Telegram
4 totalhttps://t.me/s/andrewfedmanhttps://t.me/shinygr0uphttps://t.me/s/SLSH6https://t.me/specialagentadam
ShinyHunters is a data-extortion threat group widely described in the provided content as operating a pure data-theft and leak-based extortion model rather than traditional file-encrypting ransomware.
Profile source: Mallory opens in a new tabShinyHunters
ShinyHunters is a data-extortion threat group widely described in the provided content as operating a pure data-theft and leak-based extortion model rather than traditional file-encrypting ransomware. Multiple sources in the content state that ShinyHunters has never encrypted victim files and instead relies on exfiltration and publication pressure via a data leak site. Reported activity includes large-scale breaches, delayed extortion after stealthy theft, and exploitation of exposed credentials, weak configurations, and vulnerable enterprise services.
The content associates ShinyHunters with social-engineering-driven intrusions, especially targeting Business Process Outsourcing personnel to obtain access to Salesforce environments by posing as IT support and coercing employees into granting legitimate access. Some activity is noted as aligning with Mandiant cluster UNC6040. The group is also described as exploiting vulnerabilities or weak configurations in widely used services such as Salesforce, Snowflake, and Oracle E-Business Suite, including references to exploitation of CVE-2025-61882 in broader reporting about data-only extortion trends.
A Unit 42 incident response case links ShinyHunters to the threat actor Bling Libra and describes a shift from selling or publishing stolen data to directly extorting victims. In that case, exposed AWS IAM credentials with AmazonS3FullAccess were used to access a victim AWS environment, enumerate S3 buckets via AWS CLI, S3 Browser, and WinSCP, and delete buckets. The attackers then attempted to create buckets named with variants of an extortion contact string and sent an extortion email claiming data access. The report notes that missing CloudTrail S3 data events and S3 server access logging limited confirmation of object-level exfiltration. Tooling indicators mentioned in the content include CloudTrail user-agent strings for S3 Browser and WinSCP, and an extortion contact email reported as shinycorp@tutonota[.]com.
Victimology in the content spans large enterprises and healthcare-adjacent organizations. Reported examples include publication of data allegedly stolen from DentaQuest, BCD Travel, Odido, Wynn Resorts, and a claimed breach of Medtronic involving unauthorized access to corporate systems and potential large-scale data exfiltration without reported clinical disruption. The content characterizes ShinyHunters as focusing on centralized data environments and mass data exfiltration, with attacks often emphasizing reputational, regulatory, and disclosure pressure rather than operational disruption.
Ransomware.live
Ransomware.live
https://t.me/s/andrewfedmanhttps://t.me/shinygr0uphttps://t.me/s/SLSH6https://t.me/specialagentadamshinyc0rp@tuta.ioRansomware.live
Reported operators
ShinyHunters operates in a few different avenues (sometimes direct extortion, sometimes extortion-as-a-service with other actors)... These attacks leverage social engineering tactics against the target organization’s Business Process Outsourcing (BPO) personnel with a specific focus on accessing Salesforce environments.
"ShinyHunters has operated this model exclusively. They have never encrypted a single victim’s file."
Exploited software
MITRE ATT&CK
Reporting
The FCC Wants to Kill Burner Phones ... Plus: AI bug hunting fuels Microsoft’s biggest-ever Patch Tuesday, ShinyHunters ransomware gang exploits an Oracle zero-day, and more.
По данным Securelist, группа ShinyHunters - характерный пример: они используют data leak site для публикации жертв, полностью исключая шифрование из kill chain.
ShinyHunters is a data extortion group specializing in large-scale data breaches and exposure of stolen datasets.
"ShinyHunters has operated this model exclusively. They have never encrypted a single victim’s file."
More recently, threat actors, including the ShinyHunters group appear to have adopted a similar approach, focusing on vulnerabilities or weak configurations in widely used services, likely not only for financial gain but also for visibility.
ShinyHunters operates in a few different avenues (sometimes direct extortion, sometimes extortion-as-a-service with other actors)... These attacks leverage social engineering tactics against the target organization’s Business Process Outsourcing (BPO) personnel with a specific focus on accessing Salesforce environments.
"Bling Libra (the group behind the ShinyHunters ransomware) showcased their new shift to extorting victims rather than their traditional tactic of selling/publishing stolen data."
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.