SECURITYINTEL DAILY BRIEF ■ ThreatIntel Brief · Friday, June 12, 2026 · INTEL CONFIDENCE 100% · THREAT LEVEL CRITICAL

THREAT OF THE DAY: Active Exploitation of Oracle PeopleSoft Zero-Day CVE-2026-35273 · CRITICAL

5 C2 IPs · 132 OTX IOCs · 33 ARTICLES

■ ANALYST TLDR
Today's threat landscape is dominated by the active exploitation of a critical unauthenticated remote code execution zero-day vulnerability in Oracle PeopleSoft (CVE-2026-35273) by the ShinyHunters extortion group, targeting academic institutions globally. Concurrently, new attack vectors targeting AI infrastructure have emerged, including prompt injection risks in OpenClaw and arbitrary file write exploits in Langflow. Organizations must also contend with highly evasive malware like OnyxC2 Stealer and the wormable "The Gentlemen" ransomware.

■ CRITICAL STORIES
ShinyHunters Exploits Oracle PeopleSoft Zero-Day (CVE-2026-35273) to Breach Universities
  The unpatched zero-day allows unauthenticated remote code execution, enabling threat actors to steal sensitive enterprise data and execute double-extortion campaigns against high-value targets like the University of Nottingham.
New GreatXML Exploit Bypasses Windows BitLocker via Recovery Partition XML Files
  A newly released bypass technique dubbed GreatXML allows attackers with local access to subvert Windows BitLocker encryption by manipulating XML files in the recovery partition, undermining standard endpoint data protection.
New Attacks Trick OpenClaw AI Agent Into Running Code and Leaking Secrets
  Researchers demonstrated that the popular self-hosted AI agent OpenClaw is vulnerable to indirect prompt injection, enabling attackers to execute arbitrary code and exfiltrate sensitive credentials through standard inputs.
Hackers Exploit Langflow Vulnerability for Remote Code Execution
  Attackers are actively exploiting a previously disclosed vulnerability in the Langflow AI framework that allows unauthenticated arbitrary file writes, leading to complete system compromise.

■ CVEs IDENTIFIED
CVE-2026-35273 | Oracle PeopleSoft Suite — Unauthenticated Remote Code Execution (RCE)
[CVE-TBD] | OpenClaw AI Agent — Arbitrary Code Execution and Secret Leakage via Prompt Injection
[CVE-TBD] | Langflow — Unauthenticated Arbitrary File Write leading to Remote Code Execution
[CVE-TBD] | Microsoft Windows BitLocker — Encryption Bypass via Recovery Partition XML (GreatXML)

■ THREAT ACTORS
ShinyHunters | Cybercrime / Extortion Group
  Exploiting the CVE-2026-35273 zero-day to breach universities and steal data
The Gentlemen | Ransomware Group
  Operating a wormable double-extortion ransomware campaign with 478 victims
Void Blizzard | Cyberespionage (APT)
  Member Denis Obrezko extradited to the US to face charges

■ ATT&CK TTPs
| ID | Technique | Observed activity |
| T1190 | Exploit Public-Facing Application | ShinyHunters exploiting CVE-2026-35273 in Oracle PeopleSoft; attackers exploiting Langflow |
| T1486 | Data Encrypted for Impact | Extortion and ransomware activities by ShinyHunters and The Gentlemen |
| T1574.002 | DLL Side-Loading | Used by OnyxC2 Stealer to evade endpoint detection |
| T1555.003 | Credentials from Web Browsers | Targeted by OnyxC2 Stealer to harvest credentials |
| T1566 | Phishing | Used by OceanLotus (FireAnt campaign) and Chinese recruitment sites targeting US workers |
| T1219 | Remote Access Software | Deployment of the SPECTRALVIPER backdoor by OceanLotus |

■ PATCH PRIORITY
Oracle PeopleSoft Suite — Active zero-day exploitation of CVE-2026-35273 allowing unauthenticated RCE — [BC] [SW]
Langflow — Active exploitation of unauthenticated arbitrary file write leading to RCE — [SW]
Splunk — Severe vulnerability allowing arbitrary file creation and modification — [SW]
Palo Alto Networks — Severe vulnerability allowing unauthorized resource access — [SW]

■ RECOMMENDED ACTIONS TODAY
1. [P1] Apply Oracle's official mitigations immediately for CVE-2026-35273 in PeopleSoft Suite to block unauthenticated RCE.
2. [P1] Patch Langflow installations immediately to resolve the unauthenticated arbitrary file write vulnerability being actively exploited in the wild.
3. [P2] Implement input validation and strict context isolation for OpenClaw AI Agent deployments to prevent prompt injection and unauthorized code execution.
4. [P2] Update Splunk and Palo Alto Networks deployments to the latest patched versions to mitigate arbitrary file creation and unauthorized resource access.
5. [P2] Review CISA BOD 26-04 guidelines and update organizational vulnerability management policies to prioritize KEV catalog entries within the mandated 3-day window.

C2 IP BLOCKLIST · AbuseCH Feodo
| IP ADDRESS | PORT | STATUS | MALWARE | COUNTRY |
| 162.243.103.246 | 8080 | OFFLINE | Emotet | US |
| 50.16.16.211 | 443 | ONLINE | QakBot | US |
| 34.204.119.63 | 443 | OFFLINE | QakBot | US |
| 178.62.3.223 | 443 | OFFLINE | QakBot | GB |
| 27.133.154.218 | 443 | OFFLINE | QakBot | JP |

FULL IOC EXPORT — GOOGLE SHEET
All live IOCs with full SHA256 hashes (OTX), IPs, and domains. 2 tabs: C2 IPs · OTX IOCs. Updated daily; export as CSV to import directly into your tools.
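To show what "import directly into your tools" looks like in practice for the C2 blocklist above, here is an added Python example; it is not the brief's own tooling and not code from the AbuseCH Feodo feed. It loads the five C2 entries from a CSV in an assumed column layout (ip,port,status,malware,country), scans constructed firewall log lines in a generic "timestamp src dst port action" layout, and flags connections to listed IPs, separating hits on the listed C2 port from hits on some other port and putting connections to C2s marked ONLINE first in the triage order. The internal hosts, the non-listed destination 203.0.113.7 and the timestamps are constructed for illustration.

```python
"""Match a C2 IP blocklist (CSV export) against firewall log lines.

Added example for the brief's blocklist; the CSV column names and the log
layout are assumptions, and the log lines are constructed sample data.
"""
import csv
import io
from collections import Counter

# The five C2 entries listed in the brief, written in the assumed CSV layout
# of an IOC sheet export (column names are an assumption).
BLOCKLIST_CSV = """\
ip,port,status,malware,country
162.243.103.246,8080,OFFLINE,Emotet,US
50.16.16.211,443,ONLINE,QakBot,US
34.204.119.63,443,OFFLINE,QakBot,US
178.62.3.223,443,OFFLINE,QakBot,GB
27.133.154.218,443,OFFLINE,QakBot,JP
"""

# Constructed firewall log: "timestamp src_ip dst_ip dst_port action".
# 203.0.113.7 is a documentation-range address used as a benign destination.
SAMPLE_LOG = """\
2026-06-12T08:01:10Z 10.0.4.15 50.16.16.211 443 ALLOW
2026-06-12T08:01:12Z 10.0.4.15 203.0.113.7 443 ALLOW
2026-06-12T08:02:30Z 10.0.7.22 162.243.103.246 8080 ALLOW
2026-06-12T08:03:01Z 10.0.7.22 162.243.103.246 80 DENY
2026-06-12T08:05:44Z 10.0.9.3 27.133.154.218 443 ALLOW
"""


def parse_blocklist(csv_text):
    """Return {ip: {"port": int, "status": str, "malware": str, "country": str}}."""
    iocs = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        iocs[row["ip"].strip()] = {
            "port": int(row["port"]),
            "status": row["status"].strip().upper(),
            "malware": row["malware"].strip(),
            "country": row["country"].strip(),
        }
    return iocs


def match_logs(log_text, iocs):
    """Return one hit dict per log line whose destination IP is on the blocklist.

    Each hit records whether the destination port equals the listed C2 port;
    a connection to a listed IP on another port is weaker evidence and is
    kept but marked so an analyst can weigh it separately.
    """
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:  # skip malformed lines instead of aborting the scan
            continue
        ts, src, dst, port, action = parts
        ioc = iocs.get(dst)
        if ioc is None:
            continue
        hits.append({
            "timestamp": ts, "src": src, "dst": dst, "dst_port": int(port),
            "action": action, "malware": ioc["malware"],
            "c2_status": ioc["status"],
            "port_match": int(port) == ioc["port"],
        })
    return hits


def prioritize(hits):
    """Order hits for triage: ONLINE C2s first, then C2-port matches, then by time."""
    return sorted(hits, key=lambda h: (h["c2_status"] != "ONLINE",
                                       not h["port_match"], h["timestamp"]))


def hits_per_host(hits):
    """Count hits per internal source host, so triage starts with the noisiest one."""
    return Counter(h["src"] for h in hits)


if __name__ == "__main__":
    iocs = parse_blocklist(BLOCKLIST_CSV)
    hits = prioritize(match_logs(SAMPLE_LOG, iocs))
    for h in hits:
        flag = "c2-port" if h["port_match"] else "other-port"
        print(f"{h['timestamp']} {h['src']} -> {h['dst']}:{h['dst_port']} "
              f"{h['action']} [{h['malware']}, C2 {h['c2_status']}, {flag}]")
    print(dict(hits_per_host(hits)))
```

The DENY line is deliberately kept as a hit: a blocked attempt to reach a listed C2 still means the source host tried, which is the signal a responder wants even when the firewall did its job.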

IOC SOURCES: AbuseCH Feodo · AlienVault OTX
NEWS: THN · KRB · SANS · REC · BC · SW · AWS · GCP · MSFT · U42 · SCH · MWB