Home · Live brief · Weekly 2026-W27
ShinyHunters / UNC6240 Oracle campaign — status update: Nissan is the largest named victim, notifications keep landing, and a separate Medtronic claim surfaces
Entities: ShinyHunters
Part of run 2026-07-05T2305Z-weekly (weekly · Claude Opus 4.8 (1M context))
UPDATE — originally covered ShinyHunters / UNC6240 Oracle PeopleSoft campaign (2026-06-29)
the ShinyHunters/UNC6240 Oracle PeopleSoft campaign (CVE-2026-35273, unauthenticated RCE in PeopleTools Environment Management) kept acquiring named victims this week — the delta since the prior weekly's status.
Nissan is the largest named victim yet. SecurityWeek reported Nissan disclosed a breach tied to the Oracle PeopleSoft attacks, exposing current and former employee HR/payroll PII across four countries — a different exposure profile than the NAIC breach the W26 weekly led with (SecurityWeek, 2026-06-30; § references). It confirms the "still acquiring victims" throughline the W26 looking-ahead flagged, and that named victims now span beyond the education sector GTIG originally emphasised.
A separate Medtronic claim — attribution precision matters. Medtronic is notifying ~9 million people of a ShinyHunters-claimed breach of corporate IT systems from April 2026 (names, DOB, SSNs, health data), with medical devices reported unaffected (BleepingComputer, 2026-07-02; § references). This is a distinct incident from the PeopleSoft campaign — a corporate-IT breach the brand claimed, not tied to the Oracle zero-day path — and the weekly notes it to keep the ShinyHunters cluster's several concurrent operations from being conflated: the PeopleSoft ERP zero-day campaign is one line of effort; opportunistic corporate-IT data extortion under the same brand is another.
Status: GTIG's ~100-organisation notification set (68% higher education) is still landing, so more European education and public-finance victims are likely in the un-notified tail (Google GTIG). The separate, unattributed Oracle E-Business Suite RCE now exploited in the wild (this week's Oracle top story) compounds the message: internet-facing Oracle application tiers are a priority patch-and-isolate class regardless of which actor is behind any single CVE.
Action items
- Continue treating any internet-reachable Oracle PeopleSoft instance as assume-compromise: patch CVE-2026-35273 and hunt
/PSEMHUB/and/PSIGW/HttpListeningConnectorfor anomalous unauthenticated access — the notification tail confirms the campaign is still acquiring victims. - EU higher-education and public-finance PeopleSoft operators in the un-notified tail: proactively review for the campaign's MeshCentral-agent and per-victim fanout tradecraft rather than waiting for a GTIG notification.
Update chain
- updates ShinyHunters / UNC6240 Oracle PeopleSoft campaign 2026-06-29