ShinyHunters Exploits Oracle Zero-Day; Qilin, Elite Squad Dominate Daily Events

Events tracked: 218
Critical exposure: 89

Summary

Today's threat landscape is defined by a convergence of high-impact zero-day exploitation and sustained, high-volume data breach activity. The ShinyHunters group's operational use of an unpatched Oracle PeopleSoft vulnerability against universities signals a shift toward targeting enterprise resource planning (ERP) systems as a primary initial access vector. Concurrently, the sheer volume of alleged data exposures -- 89 critical events -- underscores that opportunistic actors continue to find success across a wide range of sectors, from government and education to e-commerce and healthcare. Defenders should prioritize patching for CVE-2026-35273 and brace for a continued high tempo of data leak claims from both established ransomware crews and lower-tier actors.

Today's developments

The most significant operational development is the ShinyHunters extortion campaign exploiting CVE-2026-35273, an unpatched Oracle PeopleSoft zero-day. According to industry researchers at Mandiant, the group (tracked as UNC6240) targeted enterprise systems between May 27 and June 9, with universities being the primary victims. Oracle released a patch on June 10, but the window for exploitation was already open. This incident underscores the risk of delayed patch cycles for widely deployed ERP platforms and the increasing sophistication of financially motivated groups in weaponizing zero-day vulnerabilities before official fixes are available.

Beyond this campaign, the day's data exposure events show a broad and persistent threat. Notable alleged incidents include:

  • France under sustained pressure: Multiple claims target French entities. Actor ChimeraZ allegedly breached Jestimo (real estate) and CAPIFRANCE.FR (3.6 million records claimed). Actor Cryptix claims a 43.5GB dataset from Free.fr Telecom. Actor Lar allegedly hit FPADEL (Federation Wallonie-Bruxelles). Actor pine claims a scrape of asendia.com yielding 1.5 million unique rows. Actor Sober allegedly breached Bleu Jour (IT services).

  • Indonesia remains a primary target: Several alleged breaches hit government and education sectors. Actor SadClown claims to have breached the High Court of East Java (Pengadilan Tinggi Jawa Timur) and the Banyumas Regency Population and Civil Registration Office. Actor B4d0kAhay alleges a sale of a Ministry of Transportation (SIMPADU) database. Actor zenhex5 claims breaches of SMK Negeri 1 Tanjung Lago and Warmadewa University. Actor BabayoErorSystem alleges a breach of Wifi.id.

  • US entities face diverse threats: Actors BhayangkaraID and Xyph0rix both claim breaches of Guns.com. Actor Orcinus orca alleges a breach of Fitbit infrastructure. Actor xpl0itrs claims a sale of data from Dynatrace. Actor GORZ ROSTAM alleges a breach of the US Navy. Actor QwErTyYyY claims a sale of driver's license photographs.

  • Other notable global incidents: Actor Vandal claims a breach of the Republic of Korea Marine Corps Veterans Association. Actor Vyntra alleges a breach of BT Group in the UK. Actor Zyphor claims a breach of the Kocaeli Metropolitan Municipality in Turkey. Actor Sober alleges breaches of Umniah (Jordan) and Direct Connect (Australia).

Industry reporting also highlighted a new Windows BitLocker bypass technique, dubbed GreatXML, released by researcher Chaotic Eclipse. The exploit leverages recovery partition XML files. Separately, researchers detailed the OnyxC2 stealer, a malware-as-a-service offering enterprise-grade theft capabilities for $250 a month, targeting over 200 applications. A Russian national was also charged in connection with the Void Blizzard espionage campaign.

Threat landscape signals

The data reveals a clear clustering of activity around specific actor groups and geographies. Elite Squad and Qilin are the most prolific actors today, accounting for 45 of the 218 tracked events. Their activity, combined with the ShinyHunters campaign, suggests that established ransomware and extortion groups are maintaining a high operational tempo. The victimology is heavily skewed toward the United States (40 events), France (11 events), and Indonesia (12 events), with government, education, and e-commerce sectors bearing the brunt.

A notable signal is the prevalence of alleged data sales and leaks from lower-tier actors (e.g., Vandal, SadClown, Sober) targeting specific local government and educational institutions in Indonesia and Mexico. This pattern indicates that initial access brokers and opportunistic data thieves are finding easy targets in under-resourced public sector organizations. The emergence of the GreatXML BitLocker bypass and the OnyxC2 stealer further points to a commoditization of both offensive tools and access, lowering the barrier to entry for less sophisticated criminals. Defenders should expect a continued deluge of data breach claims as these tools and techniques proliferate.

All incidents are reported as alleged claims by threat actors and have not been independently verified by GrayscaleInsight.

Threat intelligence is reported for security awareness purposes only and does not constitute endorsement of any actor, group, or activity.