
Here is the link to our review for the GL.iNet router and others: https://cloudseclabs.com/most-insecure-soho-routers-and-what-to-upgrade-to-in-2026/

Researchers are warning that cybercriminals exploited an Oracle PeopleSoft zero-day vulnerability and potentially infiltrated the networks of more than 100 organizations in an attack spree that largely impacted higher education.
Mandiant and Google Threat Intelligence Group said they became aware of the attacks earlier this month as part of their ongoing monitoring of ShinyHunters operations. The notorious cybercrime group claims it hacked more than 100 organizations and started naming victims and publishing allegedly stolen data Tuesday.
University of Nottingham, one of ShinyHunters’ alleged victims, on Wednesday confirmed a significant amount of student data was stolen during a cyberattack after the threat group leaked some of the school’s data.
The attacks date back to at least May 27, according to Mandiant, and involve the exploitation of CVE-2026-35273, a defect in Oracle PeopleSoft PeopleTools that allows unauthenticated attackers to execute remote code and take over affected servers.
Oracle disclosed the vulnerability and recommended some steps for mitigation Wednesday, weeks after the attacks were already underway. The vendor hasn’t released a patch to address the defect and did not respond to a request for comment.
Google said it alerted more than 100 organizations of potentially vulnerable endpoints in their environments, but it declined to confirm how many victims are compromised.
“This campaign is still active. We have observed ShinyHunters sending extortions as recently as today,” Charles Carmakal, chief technology officer at Mandiant Consulting, told CyberScoop Thursday evening. He added that more victims, beyond Google’s visibility, may be impacted.
Most of the potential victim pool is based in the United States and 68% are in the higher education sector, according to Google.
“We have previously observed ShinyHunters target the education sector this year, however it’s possible this targeting is representative of the majority of exposed PeopleSoft instances belonging to the sector,” Carmakal said.
Oracle PeopleSoft PeopleTools includes more than 40 tools for human resources and customer relationship management.
The attacks come less than a year after the Clop ransomware group exploited a zero-day in Oracle E-Business Suite that affected dozens of victims. The data theft extortion campaign that followed those attacks, which began in August, didn’t get underway until October.
The post ShinyHunters is actively extorting universities after exploiting an unpatched Oracle flaw appeared first on CyberScoop.
from CyberScoop https://ift.tt/4WNGVYB
https://ift.tt/6d8ASVv
Researchers have described what they say is a new class of attack that can trick artificial intelligence (AI) coding agents into running arbitrary code on developer machines.
Called Agentjacking by Tenet Security, the attack can be triggered by means of a fake error report crafted using Sentry, an open-source error-tracking and performance-monitoring platform.
“The attack
via The Hacker News https://ift.tt/DIE3Lsj
For most of the past decade, managed detection and response was the answer to a real problem. Security teams couldn’t staff around the clock, couldn’t hire enough analysts, and needed someone else to handle the alert queue. MDR stepped in. It worked well enough. Until now.
The threat landscape has changed faster than the MDR model can adapt. Attackers are using AI to move faster, generate more
via The Hacker News https://ift.tt/L34tBxg
Researchers have disclosed details of three now-patched security flaws impacting LangGraph, including a critical vulnerability chain that could result in remote code execution.
LangGraph is an open-source framework created by LangChain to build complex, stateful, multi-agent artificial intelligence (AI) applications.
“An SQL injection in LangGraph’s function could
via The Hacker News https://ift.tt/ojY02Sm
Security teams have shown, in separate research published this week, that OpenClaw, the popular self-hosted AI agent, can be driven to run attacker-controlled code or hand over sensitive data through ordinary-looking inputs.
Imperva buried instructions inside shared contacts, vCards, and location pins that the agent executed without the victim ever seeing them. Varonis built a test agent on
via The Hacker News https://ift.tt/sKIDoQ6
Federal prosecutors have charged a Russian national with conspiracy to commit unauthorized computer access in connection with a sprawling cyber-espionage campaign linked to the Russia-aligned threat group Void Blizzard, according to a criminal complaint filed in federal court this week.
Denis Nikolayevich Obrezko, a Russian citizen, is accused of breaking into systems owned by companies in the United States and elsewhere, according to an FBI affidavit unsealed Tuesday. Investigators allege Obrezko facilitated the campaign by purchasing a virtual private server and domain names used in attacks targeting businesses, educational institutions, and other organizations.
The charges come roughly a year after Microsoft publicly identified Void Blizzard — which it also tracks as Laundry Bear — as a state-sponsored Russian threat group conducting large-scale espionage operations against government agencies, defense suppliers, and critical infrastructure providers across NATO member states, Ukraine, and beyond. Dutch intelligence and security services separately confirmed in May 2025 that the group had infiltrated the Netherlands’ national police force in September 2024, stealing work-related contact information on police staff.
The FBI affidavit describes a methodical but largely unsophisticated operation. Investigators say Void Blizzard primarily relied on stolen session tokens to authenticate to victim accounts without triggering re-authentication requirements, then used a U.S.-based commercial proxy service to mask the connection’s location. The group typically routed traffic through a VPN before selecting proxy IP addresses in the same region as a target, allowing it to bypass geographic firewall restrictions.
Between June and July 2024, the FBI received tips from a foreign partner and a U.S.-based private-sector firm identifying several American companies being targeted by the emerging group. Investigators subsequently verified intrusions at 11 U.S. companies, a figure the affidavit describes as likely a fraction of the total victim count nationwide.
Void Blizzard’s methods, while not technically advanced, have proven broadly effective. Microsoft researchers noted in 2025 that the group’s success illustrates the sustained risk posed by even basic intrusion techniques when applied at scale. The group has been observed harvesting bulk email and files from compromised cloud environments, accessing Microsoft Teams conversations, and cataloging Microsoft Entra ID configurations to map organizational structures.
In April 2025, Microsoft identified a separate spear-phishing campaign attributed to Void Blizzard that targeted more than 20 non-governmental organizations in Europe and the United States, using typosquatted domains to spoof Microsoft authentication pages. The affidavit corroborates that activity, identifying domains such as miscrsosoft[.]com and micsrosoftonline[.]com registered through accounts connected to the same infrastructure used by the group.
Obrezko appeared in court Tuesday and agreed to be taken into custody while awaiting trial.
You can read the affidavit below.
The post Russian national charged in connection with Void Blizzard espionage campaign appeared first on CyberScoop.
from CyberScoop https://ift.tt/KY2tXi4
It’s been one of those weeks. You expect the usual noise: recycled malware, sloppy attacks, another easy target getting hit. Instead, there’s a supply chain attack kit in a public repo, a $5,000-a-month RAT that clones browsers, and research showing AI agents can be tricked into leaking real credentials.
The bigger problem is how polished this all looks now. Mule networks run like SaaS.
via The Hacker News https://ift.tt/BDSQPWM
For thirty years, vulnerability management ran on a buffer: the months between when a vulnerability was found and when someone could figure out how to weaponize it. The solution was straightforward enough: triage by severity, schedule the fix, validate, and move on. The buffer was what made that work.
Today, that buffer is gone.
AI didn’t make your team slower. It changed the other side of the
via The Hacker News https://ift.tt/zYbnGRw
A high-severity unpatched security flaw in Langflow, an open-source low-code platform to build artificial intelligence (AI) applications, has come under active exploitation in the wild, according to findings from VulnCheck.
The vulnerability in question is CVE-2026-5027 (CVSS score: 8.8), a case of path traversal that could allow an attacker to write files to arbitrary locations.
“The ‘POST /
via The Hacker News https://ift.tt/iUFNEy2
Fortinet, Ivanti, and SAP have released security updates to address multiple critical security vulnerabilities that could result in arbitrary code execution and information disclosure.
The security flaw patched by Fortinet relates to a command injection vulnerability in FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS WEB UI. It’s tracked as CVE-2026-25089 (CVSS score: 9.1).
“An
from The Hacker News https://ift.tt/X1vkFqN