ShinyHunters
ShinyHunters is a financially motivated cybercriminal extortion group known for data theft and "pay or leak" operations. Aliases that appear in the reporting collected here include bling_libra, shinyhunter, shinyhunters, shiny_hunters, UNC6040, and UNC6240; Mandiant is also cited as tracking related ShinyHunters-affiliated vishing activity under the clusters UNC6240 and UNC6661.

The reporting shows ShinyHunters hitting a wide range of organizations, including insurance, telecommunications infrastructure, sports and entertainment, higher education, and education technology. Victims named or claimed include the National Association of Insurance Commissioners (NAIC), American Tower, Madison Square Garden (including Madison Square Garden Sports and Madison Square Garden Entertainment), Instructure Canvas, and the University of Nottingham.

The group specializes in extortion and in cascading, supply-chain-style campaigns. Multiple reports state that ShinyHunters ran "pay or leak" extortion, published stolen data on a dark web leak site, and in some cases leaked data after ransom demands were not met. Publication of allegedly stolen data is specifically described for NAIC, American Tower, Madison Square Garden, Madison Square Garden Sports, and the European Commission-related incident, where ShinyHunters later published the stolen data.

Techniques directly mentioned include exploitation of Oracle PeopleSoft vulnerabilities: ShinyHunters reportedly began exploiting a PeopleSoft zero-day on May 27, and more than 100 organizations were compromised before Oracle released an emergency update on June 10. ShinyHunters also claimed to combine zero-day vulnerabilities with older unpatched flaws in PeopleSoft environments, affecting both cloud-hosted and on-premises deployments.
Separately, the reporting repeatedly associates ShinyHunters with social engineering, especially vishing. In the Madison Square Garden Entertainment intrusion, the initial compromise is reported to have come through a voice-phishing call to a low-level employee, leading to theft of Microsoft Entra credentials. ShinyHunters used a similar vishing playbook against Charter Communications, and breached ADT by compromising an Okta SSO account and then moving into Salesforce. The reporting notes that phishing-resistant MFA can eliminate the social-engineering vectors exploited by groups like ShinyHunters, and explicitly states that such groups do not need malware or zero-day exploits to cause massive damage.

Reported post-compromise activity includes data theft from ticketing systems, customer support platforms, and SharePoint and OneDrive-related environments, followed by publication of large archives containing customer, corporate, and operational data.

The reporting also links ShinyHunters to the broader criminal ecosystem. One report says TeamPCP maintained partnerships or overlap with ShinyHunters, and another states that ShinyHunters later published data stolen in the TeamPCP-related European Commission incident. Nothing here provides high-confidence evidence that ShinyHunters is a nation-state actor; it is consistently described as a cybercriminal group.
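To make the phishing-resistant-MFA point actionable, here is an added audit script (not from the cited reporting, Microsoft, or any vendor named on this page) that walks Entra ID sign-in records and flags successful sign-ins that were protected only by a password or by a second factor a vishing caller can talk a user through (SMS code, voice call, push approval, app code). The record layout mirrors the fields of the Entra sign-in log export (status.errorCode, authenticationRequirement, authenticationDetails[].authenticationMethod); the sample records and the method-name sets are constructed for the example and should be checked against your own tenant's export.

```python
"""Flag successful Entra ID sign-ins that relied on phishable authentication.

Added example: the records below are constructed to mirror the Entra sign-in
log export; they are not real tenant data. Method names are assumptions to
verify against your export.
"""
from collections import Counter

# Factors bound to the device/origin; a vishing caller cannot relay these.
PHISHING_RESISTANT = {
    "FIDO2 security key",
    "Passkey",
    "Windows Hello for Business",
    "Certificate",
}

# Second factors a caller can talk a user through: code read-back or approval.
PHISHABLE_SECOND_FACTORS = {
    "Text message",
    "Mobile phone call",
    "Mobile app notification",
    "Mobile app verification code",
}

# Constructed sample sign-in records (approximate Entra sign-in log fields).
SAMPLE_SIGNINS = [
    {  # push approval: the user can be talked into tapping "Approve"
        "userPrincipalName": "alice@example.com",
        "ipAddress": "203.0.113.10",
        "status": {"errorCode": 0},
        "authenticationRequirement": "multiFactorAuthentication",
        "authenticationDetails": [
            {"authenticationMethod": "Password", "succeeded": True},
            {"authenticationMethod": "Mobile app notification", "succeeded": True},
        ],
    },
    {  # FIDO2: origin-bound, nothing for a caller to capture
        "userPrincipalName": "bob@example.com",
        "ipAddress": "198.51.100.23",
        "status": {"errorCode": 0},
        "authenticationRequirement": "multiFactorAuthentication",
        "authenticationDetails": [
            {"authenticationMethod": "FIDO2 security key", "succeeded": True},
        ],
    },
    {  # no second factor required at all
        "userPrincipalName": "carol@example.com",
        "ipAddress": "10.0.4.17",
        "status": {"errorCode": 0},
        "authenticationRequirement": "singleFactorAuthentication",
        "authenticationDetails": [
            {"authenticationMethod": "Password", "succeeded": True},
        ],
    },
    {  # failed password: access was never granted, so it is skipped
        "userPrincipalName": "dave@example.com",
        "ipAddress": "203.0.113.77",
        "status": {"errorCode": 50126},
        "authenticationRequirement": "singleFactorAuthentication",
        "authenticationDetails": [
            {"authenticationMethod": "Password", "succeeded": False},
        ],
    },
    {  # SMS code: can simply be read back to the caller
        "userPrincipalName": "erin@example.com",
        "ipAddress": "192.0.2.9",
        "status": {"errorCode": 0},
        "authenticationRequirement": "multiFactorAuthentication",
        "authenticationDetails": [
            {"authenticationMethod": "Password", "succeeded": True},
            {"authenticationMethod": "Text message", "succeeded": True},
        ],
    },
]


def weakest_factor_findings(records):
    """One finding per successful sign-in with no phishing-resistant factor."""
    findings = []
    for rec in records:
        if rec.get("status", {}).get("errorCode") != 0:
            continue  # failed sign-ins never granted access
        methods = {
            step["authenticationMethod"]
            for step in rec.get("authenticationDetails", [])
            if step.get("succeeded")
        }
        if methods & PHISHING_RESISTANT:
            continue  # a strong factor was used; nothing to report
        second_factors = sorted(methods & PHISHABLE_SECOND_FACTORS)
        reason = ("phishable MFA: " + ", ".join(second_factors)) if second_factors else "password only"
        findings.append({"user": rec.get("userPrincipalName"), "ip": rec.get("ipAddress"), "reason": reason})
    return findings


def findings_by_reason(findings):
    """Count findings per weakness class, for a quick rollout report."""
    return Counter(f["reason"].split(":")[0] for f in findings)


if __name__ == "__main__":
    results = weakest_factor_findings(SAMPLE_SIGNINS)
    for f in results:
        print(f"{f['user']:<20} {f['ip']:<15} {f['reason']}")
    print(dict(findings_by_reason(results)))
```

Run it against a real export and the "phishable MFA" bucket is the population a vishing crew can still get through; moving those users to an authentication strength that requires a phishing-resistant method closes the vector the reporting describes.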
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Government & Administration
Tradecraft
39 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
10 malware families attributed to this actor across reporting.
5 additional families tracked in Mallory.
Associated vulnerabilities
5 CVEs this actor has used in observed campaigns. 5 of them exploited in the wild.
The group added a fourth vector in June 2026: exploitation of CVE-2026-35273, a critical remote code execution zero-day in Oracle PeopleSoft PeopleTools versions 8.61 and 8.62, rated CVSS 9.8. The vulnerability sits in the Updates Environment Management component, specifically the Environment Management Hub (PSEMHUB) endpoints, and requires no authentication, no user interaction, and only HTTP network access to achieve remote code execution.
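The operational fact in this excerpt is that the vulnerable PSEMHUB endpoints need no authentication and only HTTP reachability, so the first defender question is whether the Environment Management Hub is reachable from outside the management network at all, and whether anything outside has already talked to it. The script below is an added example, not code from the page's sources or from Oracle; it scans web-server access logs in Combined Log Format for requests to the EM Hub. It assumes the hub is served under the /PSEMHUB/ context root on the PIA web server (the conventional path; verify against your deployment) and that legitimate EM agents come from the RFC 1918 management ranges listed in MANAGEMENT_NETS. The log lines are constructed for the example.

```python
"""Find requests to the PeopleSoft Environment Management Hub from outside the
management network, using Combined Log Format access logs.

Added example with constructed log lines. /PSEMHUB/ as the hub context root
and the management ranges are assumptions to verify against the deployment.
"""
import ipaddress
import re

# Assumption: the EM Hub is deployed under this context root.
EMHUB_PREFIX = "/PSEMHUB/"

# Assumption: legitimate EM agents and admins come from these ranges.
MANAGEMENT_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

# Constructed sample access-log lines (Combined Log Format).
SAMPLE_ACCESS_LOG = """\
10.20.5.14 - - [03/Jun/2026:09:12:01 +0000] "GET /psp/ps/EMPLOYEE/HRMS/c/ROLE_EMPLOYEE.HR_EE_HOME.GBL HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.20.5.40 - - [03/Jun/2026:09:12:10 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 318 "-" "Java/17.0.2"
203.0.113.45 - - [03/Jun/2026:09:12:44 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 318 "-" "python-requests/2.31.0"
198.51.100.7 - - [03/Jun/2026:09:13:02 +0000] "GET /PSEMHUB/hub?type=ping HTTP/1.1" 404 231 "-" "curl/8.4.0"
203.0.113.45 - - [03/Jun/2026:09:13:30 +0000] "GET /psc/ps/EMPLOYEE/HRMS/s/WEBLIB_PORTAL.ISCRIPT1.FieldFormula.IScript_HomePage HTTP/1.1" 200 9871 "-" "Mozilla/5.0"
"""

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)


def parse_clf(line):
    """Parse one Combined Log Format line into a dict, or None if malformed."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def is_external(ip):
    """True when the source address is outside every management range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # unparsable source: treat as untrusted
    # Version-mismatched comparisons (IPv6 address vs IPv4 net) are simply False.
    return not any(addr in net for net in MANAGEMENT_NETS)


def emhub_external_hits(log_text, prefix=EMHUB_PREFIX):
    """Return parsed requests to the EM Hub prefix from external sources."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if not rec:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore the query string
        if path.startswith(prefix) and is_external(rec["ip"]):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for h in emhub_external_hits(SAMPLE_ACCESS_LOG):
        print(f"{h['ts']} {h['ip']:<15} {h['method']} {h['path']} -> {h['status']} ({h['ua']})")
```

Any hit at all means the unauthenticated component is internet-reachable; a 404 from an external scanner is still worth keeping, because it shows the path was probed before the emergency update landed.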
BleepingComputer reported that threat actors leveraged credentials stolen through the Trivy supply chain compromise (CVE-2026-33634) to breach Cisco's internal development environment... The CISA KEV remediation deadline for CVE-2026-33634 is today, April 8, 2026... Beyond patching Trivy to v0.69.2+, trivy-action to v0.35.0, or setup-trivy to v0.2.6, organizations must also complete credential rotation.
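The remediation in this excerpt comes with version floors, and in CI the usual way to lag behind is a stale `uses:` pin in a workflow file. The script below is an added example (not from the excerpt's source or from the Trivy project) that scans GitHub Actions workflow text for aquasecurity/trivy-action and aquasecurity/setup-trivy references and reports any pinned below the fixed releases the excerpt gives (v0.35.0 and v0.2.6), any pinned to a mutable ref such as master, and any pinned to a commit SHA, which cannot be compared by version and has to be checked by hand. The workflow snippet is constructed; the version floors come from the excerpt. It does not verify the trivy binary version or the credential rotation the excerpt also requires.

```python
"""Check GitHub Actions workflow text for Trivy action pins below the fixed
releases named in the reporting above. Added example; the workflow text is
constructed.
"""
import re

# Minimum fixed versions from the excerpt (trivy-action v0.35.0, setup-trivy v0.2.6).
MIN_VERSIONS = {
    "aquasecurity/trivy-action": (0, 35, 0),
    "aquasecurity/setup-trivy": (0, 2, 6),
}

USES_RE = re.compile(
    r"uses:\s*['\"]?(?P<action>aquasecurity/(?:trivy-action|setup-trivy))@(?P<ref>[^\s'\"#]+)"
)
SEMVER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow covering each pin style.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@v0.2.3
      - uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: fs
      - uses: aquasecurity/trivy-action@master
      - uses: aquasecurity/trivy-action@v0.35.0
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567 # v0.34.0
"""


def parse_version(ref):
    """Turn 'v0.35.0' or '0.35.0' into a comparable tuple; None for non-semver refs."""
    m = SEMVER_RE.match(ref)
    return tuple(int(x) for x in m.groups()) if m else None


def audit_trivy_pins(workflow_text):
    """Return (action, ref, verdict) for every Trivy action reference found."""
    results = []
    for m in USES_RE.finditer(workflow_text):
        action, ref = m.group("action"), m.group("ref")
        version = parse_version(ref)
        if version is not None:
            verdict = "ok" if version >= MIN_VERSIONS[action] else "below fixed version"
        elif SHA_RE.match(ref):
            # A SHA pin is good hygiene but says nothing about the release it maps to.
            verdict = "sha pin: verify commit manually"
        else:
            verdict = "mutable ref: pin to a fixed release"
        results.append((action, ref, verdict))
    return results


if __name__ == "__main__":
    for action, ref, verdict in audit_trivy_pins(SAMPLE_WORKFLOW):
        print(f"{action}@{ref}: {verdict}")
```

A mutable ref like master is the worst of the three outcomes here: it is exactly what a compromised action repository would have served, which is why the excerpt pairs the version bump with credential rotation rather than treating the upgrade alone as the fix.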
It has since been determined that hackers likely exploited known EBS vulnerabilities patched in July, likely along with a zero-day flaw tracked as CVE-2025-61882. The hacker groups ShinyHunters and Scattered Spider ... have published a proof-of-concept (PoC) exploit that appears to target CVE-2025-61882 ... according to Oracle, CVE-2025-61882 allows unauthenticated remote code execution. CrowdStrike has found evidence that exploitation of CVE-2025-61882 started on August 9.
CISA on Monday added CVE-2025-61884 to its Known Exploited Vulnerabilities (KEV) catalog, confirming its exploitation.
According to data obtained from a public Telegram channel operated by the ShinyHunters team, the threat actor persona ‘Yukari’ exploited an Oracle Access Manager vulnerability (CVE-2021-35587). The attack targeted financial institutions and manufacturers.
Observables
63 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
- Data theft and extortion activity involving exploitation of a zero-day vulnerability in Oracle PeopleSoft, with claims of stealing and leaking large volumes of victim data after compromise.
- Referenced as an example of a threat group capable of causing significant damage without relying on malware or zero-day exploits.
- Referenced as an attacker group associated with breaches and modern cyberattacks, demonstrating that significant damage can be caused without malware or zero-day exploits.
- Conducting a "pay or leak" extortion campaign against American Tower and publishing allegedly stolen data after the attack.