A university finds out it's been breached the way most victims do this season: not from an alarm, but from an email. No drives are encrypted. Nothing is locked. Nothing on the network looks broken. The only evidence that anything happened is that roughly 40 gigabytes of student records — financial aid, health files, immigration documents — are now sitting on a leak site, with a deadline attached.
There was no ransomware, in the sense everyone still pictures it. There was just theft. And it had been happening, quietly, for two weeks.
The door: one unauthenticated request
On June 10, 2026, Oracle published an emergency advisory for CVE-2026-35273, a critical (CVSS 9.8) unauthenticated remote code execution flaw in the Environment Management Hub of PeopleSoft PeopleTools 8.61 and 8.62. The vector tells the whole story: AV:N/AC:L/PR:N/UI:N — remotely over HTTP, low complexity, no privileges, no user interaction. Send the right request to the right enterprise HR system and you are running code on it.
The advisory came late. Attackers had been exploiting the bug as a zero-day since at least May 27. By the time Oracle confirmed it, Google's Threat Intelligence Group was notifying more than 100 organizations whose exposed endpoints matched the attack — and 68% of the victims were in higher education, an entire sector running the same internet-facing payroll-and-records platform.
-
May 27, 2026 — staging
The intruders settle in. They install
MeshCentral, a legitimate remote-management tool, and theacme-clientpackage to auto-provision Let's Encrypt certificates — so their access looks like sanctioned IT, not an attack. - May 27 – June 9 — quiet work Reconnaissance maps the PeopleSoft configuration. A custom propagation script moves laterally, host to host. Records are read and staged for exfiltration. Two weeks of it, with no encryption event to trip a single alarm.
- June 10, 2026 — disclosure Oracle ships the emergency fix. Cl0p and ShinyHunters are named; the extortion emails go out. For the victims, the patch is months too late to matter — the data already left.
The ransom note isn't the start of the incident. It's the receipt. By the time it arrives, the only decision left is whether to pay.
Cl0p doesn't need to encrypt you
Cl0p has run this exact play before — MOVEit, Accellion, SolarWinds. The pattern never changes: find one internet-facing enterprise application that an entire industry depends on, weaponize a zero-day before anyone's patched, exfiltrate at scale, and extort. The encryption step — the loud, theatrical, drive-locking part everyone built their defenses around — is now optional. The leverage is the data itself.
That shift quietly breaks a lot of security programs. We spent a decade learning to detect encryption: the mass file rewrites, the ransom note dropped on the desktop, the shadow copies deleted. A pure data-theft extortion produces none of that. It produces a remote-management tool that "looks like IT," a certificate that "looks routine," an account reading more records than usual, and a script touching hosts it has no business touching. Every one of those is a shrug in isolation. None of them is the thing your tooling was trained to catch.
The two weeks nobody was watching
Here is the uncomfortable part. For most of the 100-plus victims, the breach didn't hide. It was sitting in the telemetry the whole time — fourteen days of it. The MeshCentral install was logged. The new certificate was logged. The lateral movement generated events. The unusual reads against the records database were right there.
What was missing wasn't data. It was the connection between the data points — and the speed to make it before the exfiltration finished. An HR platform like PeopleSoft is exactly the kind of system that lives in the coverage gap: business-critical, internet-facing, and watched far less closely than anyone's laptops. The signals existed. The correlation didn't happen. And the attacker's clock ran for two weeks while the defender's clock never started.
Catching the chain while it's still quiet
The defense against smash-and-grab extortion is not a better ransom-note detector. It's the ability to treat a remote-management tool appearing on a records server, a freshly minted certificate, an account suddenly reading at volume, and a propagation script as one story — and to reach that verdict before the data is gone.
That's what n0limit is built to do. Every one of those signals is investigated the moment it appears — enriched, scoped, and correlated against everything else on the estate — and resolved to a verdict in under 500 microseconds, with a reasoning trail an operator can audit. A new remote tool on a PeopleSoft host doesn't land in a "review later" queue next to ten thousand other events; it's connected to the anomalous reads and the lateral movement and surfaced as a single active-exfiltration incident, while there's still time to cut the session.
When the first alert you act on is the extortion email, the campaign is already over and you lost. The entire game is the two weeks before it — and winning that requires seeing the quiet chain at machine speed, not reading the receipt at human speed.
REFERENCES
Oracle — Security Alert Advisory CVE-2026-35273 → BleepingComputer — Oracle mitigates PeopleSoft zero-day exploited in data-theft attacks → Cyber Security News — Oracle PeopleSoft 0-day RCE exploited by ShinyHunters → Rescana — CVE-2026-35273 active exploitation analysis →Related from The Signal
Catch the quiet chain before the data leaves.
See n0limit investigate and correlate every signal to a verdict in under 500 microseconds — so a smash-and-grab is an incident, not a ransom note.
Book a demo →Get The Signal in your inbox
Practitioner-level threat intel, delivered when it matters.