ctipilot.ch


ShinyHunters extortion brand — Council of Europe named, Kodak and One Medical added to the leak-site pressure

From CTI Weekly Summary — 2026-W25 (Jun 15 – Jun 21, 2026) · published 2026-06-22

The ShinyHunters extortion brand (the data-theft cluster Google tracks as UNC6240) ran on two fronts this week. The technical core remains the Oracle PeopleSoft zero-day campaign (CVE-2026-35273) consolidated in the W24 weekly, and Google's Threat Intelligence Group sharpened it this week: GTIG's analysis confirms UNC6240 exploited the flaw between 27 May and 9 June as a zero-day, has notified 100+ organisations (68% in higher education), and documented the TTPs — JSP shell implant, a customised MeshCentral agent masquerading as Azure cloud endpoints, [victim]_fanout.sh SSH credential-spraying and zstd-compressed exfiltration (Google GTIG). On 2026-06-16 ShinyHunters listed the Council of Europe — the 46-member Strasbourg human-rights body of which Switzerland is a member — claiming roughly 297 GB exfiltrated; per W1's assessment it is the only named European-institution victim in the campaign to date (SecurityWeek, 2026-06-16; daily 06-16).

In parallel the brand expanded its leak-site extortion pressure beyond PeopleSoft: Eastman Kodak confirmed on 2026-06-17 that "an unauthorized third party illegally gained access to a limited amount of company data" after a ShinyHunters listing (SecurityWeek, 2026-06-19; daily 06-20), and Amazon's One Medical confirmed a legacy third-party file-storage breach while ShinyHunters' unverified 8.8 TB claim ran a deadline that expired 2026-06-21 (BankInfoSecurity, 2026-06-20; daily 06-21).

The cross-day pattern for a CH/EU SOC: the same brand is simultaneously running a vendor-confirmed zero-day against an enterprise application (PeopleSoft) and a higher-noise leak-site operation where the claims (Kodak data volume, the One Medical 8.8 TB figure) are attacker-asserted and partly unverified. Triage the two differently: the PeopleSoft exposure is a patch-and-hunt emergency for internet-reachable instances, with the hunt keyed to the GTIG TTPs above (runtime JSP drops on the web tier, MeshCentral agents posing as Azure endpoints, [victim]_fanout.sh SSH spraying from the compromised host, zstd staging before exfiltration); the leak-site listings warrant victim-notification monitoring, but the headline data volumes should be treated as unconfirmed until the victim corroborates.
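The hunt side of that triage, as an added example rather than anything published by GTIG or ctipilot.ch: a small script that runs the four TTP families from the brief (runtime JSP creation under the web root, a MeshCentral agent or an unexpected process talking to an Azure-looking host, a *_fanout.sh helper, and zstd invocation outside sanctioned backup jobs) plus a windowed SSH credential-spray heuristic over host telemetry. The JSON-lines schema, the web-root path, the hostnames, the allowlists and the sample events are all constructed assumptions for the demonstration; the only things taken from the brief are the TTP names themselves.

```python
"""Hunt sketch for the UNC6240 / PeopleSoft TTPs described in the brief.
Added example, not GTIG's or ctipilot.ch's code. Schema, paths, hostnames
and allowlists below are assumptions; adapt them to your own telemetry."""
import json
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from posixpath import basename

# --- Environment assumptions (not from the brief) ---
WEB_ROOT = "/opt/psft/webroot/"                 # assumed PeopleSoft web-tier document root
ALLOWED_COMPRESSORS = {("backup-01", "backup")}  # assumed (host, user) pairs allowed to run zstd
KNOWN_AZURE_AGENTS = {"waagent"}                 # assumed processes expected to reach Azure endpoints
SPRAY_WINDOW = timedelta(minutes=5)
SPRAY_MIN_HOSTS = 3                              # distinct SSH targets from one source inside the window

# Constructed sample telemetry (assumed JSON-lines schema). Not real log data.
SAMPLE_LOG = """
{"ts":"2026-06-01T01:00:00Z","host":"ps-web-01","type":"file_create","user":"psadm","path":"/opt/psft/webroot/ps/cache/page.css"}
{"ts":"2026-06-01T01:05:00Z","host":"ps-web-01","type":"net_connect","image":"/usr/bin/curl","dst_host":"yum.example.internal","dst_port":443}
{"ts":"2026-06-01T02:14:05Z","host":"ps-web-01","type":"file_create","user":"psadm","path":"/opt/psft/webroot/ps/x1.jsp"}
{"ts":"2026-06-01T02:15:10Z","host":"ps-web-01","type":"process_start","user":"psadm","image":"/tmp/.cache/meshagent","cmdline":"/tmp/.cache/meshagent --connect"}
{"ts":"2026-06-01T02:15:12Z","host":"ps-web-01","type":"net_connect","image":"/tmp/.cache/meshagent","dst_host":"update-azure-edge.example","dst_port":443}
{"ts":"2026-06-01T02:20:00Z","host":"ps-web-01","type":"file_create","user":"psadm","path":"/tmp/acme_fanout.sh"}
{"ts":"2026-06-01T02:21:00Z","host":"ps-app-01","type":"auth_fail","service":"sshd","src_ip":"10.0.5.21","user":"oracle"}
{"ts":"2026-06-01T02:21:02Z","host":"ps-app-02","type":"auth_fail","service":"sshd","src_ip":"10.0.5.21","user":"oracle"}
{"ts":"2026-06-01T02:21:03Z","host":"ps-db-01","type":"auth_fail","service":"sshd","src_ip":"10.0.5.21","user":"oracle"}
{"ts":"2026-06-01T02:21:05Z","host":"ps-batch-01","type":"auth_fail","service":"sshd","src_ip":"10.0.5.21","user":"oracle"}
{"ts":"2026-06-01T03:00:00Z","host":"ps-web-01","type":"process_start","user":"psadm","image":"/usr/bin/zstd","cmdline":"zstd -T0 -19 /tmp/export.tar -o /tmp/export.tar.zst"}
{"ts":"2026-06-01T04:00:00Z","host":"backup-01","type":"process_start","user":"backup","image":"/usr/bin/zstd","cmdline":"zstd /backup/nightly.tar"}
{"ts":"2026-06-01T09:00:00Z","host":"ps-db-01","type":"auth_fail","service":"sshd","src_ip":"10.0.9.7","user":"dba"}
"""


def parse_ts(s):
    # Accept the trailing "Z" form that fromisoformat() rejects on older Pythons.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def load_events(text):
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    events.sort(key=lambda e: e["ts"])   # ISO-8601 strings of equal shape sort chronologically
    return events


def _finding(rule, e, detail, **extra):
    return {"rule": rule, "ts": e["ts"], "host": e["host"], "detail": detail, **extra}


def hunt(events):
    findings = []
    spray_seen = defaultdict(list)   # src_ip -> [(timestamp, target host)] within the window
    spray_alerted = set()
    for e in events:
        kind = e["type"]
        owner = (e["host"], e.get("user"))
        if kind == "file_create":
            p = e["path"]
            # TTP 1: a JSP appearing at runtime under the web root (deployment happens in change windows)
            if p.lower().endswith(".jsp") and p.startswith(WEB_ROOT):
                findings.append(_finding("jsp_drop", e, f"runtime JSP written under web root: {p}"))
            # TTP 3: the [victim]_fanout.sh SSH-spray helper staged on disk
            if re.search(r"_fanout\.sh$", basename(p)):
                findings.append(_finding("fanout_script", e, f"fan-out helper staged: {p}"))
            # TTP 4: zstd archive created by a (host, user) that is not a sanctioned backup job
            if p.lower().endswith(".zst") and owner not in ALLOWED_COMPRESSORS:
                findings.append(_finding("zstd_staging", e, f"zstd archive created: {p}"))
        elif kind == "process_start":
            img, cmd = e["image"], e.get("cmdline", "")
            # TTP 2: MeshCentral agent binary launched (name match on image or command line)
            if "meshagent" in (img + " " + cmd).lower():
                findings.append(_finding("meshcentral_agent", e, f"MeshCentral agent started: {cmd}"))
            if re.search(r"_fanout\.sh(\s|$)", cmd):
                findings.append(_finding("fanout_script", e, f"fan-out helper executed: {cmd}"))
            if basename(img) == "zstd" and owner not in ALLOWED_COMPRESSORS:
                findings.append(_finding("zstd_staging", e, f"zstd invoked outside backup allowlist: {cmd}"))
        elif kind == "net_connect":
            img, dst = e["image"], e["dst_host"]
            # TTP 2 (network side): agent beaconing, or an Azure-looking destination from a non-Azure process
            mesh = "meshagent" in img.lower()
            azure_lookalike = "azure" in dst.lower() and basename(img) not in KNOWN_AZURE_AGENTS
            if mesh or azure_lookalike:
                findings.append(_finding("meshcentral_agent", e, f"{img} -> {dst}:{e['dst_port']}"))
        elif kind == "auth_fail" and e.get("service") == "sshd":
            # Spray heuristic: one source failing against >= SPRAY_MIN_HOSTS distinct targets in the window
            src, now = e["src_ip"], parse_ts(e["ts"])
            window = [(t, h) for t, h in spray_seen[src] if now - t <= SPRAY_WINDOW]
            window.append((now, e["host"]))
            spray_seen[src] = window
            targets = {h for _, h in window}
            if len(targets) >= SPRAY_MIN_HOSTS and src not in spray_alerted:
                spray_alerted.add(src)
                findings.append(_finding("ssh_spray", e, f"{src} failed against {sorted(targets)}", src_ip=src))
    return findings


def summarize(findings):
    return Counter(f["rule"] for f in findings)


if __name__ == "__main__":
    for f in hunt(load_events(SAMPLE_LOG)):
        print(f["ts"], f["host"], f["rule"], f["detail"])
```

Each rule carries its own false-positive control (the web-root prefix, the compressor allowlist, the Azure-agent allowlist, the spray window and host threshold) so the thresholds can be tuned per environment without touching the matching logic; the spray rule fires once per source rather than once per failure so a genuine fan-out produces one ticket, not dozens.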