Wasteland.
Ransomware FLUKE-CORPORATION- 2026-07-01

Fluke Corporation: ShinyHunters Ransomware Extortion

Fluke Corporation, one of the largest US manufacturers of electronic test and measurement equipment, has been named as a victim on the extortion channels of the ShinyHunters group. According to claims posted July 1, 2026, the actor exfiltrated more than 21 million Salesforce records, a dataset exceeding 100GB that reportedly contains personally identifiable information. The listing states that Fluke declined to pay despite repeated offers, a signal that stolen data may be published or sold. The claims are unverified and Fluke has not issued a public statement at the time of writing.

What Happened

ShinyHunters, a data-extortion crew known for large-scale theft rather than traditional file-encrypting ransomware, added Fluke Corporation to its victim list on July 1, 2026. The group asserts it holds over 21 million records pulled from Fluke's Salesforce environment, totaling more than 100GB. The posting emphasizes that the actor extended "significant patience, multiple chances, and offers" before publicizing the breach, and that the company "failed to reach an agreement." That framing is consistent with ShinyHunters' standard playbook: quiet exfiltration, private extortion, then public naming to apply pressure. A dataset was referenced with SHA256 hash 6ee9bd06756efceb56e5c56fd4e8ab3a8006b9cb80e7c0b4405ed15b996c05fe, and the listing was updated July 2, 2026.

What Was Taken

The actor claims to have compromised over 21 million Salesforce records. The stated volume is 100GB or more, and the group indicates the trove includes "some PII." Salesforce environments typically hold customer relationship data such as contact names, business and personal email addresses, phone numbers, account histories, support cases, and commercial terms. For a test-and-measurement supplier serving industrial, laboratory, utility, and government customers, that record set can expose downstream client relationships and procurement details in addition to individual contact PII. The exact fields have not been independently confirmed.

Why It Matters

Fluke sits deep in the supply chain for calibration, electrical, and industrial diagnostics work, which makes its customer roster valuable to attackers well beyond the company itself. A CRM breach at this scale hands adversaries a curated map of buyers, contacts, and purchasing patterns that is ideal fuel for targeted phishing, business email compromise, and vendor-impersonation fraud against Fluke's clients. The incident also fits a broader 2025 to 2026 wave in which ShinyHunters and affiliated actors have systematically targeted Salesforce tenants, frequently through compromised OAuth tokens and connected third-party apps rather than by breaching a company's core network. When the extortion fails, as it reportedly has here, the data commonly surfaces on leak forums, extending the exposure window indefinitely.

The Attack Technique

The listing does not specify an initial access vector, and no intrusion method has been confirmed. However, the campaign pattern is instructive. ShinyHunters-linked Salesforce compromises through this period have repeatedly leveraged social engineering of support and sales staff, malicious or over-permissioned connected apps, stolen OAuth refresh tokens, and voice-phishing to trick employees into authorizing rogue data-loader tools. Once a valid session or API token is obtained, mass export of records is fast and often invisible to controls tuned only for network intrusions. Treat the Salesforce integration and identity layer as the likely pivot point rather than assuming a perimeter breach.
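
A defender-side illustration of the point above about token-driven mass export, added here as an example and not taken from the listing, Fluke, or any vendor tooling: it flags API activity from connected apps outside a reviewed allowlist and per-user, per-app row volume that crosses a threshold inside a sliding window. The event tuple layout, user and app names, allowlist, window and threshold are constructed assumptions, not Salesforce's actual log schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a simplified, hypothetical schema
# (not Salesforce's real log format): time, user, connected app, rows returned.
SAMPLE_EVENTS = [
    ("2026-06-20T09:00:00", "alice", "crm-sync", 1200),
    ("2026-06-20T09:05:00", "bob", "data-loader-x", 250000),
    ("2026-06-20T09:12:00", "bob", "data-loader-x", 400000),
    ("2026-06-20T09:20:00", "bob", "data-loader-x", 500000),
    ("2026-06-20T09:30:00", "alice", "crm-sync", 900),
    ("2026-06-20T11:00:00", "carol", "crm-sync", 700000),
    ("2026-06-20T13:00:00", "carol", "crm-sync", 700000),
]

APPROVED_APPS = {"crm-sync"}      # assumption: connected apps you have reviewed
WINDOW = timedelta(hours=1)       # assumption: tune to the tenant's baseline
ROW_THRESHOLD = 1_000_000         # assumption: rows per (user, app) per window


def detect_bulk_export(events, approved=APPROVED_APPS,
                       window=WINDOW, threshold=ROW_THRESHOLD):
    """Return alerts for unapproved apps and for per-(user, app) row volume
    reaching `threshold` inside a sliding `window`."""
    alerts = []
    recent = defaultdict(deque)   # (user, app) -> deque of (time, rows)
    totals = defaultdict(int)     # (user, app) -> rows currently in window
    seen_unapproved = set()
    in_burst = set()              # keys already alerted for the current burst
    for ts, user, app, rows in sorted(events):
        t = datetime.fromisoformat(ts)
        key = (user, app)
        if app not in approved and key not in seen_unapproved:
            seen_unapproved.add(key)
            alerts.append(("unapproved_app", user, app, ts))
        q = recent[key]
        q.append((t, rows))
        totals[key] += rows
        while q and t - q[0][0] > window:      # evict events older than window
            totals[key] -= q.popleft()[1]
        if totals[key] >= threshold:
            if key not in in_burst:            # one alert per burst, not per call
                in_burst.add(key)
                alerts.append(("bulk_export", user, app, ts))
        else:
            in_burst.discard(key)
    return alerts
```

In the sample, the same total volume spread over separate hours by an approved app stays below the threshold, which is why the window and threshold need to be set from the tenant's own baseline.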

What Organizations Should Do

Sources: Ransom! Fluke Corporation (JUL-2026)