identified that OnyxC2 targets over 210 applications and extensions, including browsers, password managers, cryptocurrency wallets, FTP clients, and email clients.

Technical details that matter:

Inside each delivery archive is a two-file package built for DLL sideloading. The first file is a legitimate, validly signed application; it is not modified in any way, and its signature passes reputation and allowlist checks. The second is a malicious DLL whose filename matches a library the signed program loads at startup. Because Windows resolves such imports from the application’s own directory before the system directories (unless the library is a KnownDLL), running what looks like an installer makes the trusted program load the attacker’s code from the same folder. The malicious DLL is padded past 120 MB and dressed up as a real NVIDIA graphics library, complete with genuine-looking exported function names, because many antivirus scanners skip files above a size threshold; the actual payload sits encrypted inside and is only decrypted at runtime.

Both delivery archives came back clean on their first VirusTotal upload, and the malicious component inside them was still unflagged as of May 30, 2026. Beyond credential harvesting, the stealer incorporates HVNC for persistent remote access, LSASS memory dumping for extracting hashed and plaintext credentials directly from Windows memory, and a reverse SOCKS5 proxy for tunneling traffic. Each build is uniquely mutated per customer, meaning the same binary will not generate a signature match across separate campaigns.

Calling this a supply chain attack needs one qualification: nothing in the vendor’s build or signing pipeline was compromised, and the signed executable verifies exactly as it should. What OnyxC2 exploits is the trust that a valid signature earns from users, allowlists, and reputation-based controls, together with a DLL search order that lets any file in the same folder stand in for a library the program expects. No vulnerability in the signed binary is required.
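The two behaviours described above, a signed program loading a look-alike DLL from its own folder and a process reading LSASS memory, are the ones a detection engineer would want rules for, and item 4 of the action list at the end asks for exactly that. Below is an added Python example, not BlackFog’s analysis or any EDR vendor’s rule set, that runs two such rules over Sysmon-style events (Event ID 7, Image Loaded; Event ID 10, Process Access). The events, paths, vendor strings, and the Defender allowlist entry are constructed; the GrantedAccess bit tested is PROCESS_VM_READ (0x0010), which any memory dump needs.

```python
"""Two Sysmon-style behavioural detections for DLL sideloading and LSASS
memory reads. Added example; events and paths are constructed."""
import ntpath

# Folders a standard user can write to; an unsigned DLL loaded from here next
# to the EXE that loads it is the sideloading pattern (constructed list).
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\", "\\downloads\\")

# Processes allowed to read LSASS memory, by full path prefix (constructed;
# a real allowlist should also check the signer).
LSASS_READERS_ALLOWED = (r"C:\ProgramData\Microsoft\Windows Defender\Platform",)

PROCESS_VM_READ = 0x0010  # Win32 access right required to read another process's memory

# Constructed Sysmon events (dicts stand in for the EVTX/XML records).
EVENTS = [
    # 1. Signed installer in Downloads loads an unsigned DLL from its own folder
    #    whose version info claims a graphics vendor.
    {"EventID": 7, "UtcTime": "2026-05-30 14:02:11",
     "Image": r"C:\Users\jdoe\Downloads\Installer\setup.exe",
     "ImageLoaded": r"C:\Users\jdoe\Downloads\Installer\graphics.dll",
     "Company": "Example Graphics Vendor", "Signed": "false", "SignatureStatus": "Unavailable"},
    # 2. Same process loading a Microsoft-signed system DLL: benign.
    {"EventID": 7, "UtcTime": "2026-05-30 14:02:11",
     "Image": r"C:\Users\jdoe\Downloads\Installer\setup.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Company": "Microsoft Corporation", "Signed": "true", "SignatureStatus": "Valid"},
    # 3. Installed application loading its own signed plugin: benign.
    {"EventID": 7, "UtcTime": "2026-05-30 14:05:40",
     "Image": r"C:\Program Files\VendorApp\app.exe",
     "ImageLoaded": r"C:\Program Files\VendorApp\plugin.dll",
     "Company": "VendorApp Inc", "Signed": "true", "SignatureStatus": "Valid"},
    # 4. The sideloaded process opens LSASS with VM_READ: credential dumping.
    {"EventID": 10, "UtcTime": "2026-05-30 14:02:30",
     "SourceImage": r"C:\Users\jdoe\Downloads\Installer\setup.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    # 5. Defender's engine reading LSASS: allowlisted.
    {"EventID": 10, "UtcTime": "2026-05-30 14:02:31",
     "SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    # 6. csrss querying LSASS without VM_READ: benign.
    {"EventID": 10, "UtcTime": "2026-05-30 14:02:32",
     "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400"},
]


def detect_sideload(ev):
    """Event ID 7: an unsigned DLL loaded from the loading program's own
    directory, where that directory is user-writable."""
    if ev.get("EventID") != 7 or ev.get("Signed", "").lower() == "true":
        return None
    exe_dir = ntpath.dirname(ev["Image"]).lower() + "\\"
    dll_dir = ntpath.dirname(ev["ImageLoaded"]).lower() + "\\"
    if exe_dir != dll_dir or not any(m in dll_dir for m in USER_WRITABLE_MARKERS):
        return None
    return {"rule": "dll_sideload_user_writable", "time": ev.get("UtcTime"),
            "process": ev["Image"], "dll": ev["ImageLoaded"],
            "claimed_company": ev.get("Company", "")}


def detect_lsass_read(ev):
    """Event ID 10: a non-allowlisted process opens lsass.exe with a handle
    that includes PROCESS_VM_READ."""
    if ev.get("EventID") != 10 or ntpath.basename(ev["TargetImage"]).lower() != "lsass.exe":
        return None
    src = ev["SourceImage"]
    if any(src.lower().startswith(p.lower()) for p in LSASS_READERS_ALLOWED):
        return None
    if not int(ev["GrantedAccess"], 16) & PROCESS_VM_READ:
        return None
    return {"rule": "lsass_memory_read", "time": ev.get("UtcTime"),
            "source": src, "granted_access": ev["GrantedAccess"]}


def run(events):
    """Apply every rule to every event and return the alerts in event order."""
    alerts = []
    for ev in events:
        for rule in (detect_sideload, detect_lsass_read):
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in run(EVENTS):
        print(alert)
```

Sysmon’s Image Loaded event does not carry file size, which is why the rule keys on location and signature rather than on the 120 MB padding; the size trick only matters to a scanner that caps what it reads. In production, allowlist LSASS readers by signer and full path, never by file name alone, and expect a tuning pass for backup agents and other legitimate readers.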

Why critical institutions should care:

OnyxC2 is not notable because it is new; credential stealers are common. It is notable because it represents the full commoditization of enterprise-grade evasion: technical sophistication that used to require a skilled operator is now available to anyone with a $250 monthly budget and a plausible lure. The LSASS dumping capability is the most immediate concern for healthcare and financial institutions. Dumping LSASS memory yields NTLM hashes that can be replayed directly (pass-the-hash) and, on hosts where legacy settings such as WDigest caching leave plaintext in memory, cleartext passwords, covering whatever the user has authenticated to: EHR systems, core banking platforms, VPN gateways, and Active Directory. Credential Guard and LSA Protection (RunAsPPL) raise the cost of that step considerably and should be verified as enabled rather than assumed. The detection guarantee, refunds if the build is flagged, is a business model signal: the developers are running ongoing QA against major AV and EDR products, and your detection stack’s coverage gap is effectively their product roadmap. The $6,000 source code option also means independent actors can build custom variants outside the MaaS tracking, making attribution and IOC-based detection progressively less reliable over time.

Key sources:


The Pattern This Week

Four stories, one underlying condition: trust placed in something that attackers had already proved unworthy of it. Universities assumed their ERP vendor would notify them before exploitation began. WFP assumed a public-facing intake portal carried lower risk than the data it actually held. AudiA6’s operators assumed their laundering infrastructure was invisible to law enforcement. Thousands of employees assumed that a signed installer from a recognizable vendor name was what it claimed to be.

None of those assumptions held this week.

The tactical shift worth tracking across the ShinyHunters incidents specifically: last week it was social engineering calls against SaaS-connected employees, this week it was a CVSS 9.8 unauthenticated server-side zero-day against ERP infrastructure. These are not the same playbook. A threat actor group that can credibly run both — and apparently move between them based on target profile — is no longer a credential phishing operation that got lucky. It is an adaptive adversary with multiple acquisition capabilities and a coherent victim selection strategy. The open question Mandiant is asking, which every healthcare and government operator should be asking alongside them, is whether this was a borrowed capability or a built one.

See you next week.


What Your Business Can Do This Week

These four incidents share a structural problem — defenders trusted a system, a signal, or a process that attackers had already figured out how to abuse — but each has a specific action that closes a real gap.

  1. If your organization runs Oracle PeopleSoft PeopleTools 8.61 or 8.62: block all external access to PSEMHUB endpoints today, before anything else on this list. Oracle has released mitigations but not a full patch as of this writing. The attack required nothing except HTTP access to that component. If PSEMHUB is internet-reachable, your exposure started May 27. Check web access logs for unexpected requests to /PSEMHUB/update paths, especially from addresses outside your management network, and hunt for outbound SMB (TCP/445) from your PeopleSoft servers to external addresses; that is the signal that the exploit chain may have captured NetNTLM credentials from your environment. Treat a hit as a potential compromise rather than a misconfiguration: reset the affected machine account’s credentials and look for MeshCentral agents on the host.
  2. Audit every public-facing registration, intake, or enrollment portal against the data it actually collects. The WFP case is a direct model for the risk: the system was classified as a web application; the data it held was operationally equivalent to a surveillance database. Classify intake portals at the sensitivity level of their misuse potential, not their collection context. If your patient portal, benefits enrollment system, or licensing application collects name, address, government ID, and contact information, it belongs in the same security tier as your EHR or financial system — not below it. And if you have received any vulnerability disclosure or researcher report about a portal in the last 24 months that has not been fully remediated, pull that record today. Unresolved pre-breach warnings are now a documented aggravating factor in regulatory investigations and litigation.
  3. Establish your organization’s ransom payment policy before you are in a breach, not during one. The AudiA6 takedown provides a documented picture of exactly where ransom payments go and how quickly they move. Boards that have not formally addressed the ransom payment question — including the downstream consequences, the legal reporting requirements, and the decision authority — are making that decision under maximum duress with minimum information when an incident actually occurs. The policy question is not just ethical. Payment reporting requirements under CIRCIA carry 24-hour deadlines once a payment is made. If your incident response plan does not include who decides, under what criteria, and what happens immediately after, the gap is material.
  4. Test your endpoint detection stack against DLL sideloading with oversized, signed loaders. OnyxC2 survives because some AV scanners skip files above a size threshold. Run a controlled test: in a monitored lab, place a large, legitimately signed executable alongside a harmless test DLL named to match a library it loads at startup, run it, and see whether your EDR alerts on the sideloading behavior (a signed process loading an unsigned DLL from a user-writable folder) rather than waiting to match a known-malicious hash. If your detection relies on signature matching alone, the gap is already being sold as a product feature by the people building tools like OnyxC2. Add behavioral detections for LSASS memory access by processes that are not part of the operating system or your security tooling; that technique underpins credential theft from EHR systems, banking platforms, and Active Directory in healthcare and finance environments.
  5. Run ShinyHunters’ updated playbook — now including ERP exploitation — against your asset inventory as a tabletop. Last week the scenario was: one vishing call, one SaaS account, bulk CRM export. This week add a second branch: internet-exposed PeopleSoft or other ERP, unauthenticated access, HR and payroll data exfiltrated before your vendor issues an advisory. The tabletop question for both branches is the same: if an adversary has read access to your HR and payroll system or your CRM right now, how long until you know, and what data can they take before your first alert fires?


Ready to Strengthen Your Defenses?

Whether you need to test your security posture, respond to an active incident, or prepare your team for the worst: we’re ready to help.

📍 Based in Atlanta | Serving Nationwide
