Malware · Ransomware · Used by 2 actors

ShinyHunters

ShinyHunters is a data-extortion threat group that the cited reporting consistently describes as operating a pure data-theft and leak-based extortion model rather than traditional file-encrypting ransomware. Multiple sources state that ShinyHunters has never encrypted victim files and instead relies on exfiltration and on publication pressure through a data leak site. Reported activity includes large-scale breaches, extortion delayed until well after a stealthy theft, and exploitation of exposed credentials, weak configurations, and vulnerable enterprise services.

The reporting associates ShinyHunters with social-engineering-driven intrusions, in particular against Business Process Outsourcing (BPO) personnel: the actors pose as IT support and coerce employees into granting legitimate access to Salesforce environments. Some of this activity is noted as aligning with Mandiant cluster UNC6040. The group is also described as exploiting vulnerabilities or weak configurations in widely used services such as Salesforce, Snowflake, and Oracle E-Business Suite, including references to exploitation of CVE-2025-61882 in broader reporting on data-only extortion trends.

A Unit 42 incident response case links ShinyHunters to the threat actor Bling Libra and describes a shift from selling or publishing stolen data to extorting victims directly. In that case, exposed AWS IAM credentials carrying the AmazonS3FullAccess policy were used to access the victim's AWS environment, enumerate S3 buckets with the AWS CLI, S3 Browser, and WinSCP, and delete buckets. The attackers then attempted to create buckets whose names were variants of an extortion contact string and sent an extortion email claiming access to the data. The report notes that, because CloudTrail S3 data events and S3 server access logging were not enabled, object-level exfiltration could not be confirmed. Tooling indicators mentioned in the reporting include the CloudTrail user-agent strings recorded for S3 Browser and WinSCP, and an extortion contact email reported as shinycorp@tutonota[.]com.
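The Unit 42 case above reduces to a small set of CloudTrail management events: bucket enumeration (ListBuckets), bucket deletion, and bucket creation with a contact-string name, all issued from a third-party S3 client on a single access key, plus the evidence gap when S3 data events are not being recorded. The following script is an added example, not code from the Mallory page or from Unit 42. It triages newline-delimited CloudTrail records for that pattern and checks a trail's event selectors for the S3 data-event gap. The sample records are constructed, and the user-agent substrings (`S3 Browser`, `WinSCP`), the bucket-name markers, and the access key IDs are assumptions chosen for illustration, not indicators taken from the report.

```python
"""Triage CloudTrail management events for the S3 abuse sequence described
in the Unit 42 case: enumerate buckets, delete buckets, create buckets
named after an extortion contact, all from a third-party S3 client.
Added example; records below are constructed, not real telemetry."""
import json
from collections import Counter

# Assumed substrings: CloudTrail records the client's own user-agent string,
# so a hit here means a desktop S3 client rather than an application SDK.
SUSPECT_USER_AGENTS = ("S3 Browser", "WinSCP")
# High-impact management actions worth paging on from any principal.
DESTRUCTIVE_ACTIONS = {"DeleteBucket", "DeleteBucketPolicy", "PutBucketPolicy"}
# Assumed markers for bucket names that look like a contact note, not infrastructure.
CONTACT_MARKERS = ("contact", "@", "tutanota", "proton")


def _record(key, name, user_agent, bucket=None):
    """Build one constructed CloudTrail-shaped record (management event)."""
    return {
        "eventVersion": "1.08",
        "userIdentity": {"type": "IAMUser", "accessKeyId": key, "userName": "ci-backup"},
        "eventSource": "s3.amazonaws.com",
        "eventName": name,
        "userAgent": user_agent,
        "requestParameters": {"bucketName": bucket} if bucket else None,
    }


# Constructed sample log: one key behaving like the case, one benign key, one bad line.
SAMPLE_LOG_LINES = [json.dumps(e) for e in (
    _record("AKIAEXAMPLE000000001", "ListBuckets", "[S3 Browser 11.0.7]"),
    _record("AKIAEXAMPLE000000001", "DeleteBucket", "WinSCP/6.1", "customer-exports"),
    _record("AKIAEXAMPLE000000001", "CreateBucket", "WinSCP/6.1",
            "contact-actor-at-example-dot-com"),
    _record("AKIAEXAMPLE000000002", "GetBucketLocation", "aws-cli/2.15.0 Python/3.11"),
)] + ["not json"]


def parse_events(lines):
    """Parse newline-delimited CloudTrail records, skipping blank or malformed lines."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def classify(event):
    """Return the finding tags for a single record (empty list when benign)."""
    tags = []
    name = event.get("eventName", "")
    user_agent = (event.get("userAgent") or "").lower()
    params = event.get("requestParameters") or {}
    bucket = (params.get("bucketName") or "").lower()
    if any(s.lower() in user_agent for s in SUSPECT_USER_AGENTS):
        tags.append("third_party_s3_client")
    if name in DESTRUCTIVE_ACTIONS:
        tags.append("destructive_bucket_action")
    if name == "CreateBucket" and any(m in bucket for m in CONTACT_MARKERS):
        tags.append("extortion_style_bucket_name")
    return tags


def triage(lines):
    """Group findings per access key and flag enumerate-then-delete ordering."""
    per_key = {}
    for ev in parse_events(lines):
        key = ev.get("userIdentity", {}).get("accessKeyId", "unknown")
        entry = per_key.setdefault(key, {"tags": Counter(), "sequence": []})
        entry["tags"].update(classify(ev))
        entry["sequence"].append(ev.get("eventName"))
    findings = {}
    for key, entry in per_key.items():
        seq = entry["sequence"]
        ordered = ("ListBuckets" in seq and "DeleteBucket" in seq
                   and seq.index("ListBuckets") < seq.index("DeleteBucket"))
        findings[key] = {"tags": dict(entry["tags"]), "enumerate_then_delete": ordered}
    return findings


def s3_data_events_enabled(event_selectors):
    """True if a classic event selector records S3 object-level data events.

    Shape follows CloudTrail GetEventSelectors output; advanced event
    selectors are not examined here (assumed out of scope for the example)."""
    for selector in event_selectors:
        for resource in selector.get("DataResources", []):
            if resource.get("Type") == "AWS::S3::Object":
                return True
    return False


if __name__ == "__main__":
    for key, finding in triage(SAMPLE_LOG_LINES).items():
        print(key, finding)
```

Without S3 data events, `GetObject` calls never reach CloudTrail, so `triage` can only show that the key enumerated and destroyed buckets, not what was read; `s3_data_events_enabled` is the check to run before relying on CloudTrail to answer the exfiltration question.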

Victimology in the reporting spans large enterprises and healthcare-adjacent organizations. Reported examples include publication of data allegedly stolen from DentaQuest, BCD Travel, Odido, and Wynn Resorts, and a claimed breach of Medtronic involving unauthorized access to corporate systems and potential large-scale data exfiltration, with no clinical disruption reported. The reporting characterizes ShinyHunters as focusing on centralized data environments and mass data exfiltration, with attacks that lean on reputational, regulatory, and disclosure pressure rather than operational disruption.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

ShinyHunters

ShinyHunters operates in a few different avenues (sometimes direct extortion, sometimes extortion-as-a-service with other actors)... These attacks leverage social engineering tactics against the target organization’s Business Process Outsourcing (BPO) personnel with a specific focus on accessing Salesforce environments.

via Coveware blog (coveware.com)
Scattered Lapsus$ Hunters

"ShinyHunters has operated this model exclusively. They have never encrypted a single victim’s file."

via OSINT Team blog (osintteam.blog)
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (2)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.